[resolved] Heretofind.com etc.

Hi Mike,
Thats some mess you have there,

Firstly your windows updates are very out dated, Get over to Windows update and download all the most recent updates, You are exposing yourself to many more problems such as the one you have now, if you don't get those sqaured away.


Next see this Post, Download, CWS, Adaware, Stinger and spybot, Run them as suggested,
Next run live update for Nortons,
Reboot to safe mode and run a full system scan,

Doing this will not cure the heretofind hijack, We will get to that once we get your log cleaned up a bit.
Post back a fresh log after you have done the above

Thank you for the quick response. I am in the process of scanning using the stinger before. Otherwise (besides checking microsoft's site out) I thought I did everything else you say to do there.

1. I have Norton AV 2002 on my 'puter, but it is currently nagging me to re-subscribe and was last updated on 4/21/2004. I don't have a credit card or a checking account, so I need to know if there is an alternative way I can get an accurate scan of my system done.

2. The link on the forum for cwshredder.exe appears to be dead, so I googled it and found a version here...

http://www.majorgeeks.com/download4086.html

seemed to operate correctly but afterward I did a scan with Ad-Aware (after I updated it for the first time) and still found CWS hits on my drive...

Now that I think of it, I did do all of this after posting my log and before your reply (except as before mentioned). As soon as stinger's done, I will post my new log.

WU also says I am up to date and I remember downloading all the updated on May 8, 2004, but isn't there any more since then?

Thank you for your help. I really appreciate it.

I thought the title of this thread was heterofind...


nevermind.

I've done the above items you suggested and here is the updated HJT file

Logfile of HijackThis v1.98.2
Scan saved at 6:31:56 PM, on 8/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\syshy32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\iexo32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\WINDOWS\system32\ir50_qcx.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xhwjx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wujxg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wujxg.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15E0349E-6EF2-650B-FF5F-E936C897D83D} - C:\WINDOWS\system32\javaje32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [iexo32.exe] C:\WINDOWS\system32\iexo32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [addtf.exe] C:\WINDOWS\system32\addtf.exe
O4 - HKLM\..\RunOnce: [mfcjv.exe] C:\WINDOWS\mfcjv.exe
O4 - HKLM\..\RunOnce: [sdkjg.exe] C:\WINDOWS\sdkjg.exe
O4 - HKLM\..\RunOnce: [nettj32.exe] C:\WINDOWS\nettj32.exe
O4 - HKLM\..\RunOnce: [mfclk32.exe] C:\WINDOWS\system32\mfclk32.exe
O4 - HKLM\..\RunOnce: [winol32.exe] C:\WINDOWS\winol32.exe
O4 - HKLM\..\RunOnce: [ipxt.exe] C:\WINDOWS\system32\ipxt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKCU\..\Run: [ir50_qcx] C:\WINDOWS\system32\ir50_qcx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Registration The Political Machine.LNK = C:\Program Files\Ubisoft\Stardock\PolMachine\Ubisoft\RegistrationReminder.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/220b5838a0c60cffe605/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093904653546
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GINWORDS Class) - http://66.98.132.156/g_bin_eng/words_2_0_0_20.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O21 - SSODL: SysTray.Ex - {F5B7D0BE-5f02-4255-96DB-386DFA244900} - (no file)

Mike you have a couple nasty hijacks running here,

This might take a couple runs to get it,
But lets get at it.
First:
Download AboutBuster
Then Unzip it to your desktop..

