HJT Log - This thing is driving me insane!

mai
Reply Mon 27 Dec, 2004 11:25 pm
Hi,

I've got the SearchWeb2.com problem. My comp's been hijacked for the last time; here's my log, maybe you can shed some light.

Much thanks in advance!

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\KMaestro\KMaestro.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MIrwin\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eahnmjligrmidmudbyvuugsot.uk/LEqL/2HFmLfrl8BvjxDj4vFdIb2zme3_8UlORLEYtHiY2afYvosUYPS5YhDAurC1.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qldgomphzbjjnqxjmqnjks.net/LEqL/2HFmLd8hLXTRpGUC1MVl8emdX2zrMTG5t8ZLuA.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: TChkBHO Class - {B5B25B3D-7333-417D-868A-1640E398B5E3} - C:\WINDOWS\system32\idaiurn.dll (file missing)
O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O2 - BHO: (no name) - {BF91D22B-AFD8-2143-2B53-4AF2A1838CB1} - C:\DOCUME~1\MIRWIN~1\APPLIC~1\MODESK~1\kind corn.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Eggs coal drv bird] C:\Documents and Settings\All Users\Application Data\LiteNewEggsCoal\aboutblue.exe
O4 - HKCU\..\Run: [Bike Idle] C:\DOCUME~1\MIRWIN~1\APPLIC~1\FASTID~1\up 4 first.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\\Steam.exe -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095029264296
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19


Don77
Reply Tue 28 Dec, 2004 07:29 am
Hi mai and welcome to A2K,
Run this please lop uninstaller
Reboot

You left out the top part of the HJT log; we need to see that.
If you're running a version older than 1.92.0,
you need to create a dedicated folder for it, please.
If you're unsure of what version you're running, post back a fresh log so we can have a look at it prior to making the fixes. Version 1.98.2 and current create a folder for the backups; if you're not running the newer versions you will end up with backups all over your desktop.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eahnmjligrmidmudbyvuugsot.uk/LEqL/2HFmLfrl8BvjxDj4vFdIb2zme3_8UlORLEYtHiY2afYvosUYPS5YhDAurC1.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qldgomphzbjjnqxjmqnjks.net/LEqL/2HFmLd8hLXTRpGUC1MVl8emdX2zrMTG5t8ZLuA.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: TChkBHO Class - {B5B25B3D-7333-417D-868A-1640E398B5E3} - C:\WINDOWS\system32\idaiurn.dll (file missing)
O2 - BHO: (no name) - {BF91D22B-AFD8-2143-2B53-4AF2A1838CB1} - C:\DOCUME~1\MIRWIN~1\APPLIC~1\MODESK~1\kind corn.exe
O4 - HKLM\..\Run: [Eggs coal drv bird] C:\Documents and Settings\All Users\Application Data\LiteNewEggsCoal\aboutblue.exe
O4 - HKCU\..\Run: [Bike Idle] C:\DOCUME~1\MIRWIN~1\APPLIC~1\FASTID~1\up 4 first.exe


Next, reboot to safe mode (by tapping the F8 key on startup). Make sure you can view all Hidden Files/Folders, then search for and delete the above files highlighted in BOLD:
C:\WINDOWS\system32\idaiurn.dll
C:\DOCUME~1\MIRWIN~1\APPLIC~1\MODESK~1\kind corn.exe << Delete any associated folder with this file
C:\Documents and Settings\All Users\Application Data\LiteNewEggsCoal\aboutblue.exe << Delete any associated folder with this file
C:\DOCUME~1\MIRWIN~1\APPLIC~1\FASTID~1\up 4 first.exe << Delete any associated folder with this file

Restart your computer and post back a fresh log, please.

mai
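The triage Don77 does by eye above (non-vendor start/search URLs, a hosts-file override, a BHO whose DLL is missing or lives under Application Data, Run entries that launch from a profile folder) can be written down as rules over the HJT entry lines. The following is an added example by the editor, not code from the thread or from HijackThis; the heuristics and the allow-list of vendor domains are the editor's assumptions, and the sample input reproduces the entries of the first log posted, with the fused O1 line written as the two separate entries HJT normally prints.

```python
"""Parse HijackThis (HJT) log entries and flag the ones a helper would ask to
"Fix Checked". Added example; rules below are editorial heuristics, not HJT's."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample input: entry lines taken from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eahnmjligrmidmudbyvuugsot.uk/LEqL/2HFmLfrl8BvjxDj4vFdIb2zme3_8UlORLEYtHiY2afYvosUYPS5YhDAurC1.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qldgomphzbjjnqxjmqnjks.net/LEqL/2HFmLd8hLXTRpGUC1MVl8emdX2zrMTG5t8ZLuA.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: TChkBHO Class - {B5B25B3D-7333-417D-868A-1640E398B5E3} - C:\WINDOWS\system32\idaiurn.dll (file missing)
O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O2 - BHO: (no name) - {BF91D22B-AFD8-2143-2B53-4AF2A1838CB1} - C:\DOCUME~1\MIRWIN~1\APPLIC~1\MODESK~1\kind corn.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Eggs coal drv bird] C:\Documents and Settings\All Users\Application Data\LiteNewEggsCoal\aboutblue.exe
O4 - HKCU\..\Run: [Bike Idle] C:\DOCUME~1\MIRWIN~1\APPLIC~1\FASTID~1\up 4 first.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\\Steam.exe -silent
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
"""

# Every HJT entry line starts with a section tag such as R0, O2, O16.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A program living under a profile's Application Data folder (short or long name).
PROFILE_PATH_RE = re.compile(r"\\(APPLIC~1|Application Data)\\", re.IGNORECASE)
# Assumed allow-list: hosts treated as vendor defaults rather than a hijack.
VENDOR_DOMAINS = ("microsoft.com", "msn.com", "google.com")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def _vendor_host(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def _check(kind: str, body: str) -> Optional[str]:
    """Return why an entry should be fixed, or None if it looks benign."""
    if kind in ("R0", "R1"):
        _, _, value = body.partition(" = ")  # R entries are "key = value"
        if value.lower().startswith("http") and not _vendor_host(value):
            return "IE start/search URL points at a non-vendor host"
        return None
    if kind == "O1":
        # HJT only lists hosts entries that are not the default localhost line.
        return "hosts-file override pins a hostname to a fixed address"
    if kind == "O2":
        if "(file missing)" in body:
            return "BHO still registered but its DLL is gone (remnant)"
        if PROFILE_PATH_RE.search(body):
            return "BHO loaded from an Application Data folder"
        return None
    if kind == "O4":
        if PROFILE_PATH_RE.search(body):
            return "autostart entry runs a program from Application Data"
        return None
    return None  # O8/O9/O16/O17 etc. are left for manual review here


def triage(log_text: str) -> List[Finding]:
    """Walk the log and collect the entries the rules above object to."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        reason = _check(m["kind"], m["body"])
        if reason:
            findings.append(Finding(m["kind"], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run stand-alone it prints the eight entries a helper would check, and leaves the VCS3IESupport BHO and the Steam Run entry alone because both sit under Program Files. Note that Don77 also checked the Microsoft default URLs; the allow-list here treats those as vendor defaults, which is a judgement call and not what the thread did.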
Reply Tue 28 Dec, 2004 09:35 am
Hi,

Thanks for the quick reply. I ran the lop uninstaller and deleted that up for first.exe junk, but there's just one more thing I can't seem to delete.

kind corn.exe is either being run or I have no permission to delete it and its folder. When I try to delete, here's what I get:

"access is denied. make sure the disk is full-right protected etc... "

Curses, I can't find it in my processes if it is truly running. Anyway, here's my updated log with the top part (sorry, I'm a sloppy selector).

Logfile of HijackThis v1.98.2
Scan saved at 10:27:52 AM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\KMaestro\KMaestro.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\MIrwin\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: TChkBHO Class - {B5B25B3D-7333-417D-868A-1640E398B5E3} - C:\WINDOWS\system32\idaiurn.dll (file missing)
O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O2 - BHO: (no name) - {BF91D22B-AFD8-2143-2B53-4AF2A1838CB1} - C:\DOCUME~1\MIRWIN~1\APPLIC~1\MODESK~1\kind corn.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095029264296
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19

mai
Reply Tue 28 Dec, 2004 09:41 am
Woops,

I did forget to "fix checked" in HJT on the system32 and kind corn.exe junk. Of course I still can't delete the kind corn, though. I wish I could edit my last post.

-thanks

Logfile of HijackThis v1.98.2
Scan saved at 10:38:08 AM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\KMaestro\KMaestro.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\MIrwin\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: VCS3IESupport Class - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095029264296
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{24844A49-AA05-40EF-AA03-51188D83D0F9}: NameServer = 63.240.76.19,204.127.202.19

Don77
Reply Tue 28 Dec, 2004 02:35 pm
Hi again mai,
Can you log on under Admin on this computer?
You probably need to be logged on as the admin to delete the file.
I don't see it running on your system any longer.

Make sure you can view Hidden Files and Folders, search for
kind corn.exe and see if you can delete it.
Run HJT again and have it fix the following, same way as above:
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com


Also please go Here and update to AVG7. AVG6 is no longer supported.

Post back and let us know how you make out.