Full Version: they're back
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
eure_maum
da** imbum.com. whatever the hell they got that pops up on every single page got me. i now have those wonderful pop ups coming back. they aren't as bad as before, but i got a gut feeling that it put a ton of crap on my computer. so, here's my loglist from hijackthis.

Logfile of HijackThis v1.98.2
Scan saved at 10:53:56 PM, on 9/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
E:\LiveJournal\Semagic\LiveJournal.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\memturbo\memturbo.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Extreme Messenger for AIM] E:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Semagic] E:\LiveJournal\Semagic\LiveJournal.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\memturbo\memturbo.exe
O4 - Startup: Semagic.lnk = E:\LiveJournal\Semagic\LiveJournal.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

please kindly help me. oye. i hate my freakin hate this.
LoPhatPhuud
Well, less than three weeks and you're back. I see you did not bother to take any of the suggestions I made for spyware/malware protection. If you had taken the time to install them, you would not have been infected. It's your choice: take a few moments out to protect yourself, or keep being infected.

Check the following items in HiJackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.
eure_maum
Logfile of HijackThis v1.98.2
Scan saved at 8:10:08 AM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
E:\LiveJournal\Semagic\LiveJournal.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\memturbo\memturbo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKCU\..\Run: [Extreme Messenger for AIM] E:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Semagic] E:\LiveJournal\Semagic\LiveJournal.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: MemTurbo.lnk = C:\memturbo\memturbo.exe
O4 - Startup: Semagic.lnk = E:\LiveJournal\Semagic\LiveJournal.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
LoPhatPhuud
First:
Download DLLCompare from here:
http://download.broadbandmedic.com/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Download LSPfix here: www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish

Reboot


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=

R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL

O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\se\ <-- delete entire folder
C:\PROGRA~1\ezula\ <-- delete entire folder
C:\PROGRA~1\Web Offer\ <-- delete entire folder

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 1.98.2 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Then run HiJackThis again and post a new log in this thread.
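The fix list above was built by comparing the 9/28 log with the 9/27 one: every item LoPhatPhuud asks to check is a line that appeared between the two scans (the search-exe.com R1 entries, the R3 URLSearchHook, the eZula O4 entries, the calsp.dll O10 LSP entries). The script below, added here as an example and not code from the thread or from HijackThis, automates that comparison. It parses the process list and the section entries of two logs, reports what was added or removed, and counts how many R-type entries point at the same host, which is the pattern of a search hijack. The two logs are shortened excerpts constructed from the ones posted above; the entry regex only covers the R/F/N/O line shapes seen in this thread.

```python
"""Diff two HijackThis logs to surface what changed between scans.

Added example: not code from the thread, from HijackThis, or from the
forum helper. BEFORE and AFTER are shortened excerpts constructed from
the 9/27 and 9/28 logs posted in the thread (same line formats).
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section code such as "O4", remainder of the line)

# Constructed excerpt of the first (9/27/2004) log.
BEFORE = r"""
Logfile of HijackThis v1.98.2
Scan saved at 10:53:56 PM, on 9/27/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\AIM\aim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://imbum.com/Imbum_bw.cab
"""

# Constructed excerpt of the second (9/28/2004) log.
AFTER = r"""
Logfile of HijackThis v1.98.2
Scan saved at 8:10:08 AM, on 9/28/2004

Running processes:
C:\WINNT\System32\smss.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\AIM\aim.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""

# Section lines look like "O4 - ...", "R1 - ...", "N1 - ...", "F2 - ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Host part of a value such as "http://host/path" or "www.host.com/".
HOST_RE = re.compile(r"^(?:https?://)?([\w.-]+)")


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into its process list and its section entries."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line closes the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"processes": processes, "entries": entries}


def _unique(seq: list) -> list:
    """Drop duplicates (e.g. one O10 line per protocol) but keep log order."""
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def diff_hjt(before_text: str, after_text: str) -> Dict[str, list]:
    """Entries and processes that appeared in, or vanished from, the newer log."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    b_entries, a_entries = set(before["entries"]), set(after["entries"])
    b_procs = {p.lower() for p in before["processes"]}   # paths are case-insensitive
    return {
        "added": [e for e in _unique(after["entries"]) if e not in b_entries],
        "removed": [e for e in _unique(before["entries"]) if e not in a_entries],
        "new_processes": [p for p in _unique(after["processes"]) if p.lower() not in b_procs],
    }


def search_hosts(entries: List[Entry], min_count: int = 2) -> Dict[str, int]:
    """Hosts that several R-type (IE start/search page) entries point at."""
    counts: Dict[str, int] = {}
    for code, body in entries:
        if not code.startswith("R") or " = " not in body:
            continue
        m = HOST_RE.match(body.split(" = ", 1)[1].strip())
        if m:
            host = m.group(1).lower()
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    delta = diff_hjt(BEFORE, AFTER)
    for label in ("added", "removed", "new_processes"):
        print(f"== {label} ==")
        for item in delta[label]:
            print("  ", item if isinstance(item, str) else f"{item[0]} - {item[1]}")
    print("== hosts hit by several R entries ==", search_hosts(parse_hjt(AFTER)["entries"]))
```

Read the "added" list against the helper's fix list: the only differences are the O6 policy line (present in both scans) and the pre-existing R0 entries, which is exactly why a diff is a good first filter when a user posts a second log.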
eure_maum
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\ahaamon.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\attxprxy.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\ajaamon.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\ajledit.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\aasldp.dll Mon Sep 27 2004 10:47:04p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\akvpack.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\afvpack.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\abledit.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\awsmib.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\arledit.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\ducapi.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\dvcapi.dll Thu May 6 2004 5:43:52p ..SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\aevpack.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\abvpack.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\ajmparse.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\artxprxy.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\awsetupc.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\asledit.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\acptif.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\mmstkprp.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\aiaamon.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\ahsetupc.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\alledit.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\aqsldp.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\atsetupc.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\abaamon.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\abtxprxy.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\afledit.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\vuscript.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\ayledit.dll Sun Aug 29 2004 1:02:54p ..SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\aftxprxy.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\agaamon.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\axtxprxy.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\aatxprxy.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\agvpack.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\ahledit.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\afmparse.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\apaamon.dll Mon Sep 27 2004 10:47:04p ..SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\aoledit.dll Mon Sep 27 2004 10:47:04p A.SHR 320,872 313.35 K
________________________________________________

1,154 items found: 1,154 files (39 H/S), 0 directories.
Total of file sizes: 208,417,012 bytes 198.76 M

Administrator Account = True

--------------------End log---------------------
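What makes the DLLCompare log above suspicious is not any single file name but the pattern: dozens of hidden+system DLLs in SYSTEM32 with meaningless names, sharing exactly the same size and write time in batches (320,872 bytes on Aug 29, 316,776 bytes on May 6, 320,872 bytes again on Sep 27). The VX2Finder log later in the thread lists the same names. The script below, added here as an example and not code from the thread or from DLLCompare, parses the log's line format and groups files by (size, timestamp) so those batches stand out. The excerpt is constructed from the posted log with one made-up ordinary file (example_unique.dll) added for contrast; the "same size and stamp, hidden and system" heuristic is an assumption drawn from this log, not a rule DLLCompare itself applies.

```python
"""Cluster a DLLCompare log by file size and timestamp.

Added example: not code from the thread or from DLLCompare. SAMPLE_LOG is
a constructed excerpt of the log posted above plus one invented benign
entry (example_unique.dll) so that the clustering has something to ignore.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = r"""
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\ahaamon.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\attxprxy.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\ajaamon.dll Sun Aug 29 2004 1:02:54p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\aasldp.dll Mon Sep 27 2004 10:47:04p A.SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\apaamon.dll Mon Sep 27 2004 10:47:04p ..SHR 320,872 313.35 K
C:\WINNT\SYSTEM32\afvpack.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\abledit.dll Thu May 6 2004 5:43:52p A.SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\dvcapi.dll Thu May 6 2004 5:43:52p ..SHR 316,776 309.35 K
C:\WINNT\SYSTEM32\example_unique.dll Thu May 6 2004 5:43:52p A.... 12,345 12.06 K
________________________________________________

1,154 items found: 1,154 files (39 H/S), 0 directories.
"""

# path  weekday mon day year h:mm:ssa/p  attrs(5 chars, e.g. A.SHR)  size  human size
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+"
)


class Record(NamedTuple):
    path: str
    stamp: str
    attrs: str   # DLLCompare attribute column; S = system, H = hidden, R = read-only
    size: int    # bytes


def parse_dllcompare(text: str) -> List[Record]:
    """Keep only the file lines; header, rule and summary lines do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(m["path"], m["stamp"], m["attrs"],
                                  int(m["size"].replace(",", ""))))
    return records


def cluster_by_size_and_stamp(records: List[Record], min_members: int = 3) -> List[List[Record]]:
    """Group files with identical size and write time; return groups of min_members or more.

    Largest groups first, ties broken by size, so the output is stable.
    """
    groups: Dict[Tuple[int, str], List[Record]] = defaultdict(list)
    for r in records:
        groups[(r.size, r.stamp)].append(r)
    clusters = [g for g in groups.values() if len(g) >= min_members]
    clusters.sort(key=lambda g: (-len(g), g[0].size))
    return clusters


def hidden_system_files(records: List[Record]) -> List[Record]:
    """Files carrying both the System and Hidden attributes."""
    return [r for r in records if "S" in r.attrs and "H" in r.attrs]


def summarize(records: List[Record], min_members: int = 3) -> str:
    lines = [f"{len(records)} files parsed, {len(hidden_system_files(records))} hidden+system"]
    for group in cluster_by_size_and_stamp(records, min_members):
        lines.append(f"{len(group)} files of {group[0].size:,} bytes written {group[0].stamp}:")
        lines.extend("    " + r.path for r in group)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_dllcompare(SAMPLE_LOG)))
```

With the full log posted above the same grouping yields just three clusters covering all 39 files, which is the kind of evidence that justifies moving on to a family-specific tool like VX2Finder rather than deleting files one by one.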
eure_maum
Logfile of HijackThis v1.98.2
Scan saved at 6:18:24 PM, on 9/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
E:\LiveJournal\Semagic\LiveJournal.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\memturbo\memturbo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Extreme Messenger for AIM] E:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Semagic] E:\LiveJournal\Semagic\LiveJournal.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\memturbo\memturbo.exe
O4 - Startup: Semagic.lnk = E:\LiveJournal\Semagic\LiveJournal.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
LoPhatPhuud
That looks much better, one last check.

=== Download Needed Programs ===
Download the following tool and install it in its own folder:
http://download.broadbandmedic.com/VX2Finder(126).exe
http://www.downloads.subratam.org/VX2Finder(126).exe

=== Get Name of Hidden dll ===
Run vx2finder(126).exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review
eure_maum
Log for VX2.BetterInternet File Finder (msg126)

Files Found---
C:\WINNT\system32\aasldp.dll
C:\WINNT\system32\aatxprxy.dll
C:\WINNT\system32\aeledit.dll
C:\WINNT\system32\afmparse.dll
C:\WINNT\system32\aftxprxy.dll
C:\WINNT\system32\agaamon.dll
C:\WINNT\system32\agvpack.dll
C:\WINNT\system32\ahaamon.dll
C:\WINNT\system32\ahledit.dll
C:\WINNT\system32\ahsetupc.dll
C:\WINNT\system32\ahvpack.dll
C:\WINNT\system32\ajaamon.dll
C:\WINNT\system32\ajledit.dll
C:\WINNT\system32\akvpack.dll
C:\WINNT\system32\ansmib.dll
C:\WINNT\system32\aoledit.dll
C:\WINNT\system32\apaamon.dll
C:\WINNT\system32\arledit.dll
C:\WINNT\system32\attxprxy.dll
C:\WINNT\system32\axtxprxy.dll
C:\WINNT\system32\ayledit.dll
C:\WINNT\system32\wbaueng.dll

Additional Files---
C:\WINNT\system32\lspak.dll
C:\DOCUME~1\BLACKA~1\LOCALS~1\Temp\upd126.exe

Keys Under Notify---
crypt32chain
cryptnet
cscdll
NavLogon
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---
{8211237C-FDF8-4B0F-B978-1DAFCF169E22}
LoPhatPhuud
=== Look2me VX2.BetterInternet Fix for Win 2K and XP only ===

=== Delete Hidden dll, Guardian key, User Agent; Restore Security Policies ===
Sign off and stay off the internet until the entire procedure is complete.

Run vx2finder(126).exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all the files but one, which will be deleted on reboot.
Allow program to reboot

Once Restarted:
a. Press 'Guardian.reg'
b. Press 'User Agent'
c. Press 'Restore Policy'

=== Remove Remaining Infection ===
Download and install the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.


=== Verify Removal ===
Run vx2finder(126).exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Run HiJackThis and post a new log in this thread
eure_maum
sorry that this took so long to get done. got diverted by my literature review for my senior thesis which is due real soon. anyway, onto the logs.

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
NavLogon
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---


Logfile of HijackThis v1.98.2
Scan saved at 10:40:26 PM, on 10/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\memturbo\memturbo.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wisptis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Extreme Messenger for AIM] E:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Semagic] E:\LiveJournal\Semagic\LiveJournal.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\memturbo\memturbo.exe
O4 - Startup: Semagic.lnk = E:\LiveJournal\Semagic\LiveJournal.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
LoPhatPhuud
One left over item and we are done!

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\Viewpoint\Viewpoint Manager\ <-- delete entire folder

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 1.98.2 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Run HiJackThis again and post a new log in this thread.
eure_maum
Logfile of HijackThis v1.98.2
Scan saved at 10:16:25 PM, on 10/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\mxserver.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
E:\LiveJournal\Semagic\LiveJournal.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\memturbo\memturbo.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/users/eure_maum/friends
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Extreme Messenger for AIM] E:\Extreme Messenger\ExtremeMessenger.exe nosplash
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Semagic] E:\LiveJournal\Semagic\LiveJournal.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\memturbo\memturbo.exe
O4 - Startup: Semagic.lnk = E:\LiveJournal\Semagic\LiveJournal.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
LoPhatPhuud
At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
d. Bugoff: http://tools.zerosrealm.com/bugoff.zip

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

Before adding any other Spyware Detection and Removal programs, always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
eure_maum
thank you! downloaded all of your recommendations. only one question, what the heck does bugoff do??? *shrugs* anywayz, thank ye for ur help. now that i got all that anti-spyware stuff u said to download hopefully i won't need ur help anymore after i fully get my friends computer fixed. ahah.gif
LoPhatPhuud
Bugoff closes the last two holes that Internet Explorer has. Merijn's site has all the info on it: http://spywareinfo.com/~merijn/