First, reboot into 'SAFE MODE'. (By tapping the F8 key on start up)
Next:
Run About Buster twice in safe Mode Save the logs it generates,
While still in safe mode,
Please restart HJT put a check next to the following if they still exist, close all open windows and click "fix.checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xhwjx.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wujxg.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wujxg.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15E0349E-6EF2-650B-FF5F-E936C897D83D} - C:\WINDOWS\system32\javaje32.dll
O4 - HKLM\..\Run: [iexo32.exe] C:\WINDOWS\system32\iexo32.exe
O4 - HKLM\..\RunOnce: [addtf.exe] C:\WINDOWS\system32\addtf.exe
O4 - HKLM\..\RunOnce: [mfcjv.exe] C:\WINDOWS\mfcjv.exe
O4 - HKLM\..\RunOnce: [sdkjg.exe] C:\WINDOWS\sdkjg.exe
O4 - HKLM\..\RunOnce: [nettj32.exe] C:\WINDOWS\nettj32.exe
O4 - HKLM\..\RunOnce: [mfclk32.exe] C:\WINDOWS\system32\mfclk32.exe
O4 - HKLM\..\RunOnce: [winol32.exe] C:\WINDOWS\winol32.exe
O4 - HKLM\..\RunOnce: [ipxt.exe] C:\WINDOWS\system32\ipxt.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\winlogon.exe
O4 - HKCU\..\Run: [ir50_qcx] C:\WINDOWS\system32\ir50_qcx.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F7FBA6BA-E25B-48AA-AD04-42C275411E72} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/220b5838a0c60cffe605/netzip/RdxIE601.cab
O21 - SSODL: SysTray.Ex - {F5B7D0BE-5f02-4255-96DB-386DFA244900} - (no file)



make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\system32\javaje32.dll
C:\WINDOWS\system32\iexo32.exe
C:\WINDOWS\system32\addtf.exe
C:\WINDOWS\mfcjv.exe
C:\WINDOWS\sdkjg.exe
C:\WINDOWS\nettj32.exe
C:\WINDOWS\system32\mfclk32.exe
C:\WINDOWS\winol32.exe
C:\WINDOWS\system32\ipxt.exe
C:\WINDOWS\System\winlogon.exe
C:\WINDOWS\system32\ir50_qcx.exe
PowerReg Scheduler V3.exe
c:\windows\start.chm
c:\windows\system32\c_10230.dll


Next
Click Start, Click Run, Type RegEdit in the box, Navigate to the following keys, Check them twice to be sure you have the right one, Then right Click and Delete
Using RegEdit, carefully remove the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}


Restart your computer,

Run AboutBuster again please, Again save the log from it and post back all the logs from AboutBuster and a fresh HJT log please.

Restart HJT and post back a fresh log.

Don

OK, Good news...my computer is running faster and a lot better...

Bad news the heretofind.com jack is still there...

First off here are the buster logs...

