Hi, I've run all of the preliminary tests and updates that you suggest on your site before posting to this forum. The log from my kids' computer is below. I had to email this to my computer because when I try to post a new topic here from the other computer, I get redirected to porn sites and the browser is then closed. I have spybot and spyware guard running. Any thoughts?

Sincerely ~

~MaryLee

Logfile of HijackThis v1.98.2

Scan saved at 12:42:20 PM, on 8/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\PROMon.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\System32\P2P Networking\P2P Networking.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\yckefgvh.exe

C:\Program Files\WindowsSA\omniscient.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\StealthRay\StealthRay.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Microsoft Works\MSWorks.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Julia\Desktop\hijackthis\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {4A8F48DD-E880-4AB1-A2AB-3E02832F03D9} - C:\WINNT\System32\mfplay.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [izflyk] C:\WINNT\System32\yckefgvh.exe

O4 - HKLM\..\Run: [diskmain] C:\WINNT\system32\1054\diskmain.exe

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: PowerReg Scheduler.exe

O4 - Global Startup: LCDPlayer.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: StealthRay.lnk = C:\Program Files\StealthRay\StealthRay.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab

O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINNT\Java\ControlF1\STMeeting25.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...abbfe763eea522b

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab

O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab

O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/M...erstarTeleX.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093104133685

O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.com/teleport/unleashed/L...hedLotTeleX.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O16 - DPF: {F167B843-DB78-4966-8D48-B4A1EA465CFC} (MediaManager Class) - http://www.discwareonline.com/download/discware.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BFE771CA-4514-4C37-BFCA-A1A47C11F521}: NameServer = 216.17.128.1,216.17.128.2

O18 - Filter: text/html - {4F343794-942B-4CDF-A041-1EDAE0083357} - C:\WINNT\System32\mfplay.dll

O18 - Filter: text/plain - {4F343794-942B-4CDF-A041-1EDAE0083357} - C:\WINNT\System32\mfplay.dll

=== Step 1 - Get File Info ===

You have a CoolWebSearch variant which requires special treatment to fix.


Download FindnFix.exe from here:
http://www10.brinkster.com/expl0iter/freeatlast/FNF/ or
http://downloads.subratam.org/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.


Relax, sit back and wait a few minutes while the program collects the necessary information.


*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

My husband was finally home and able to run the fixes you mentioned. Here's the log. Any help you can offer would be greatly appreciated. I've also attached the other file he asked me to.

Thanks so much ~ MaryLee



»»»»»»»»»»»»»»»»»»***LOG!***(*updated *8/22*)»»»»»»»»»»»»»»»»

*System:
Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)
*IE version:
6.0.2800.1106 SP1-Q832894-Q330994-Q831167


__________________________________
!!*Creating backups...!!
__________________________________

*Local time:
Saturday, August 21, 2004 (8/21/2004)
8:07 PM, Mountain Daylight Time
*Uptime:
20:07:49 up 0 days, 7:43:41

*Path:
C:\FINDnFIX
----------------------------------------------------
»»Member of...: ("ADMIN" logon + group match required!)

User is a member of group JMME\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Group BUILTIN\Administrators matches list.
Group BUILTIN\Users matches list.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

User: [JMME\Mitch], is a member of:

BUILTIN\Administrators
\Everyone
JMME\None

Running in WORKSTATION MODE.

SystemDrive is C:
SystemRoot is C:\WINNT
Logon Domain is JMME
Administrator's Name is Mitch
Computer Name is JMME
LOGON SERVER is \\JMME

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided and registry scan should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove
without attempting to confirm it's nature!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
If in doubt, always search the file(s) and properties according to criteria!

The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

______________________________________________________________________________
***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
______________________________________________________________________________

......Scanning for file(s)...
*Note! The list(s) may include legitimate files!
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........
»»Read access error(s)...


»»»»» (*2*) »»»»»........

»»»»» (*3*) »»»»»........

unknown/hidden files...

»»»»» (*4*) »»»»».........
Sniffing..........

»»»»»(*5*)»»»»»

»»»»»(*6*)»»»»»

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...
*List of files and specs according to 'size' :
*Note: Not all files listed here are infected, but *may include* the
name and spces of the offending file...
___________________________________________________________________________


____________________________________________________________________________
*By size and date...



»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


BHO search...




»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Checking for AppInit_DLLs (empty) value...
________________________________
!"AppInit_DLLs"=""!

Value Matches
________________________________

»»Comparing *saved* key with *original*...

REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

No differences found.

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Performing string scan....

---------- WIN.TXT
fùAppInit_DLLsÖ�æG
--------------
--------------
--------------
--------------
No strings found.

--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

..........
*Debug...
--------------
--------------
Ntdll.DLL at 77F50000
Kernel32.DLL at 77E60000
..........
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : ""
0000 00 00 | ..
-----------------------

»»»»»»Backups list...»»»»»»
20:08:01 up 0 days, 7:43:53
-----------------------


*Temp backups...

________________________________________________________________________________
***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
MINIMAL REQUIREMENTS INCLUDE:
_________XP HOME/PRO; SP1; IE6/SP1
_________2K/SP4; IE6/SP1
________________________________________________________________________________
»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
-----END------


Good news, you still have a CWS infection, but it is not the 'difficult' one. Go ahead and delete the FindnFix folder since we do not need it anymore.

First:
I recommend that you uninstall P2P Networking through Add/Remove Programs.

If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.


Second:
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {4A8F48DD-E880-4AB1-A2AB-3E02832F03D9} - C:\WINNT\System32\mfplay.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\winnt\sr.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [izflyk] C:\WINNT\System32\yckefgvh.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - Global Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...abbfe763eea522b
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

O18 - Filter: text/html - {4F343794-942B-4CDF-A041-1EDAE0083357} - C:\WINNT\System32\mfplay.dll
O18 - Filter: text/plain - {4F343794-942B-4CDF-A041-1EDAE0083357} - C:\WINNT\System32\mfplay.dll

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINNT\System32\yckefgvh.exe
C:\Program Files\WindowsSA\ <-- delete folder
C:\Program Files\Web_Rebates\ <-- delete folder
C:\WINNT\System32\mfplay.dll

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Then run HiJackThis again and post a new log in this thread.
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)


*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html

Then run HiJackThis again and post a new log in this thread.