Scanned at: 9:00:32 PM on: 8/30/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 3 Random Key Entries
Removed! : C:\WINDOWS\aagvx.dat
Removed! : C:\WINDOWS\abvis.dat
Removed! : C:\WINDOWS\addmw.dll
Removed! : C:\WINDOWS\addoc.exe
Removed! : C:\WINDOWS\addus.exe
Removed! : C:\WINDOWS\aiprj.dat
Removed! : C:\WINDOWS\aiqoi.dat
Removed! : C:\WINDOWS\akgaf.dat
Removed! : C:\WINDOWS\aktpz.dat
Removed! : C:\WINDOWS\apiit32.exe
Removed! : C:\WINDOWS\apite.dll
Removed! : C:\WINDOWS\appvb.dll
Removed! : C:\WINDOWS\bantc.dat
Removed! : C:\WINDOWS\bdvam.dat
Removed! : C:\WINDOWS\bhuej.dat
Removed! : C:\WINDOWS\bsnfll.dat
Removed! : C:\WINDOWS\bwqwa.dat
Removed! : C:\WINDOWS\cazgl.dll
Removed! : C:\WINDOWS\cjxfo.dll
Removed! : C:\WINDOWS\cqkle.dat
Removed! : C:\WINDOWS\czbtn.dat
Removed! : C:\WINDOWS\czbtn.dll
Removed! : C:\WINDOWS\d3vt.dll
Removed! : C:\WINDOWS\dkcqn.dat
Error Removing! : C:\WINDOWS\dsgmyy.dat
Removed! : C:\WINDOWS\dtsly.dll
Removed! : C:\WINDOWS\dzcgus.dat
Removed! : C:\WINDOWS\echky.dat
Removed! : C:\WINDOWS\ekwhu.dll
Removed! : C:\WINDOWS\etscy.dat
Removed! : C:\WINDOWS\exooo.dat
Removed! : C:\WINDOWS\fdywi.dat
Removed! : C:\WINDOWS\fdywi.dll
Removed! : C:\WINDOWS\fgaxc.dat
Removed! : C:\WINDOWS\fgqfcl.dat
Removed! : C:\WINDOWS\fpwbvi.dat
Removed! : C:\WINDOWS\fsyai.dll
Removed! : C:\WINDOWS\gglro.dll
Removed! : C:\WINDOWS\ghwpjj.dat
Removed! : C:\WINDOWS\gikkjq.dat
Removed! : C:\WINDOWS\gjlup.dat
Removed! : C:\WINDOWS\gksrbc.dat
Removed! : C:\WINDOWS\hbqoa.dat
Removed! : C:\WINDOWS\hlpvg.dat
Removed! : C:\WINDOWS\ieaepr.dat
Removed! : C:\WINDOWS\iecho.dat
Removed! : C:\WINDOWS\ieli.exe
Removed! : C:\WINDOWS\ietq.exe
Error Removing! : C:\WINDOWS\ieui.dll
Removed! : C:\WINDOWS\ipla.exe
Removed! : C:\WINDOWS\ippf.exe
Removed! : C:\WINDOWS\ixnzax.dat
Removed! : C:\WINDOWS\javapq.dll
Removed! : C:\WINDOWS\javavt.exe
Removed! : C:\WINDOWS\jegxvb.dat
Removed! : C:\WINDOWS\jlvii.dat
Removed! : C:\WINDOWS\jmfpm.dat
Removed! : C:\WINDOWS\jrfqi.dat
Removed! : C:\WINDOWS\kjtss.dat
Removed! : C:\WINDOWS\kwdjp.dat
Removed! : C:\WINDOWS\kwdjp.dll
Removed! : C:\WINDOWS\lhelh.dat
Removed! : C:\WINDOWS\lhtyf.dll
Removed! : C:\WINDOWS\lmolp.dat
Removed! : C:\WINDOWS\lutrt.dat
Removed! : C:\WINDOWS\lypdd.dat
Removed! : C:\WINDOWS\mfccy.exe
Removed! : C:\WINDOWS\mfcjv.exe
Removed! : C:\WINDOWS\mfcnt.exe
Removed! : C:\WINDOWS\mfctm.exe
Removed! : C:\WINDOWS\mfgsl.dat
Removed! : C:\WINDOWS\mnbmt.dat
Removed! : C:\WINDOWS\mnbmt.dll
Removed! : C:\WINDOWS\msom32.exe
Removed! : C:\WINDOWS\mszzf.dat
Removed! : C:\WINDOWS\mszzf.dll
Removed! : C:\WINDOWS\nettj32.exe
Removed! : C:\WINDOWS\ntma32.dll
Removed! : C:\WINDOWS\ntpg.exe
Removed! : C:\WINDOWS\ntwf32.dll
Removed! : C:\WINDOWS\oeiao.dat
Removed! : C:\WINDOWS\oeiao.dll
Removed! : C:\WINDOWS\oolls.dat
Removed! : C:\WINDOWS\oqdite.dat
Removed! : C:\WINDOWS\oqyhxi.dat
Removed! : C:\WINDOWS\pbuwb.dat
Removed! : C:\WINDOWS\peeub.dat
Removed! : C:\WINDOWS\plhgn.dat
Removed! : C:\WINDOWS\plhgn.dll
Removed! : C:\WINDOWS\popqe.dat
Removed! : C:\WINDOWS\pwhskr.dat
Removed! : C:\WINDOWS\qjzhf.dat
Removed! : C:\WINDOWS\qrinr.dll
Removed! : C:\WINDOWS\qrzba.dat
Removed! : C:\WINDOWS\qrzba.dll
Removed! : C:\WINDOWS\qsqoxx.dat
Removed! : C:\WINDOWS\rcech.dat
Removed! : C:\WINDOWS\rcech.dll
Removed! : C:\WINDOWS\rlvqo.dll
Removed! : C:\WINDOWS\rnrih.dat
Removed! : C:\WINDOWS\rpkday.dat
Removed! : C:\WINDOWS\rymog.dat
Removed! : C:\WINDOWS\sagyf.dat
Removed! : C:\WINDOWS\sauaj.dat
Removed! : C:\WINDOWS\sauaj.dll
Removed! : C:\WINDOWS\sdkjg.exe
Removed! : C:\WINDOWS\sdkrl.exe
Removed! : C:\WINDOWS\shyas.dll
Removed! : C:\WINDOWS\sknrf.dat
Removed! : C:\WINDOWS\slchost.exe
Removed! : C:\WINDOWS\sndnx.dll
Removed! : C:\WINDOWS\snqpz.dll
Removed! : C:\WINDOWS\sobii.dat
Removed! : C:\WINDOWS\svahost.exe
Removed! : C:\WINDOWS\swchost.exe
Removed! : C:\WINDOWS\sysft.exe
Removed! : C:\WINDOWS\tkmaq.dat
Removed! : C:\WINDOWS\tkmaq.dll
Removed! : C:\WINDOWS\tntyb.dat
Removed! : C:\WINDOWS\txmokx.dat
Removed! : C:\WINDOWS\ugbua.dat
Removed! : C:\WINDOWS\ukbasu.dat
Removed! : C:\WINDOWS\ulywh.dat
Removed! : C:\WINDOWS\ulywh.dll
Removed! : C:\WINDOWS\unrpd.dat
Removed! : C:\WINDOWS\uzvfm.dat
Removed! : C:\WINDOWS\viyrc.dat
Removed! : C:\WINDOWS\viyrc.dll
Removed! : C:\WINDOWS\vkgbg.dll
Removed! : C:\WINDOWS\vlyta.dat
Removed! : C:\WINDOWS\vrhol.dat
Removed! : C:\WINDOWS\vrhol.dll
Removed! : C:\WINDOWS\winex.exe
Removed! : C:\WINDOWS\winhw32.exe
Removed! : C:\WINDOWS\winol32.exe
Removed! : C:\WINDOWS\wolcpy.dat
Removed! : C:\WINDOWS\xajku.dat
Removed! : C:\WINDOWS\xajku.dll
Removed! : C:\WINDOWS\xhwjx.dat
Removed! : C:\WINDOWS\xhwjx.dll
Removed! : C:\WINDOWS\ykcow.dat
Removed! : C:\WINDOWS\ykcow.dll
Removed! : C:\WINDOWS\yrayc.dat
Removed! : C:\WINDOWS\zklyl.dat
Removed! : C:\WINDOWS\System32\abutl.dat
Removed! : C:\WINDOWS\System32\abutl.dll
Removed! : C:\WINDOWS\System32\addmd32.exe
Removed! : C:\WINDOWS\System32\addtf.exe
Removed! : C:\WINDOWS\System32\aegtk.dat
Removed! : C:\WINDOWS\System32\apagk.dat
Removed! : C:\WINDOWS\System32\apihk32.exe
Removed! : C:\WINDOWS\System32\apiiw.exe
Removed! : C:\WINDOWS\System32\aqpyh.dat
Removed! : C:\WINDOWS\System32\atlue32.exe
Removed! : C:\WINDOWS\System32\awraj.dat
Removed! : C:\WINDOWS\System32\bakue.dat
Removed! : C:\WINDOWS\System32\bcmdh.dat
Removed! : C:\WINDOWS\System32\bhvqk.dat
Removed! : C:\WINDOWS\System32\btjkv.dll
Removed! : C:\WINDOWS\System32\bwutx.dll
Removed! : C:\WINDOWS\System32\byeju.dat
Removed! : C:\WINDOWS\System32\cdfcz.dat
Removed! : C:\WINDOWS\System32\cniup.dat
Removed! : C:\WINDOWS\System32\cniup.dll
Removed! : C:\WINDOWS\System32\cris.exe
Removed! : C:\WINDOWS\System32\cvrxs.dat
Removed! : C:\WINDOWS\System32\cvrxs.dll
Removed! : C:\WINDOWS\System32\cztno.dll
Removed! : C:\WINDOWS\System32\d3df.exe
Removed! : C:\WINDOWS\System32\d3wp32.exe
Removed! : C:\WINDOWS\System32\dcfoi.dat
Removed! : C:\WINDOWS\System32\dpfke.dll
Removed! : C:\WINDOWS\System32\efmcg.dat
Removed! : C:\WINDOWS\System32\envna.dll
Removed! : C:\WINDOWS\System32\fvfpd.dat
Removed! : C:\WINDOWS\System32\gydmf.dat
Removed! : C:\WINDOWS\System32\gydmf.dll
Removed! : C:\WINDOWS\System32\hmedh.dat
Removed! : C:\WINDOWS\System32\hvumh.dat
Removed! : C:\WINDOWS\System32\idvpq.dat
Removed! : C:\WINDOWS\System32\iewn.exe
Removed! : C:\WINDOWS\System32\ikbcp.dat
Removed! : C:\WINDOWS\System32\ipxt.exe
Removed! : C:\WINDOWS\System32\iudqk.dll
Removed! : C:\WINDOWS\System32\ivzyg.dat
Removed! : C:\WINDOWS\System32\javaje32.dll
Removed! : C:\WINDOWS\System32\jcpez.dll
Removed! : C:\WINDOWS\System32\jepge.dat
Removed! : C:\WINDOWS\System32\kkjqg.dat
Removed! : C:\WINDOWS\System32\klnqz.dat
Removed! : C:\WINDOWS\System32\kuayr.dat
Removed! : C:\WINDOWS\System32\kwoev.dat
Removed! : C:\WINDOWS\System32\lcymv.dll
Removed! : C:\WINDOWS\System32\leasj.dat
Removed! : C:\WINDOWS\System32\leasj.dll
Removed! : C:\WINDOWS\System32\lvoki.dat
Removed! : C:\WINDOWS\System32\mfclk32.exe
Removed! : C:\WINDOWS\System32\mqcxn.dat
Removed! : C:\WINDOWS\System32\mqcxn.dll
Removed! : C:\WINDOWS\System32\mrjnr.dat
Removed! : C:\WINDOWS\System32\mscc.exe
Removed! : C:\WINDOWS\System32\mylun.dat
Removed! : C:\WINDOWS\System32\mylun.dll
Removed! : C:\WINDOWS\System32\nimcm.dat
Removed! : C:\WINDOWS\System32\nqclx.dat
Removed! : C:\WINDOWS\System32\ntdyd.dat
Removed! : C:\WINDOWS\System32\oarww.dat
Removed! : C:\WINDOWS\System32\oarww.dll
Removed! : C:\WINDOWS\System32\obced.dat
Removed! : C:\WINDOWS\System32\oiiiy.dll
Removed! : C:\WINDOWS\System32\ovskc.dll
Removed! : C:\WINDOWS\System32\pbvik.dat
Removed! : C:\WINDOWS\System32\pgrnc.dat
Removed! : C:\WINDOWS\System32\pylgq.dat
Removed! : C:\WINDOWS\System32\pzuto.dat
Removed! : C:\WINDOWS\System32\qfhuw.dat
Removed! : C:\WINDOWS\System32\qppai.dat
Removed! : C:\WINDOWS\System32\qsqox.dat
Removed! : C:\WINDOWS\System32\quarm.dat
Removed! : C:\WINDOWS\System32\qxjwd.dll
Removed! : C:\WINDOWS\System32\rahov.dat
Removed! : C:\WINDOWS\System32\rgeks.dat
Removed! : C:\WINDOWS\System32\rgeks.dll
Removed! : C:\WINDOWS\System32\rjari.dll
Removed! : C:\WINDOWS\System32\rxkny.dll
Removed! : C:\WINDOWS\System32\sdkad32.exe
Removed! : C:\WINDOWS\System32\sdklw.exe
Removed! : C:\WINDOWS\System32\shbev.dat
Removed! : C:\WINDOWS\System32\tdyrk.dat
Removed! : C:\WINDOWS\System32\tdyrk.dll
Removed! : C:\WINDOWS\System32\tvxns.dll
Removed! : C:\WINDOWS\System32\uoiii.dat
Removed! : C:\WINDOWS\System32\uqtxs.dat
Removed! : C:\WINDOWS\System32\usahw.dat
Removed! : C:\WINDOWS\System32\uwkwj.dat
Removed! : C:\WINDOWS\System32\vlxgc.dat
Removed! : C:\WINDOWS\System32\winih32.exe
Removed! : C:\WINDOWS\System32\winre32.exe
Removed! : C:\WINDOWS\System32\winvq32.exe
Removed! : C:\WINDOWS\System32\wycao.dat
Removed! : C:\WINDOWS\System32\wzdsw.dll
Removed! : C:\WINDOWS\System32\xieis.dat
Removed! : C:\WINDOWS\System32\xkryh.dat
Removed! : C:\WINDOWS\System32\xswuu.dat
Removed! : C:\WINDOWS\System32\xzacy.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 3 Random Key Entries
Removed! : C:\WINDOWS\dsgmyy.dat
Removed! : C:\WINDOWS\ieui.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 9:40:10 PM on: 8/30/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 6 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 6 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

The one I did after safe mode was identical...

Now here's where it gets messed up...

HJT Logs...
BEFORE THE REBOOT...

Logfile of HijackThis v1.98.2
Scan saved at 9:10:18 PM, on 8/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\About Buster\AboutBuster\AboutBuster.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Registration The Political Machine.LNK = C:\Program Files\Ubisoft\Stardock\PolMachine\Ubisoft\RegistrationReminder.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093904653546
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GINWORDS Class) - http://66.98.132.156/g_bin_eng/words_2_0_0_20.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

HERE IS AFTER THE REBOOT:

Logfile of HijackThis v1.98.2
Scan saved at 9:47:48 PM, on 8/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Registration The Political Machine.LNK = C:\Program Files\Ubisoft\Stardock\PolMachine\Ubisoft\RegistrationReminder.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093904653546
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GINWORDS Class) - http://66.98.132.156/g_bin_eng/words_2_0_0_20.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

HERE IS AN ERROR I GOT WHILE IN SAFE MODE ON HJT:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O21 - SSODL: SysTray.Ex - {F5B7D0BE-5f02-4255-96DB-386DFA244900} - (no file))
Error #62 - Input past end of file

Please email me at [email protected], reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2600.0000
HijackThis version: 1.98.2

This message has been copied to your clipboard.

Pretty much, the deal is...the computer is running a lot faster but the hijack is still there...I am going to buy NAV 2004 this week and update my software. Any way, where do I go from here...

Mike

Mike we are rid of one of the hijackers, Now lets see if we can get heretofind,
Have HJT fix the following same way as above

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=


Again go to RegEdit same way as above and search for and Delete

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{9DBB80E2-B681-4765-8A5F-AD3994C9B4F3}


Next Reboot to safe mode. (By tapping the F8 key on start up)
Search for and delete,
c:\windows\start.chm
c:\windows\system32\c_10230.dll

While still in safe mode,
Remove all the files and sub-folders from the below TEMP Folders: (But not the Main Temp Folders, Just whats inside them )

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp
The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .

Restart your computer
Make sure Ad-aware is updates and rescan with Ad-aware and fix all it finds,

Next go Here and download Service Pack1 for IE.

Post back a fresh log after you have done the above please

I started to run HiJackThis like you said and the offending entries kept popping back up, so I went ahead and rebooted to safe mode first thing.

I took care of the items on the list, then I went to remove the registry items and files you asked me to. None of the files were present.

I then dumped the files (and subfolders) in the following locations:

C:/Documents and Settings/Default User/Local Settings/Temp
C:/WINDOWS/Temp

I did not find a top level C: drive folder named Temp.

I restarted Windows and ran Ad-Aware, it found two more regf***s and about 16 data miners in my system and I took care of that. I also went to WindowsUpdate and took care of that, also.

Here is the results:
Logfile of HijackThis v1.98.2
Scan saved at 12:45:10 PM, on 8/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\gearsec.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Registration The Political Machine.LNK = C:\Program Files\Ubisoft\Stardock\PolMachine\Ubisoft\RegistrationReminder.exe
O4 - Global Startup: LimeWire 4.0.8.lnk = C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093904653546
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GINWORDS Class) - http://66.98.132.156/g_bin_eng/words_2_0_0_20.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

I just wanna say You gotz the skillz to pay the billz. You have vanquished the demons in my computer and ... well, you just rock. Thank you so much for your help. I really appreciate you taking time out to help me.

Mike

P.S. I have one more question before I let you go. How do I get my computer to COMPLETE a defrag. Everytime I leave it on overnight, it's never even close to halfway done.

Thats great Mike, Log looks clean now. And your very welcome
With all the crap you had running on your system I could see why it would run all night defragging,
Try defragging from safe mode first off, If you haven't done it in a while or if it never finished it might take a while just the same,

For some reason it is not showing you have service pack 1 for XP or IE 6

Download the following programs, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.

Download Spyware Blaster and SpywareGaurd

Let us know if you have any further problems