OK Ive been trying to do this myself and thought I had removed the "issues" myself by deleting them from the regedit<<<<run, win 32 and task manager ect... but it seems that they just wont stay gone. Im sure this has something to do with the fact that I have no idea what I am doing but I think I am learning alot anyway. lol. First it seems that I was attacked and hijacked the instant I clicked Internet explorer while hooking up my (brand new unprotected harddrive(another long story) to my new Verizon dsl(HMMM WHATS THAT ABOUT!!!!!!? :mad: ) service. I am not kidding I never went to a site, the instant I clicked IE I was notified that "your site bar" was being installed on my computer. I couldnt go anywhere but some fake search site. I had my old AVG, Adaware, hijack this ect but after this happened none of them would work. Also when I went to the sites to download them i was told " my security settings didnt allow these downloads" So essentially I couldnt get any protection either. Im not sure what hapened but my settings appeared ok, though I know that when your browser is hijacked they can do lots of weird things, am I right????? Anyway so I was forced out of exasperation to p2p avg and adaware and I attempted Nortons which I believe is where all of my(New) problems began. The new trojans (?) crashed the AVG and it was acting really weird finding a virus in every scan but in the wrong file so I trashed it. Meanwhile I went into my run section of my registry and deleted what seemed bad after google searching each object in there. After I did that I went back and tried the legit site downloads again for AVG, ANTIVIR, and Adaware and like magic they worked. But alas I go in today and look and everything I deleted is back again. Adaware finds nothing but MRUS AntiVir nothing, McAffey and AVG nothing. I also have ie.spyad

I have also been seeing C:\ii.exe;\YEA.REG Lowzones.A on my av scans and the programs werent helaing or removing it but now they dont see it and I am unsure
whether this was taken care of by the antivirus programs or not.

I just did a Hijackthis scan and checked alll of the:

lbtmfo,
wvsvc,
f0mered,
spoolnt,
cosine,
entries

I scanned again and guess what, they were all still there.....
although it is entirely possible I missed some.

Oh and I had missed the lbtmfo and left it in the reg on the first time I was deleting things and when I went back the next day to delete it after figuring out that it was bad it wasnt there??? Now it is. (or was I deleted all the above 5 things from the run in the reg. now)

Also I saw someone talking about cpu usage, should it not say 100% all the time, is that bad? Sorry if that is a dumb question like I said I really dont know what I am doing.

What exactly does Hijackthis do? I mean how does it work? (The short version in dummy terms ) Is your system really clear after you check fix?

And yes I know I need to move hijack this to a permanant folder I will do that now! :thumb:


Logfile of HijackThis v1.99.0
Scan saved at 1:43:25 AM, on 1/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
f:\PROGRA~1\mcafee.com\vso\mcshield.exe
F:\WINNT\system32\wuauclt.exe
F:\Program Files\AVPersonal\AVWIN.EXE
F:\Program Files\AVPersonal\AVSched32.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
F:\Documents and Settings\Cara\Desktop\old drive stuff\unzipped\hijackthis\HijackThis.exe
F:\Program Files\WinZip\WINZIP32.EXE
F:\PROGRA~1\WINZIP\wzqkpick.exe
F:\Documents and Settings\Cara\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - F:\WINNT\system32\srchbar.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Compliant] rbcnxc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ebjKf] F:\WINNT\lbtmfo.exe
O4 - HKLM\..\RunServices: [Windows Compliant] rbcnxc.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [Windows Compliant] rbcnxc.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee.com McShield - Unknown - f:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe



THANK YOU SO SO SO MUCH !!!

Hi hoohoo,

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus Panda Anti Virus Trojan Scan

And, here's the link to McAfee AVERT Stinger and instructions for use.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

Afterwards post a new log from HijackThis.

Ok done. I had to dl the 30 day trial for pc cillin instead of the housecall though, for some reason it never ran right.

None of the found anything.............





Logfile of HijackThis v1.98.2
Scan saved at 3:06:02 PM, on 1/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINNT\system32\cosine.exe
F:\WINNT\system32\wuauclt.exe
F:\Documents and Settings\Cara\Desktop\hijackthis\HijackThis.exe
F:\Documents and Settings\Cara\Desktop\hijackthis\HijackThis.exe
F:\Documents and Settings\Cara\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ebjKf] F:\WINNT\lbtmfo.exe
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

You're posting from an old version of HijackThis! Get rid of it, and only use 1.99 from now on. Furthermore the log you posted is incomplete! It ends on the O9-section while the previous one went all the way to the O23-sections...

Please post a full log.

Ok I hope I got this right this time, Im really sorry.



Logfile of HijackThis v1.99.0
Scan saved at 11:08:08 PM, on 1/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\WINNT\system32\cosine.exe
F:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\WINZIP\winzip32.exe
F:\Documents and Settings\Cara\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ebjKf] F:\WINNT\lbtmfo.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [dlmMgr] "F:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe

Hi hoohoo,

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\Run: [Admilli Service] F:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ebjKf] F:\WINNT\lbtmfo.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] trasccs.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

F:\WINNT\System32\trasccs.exe
F:\WINNT\System32\cosine.exe
F:\WINNT\System32\spoolnt.exe
F:\WINNT\System32\f0mered.exe
F:\WINNT\lbtmfo.exe

Delete the following folders in red (it could be that they are deleted already):

F:\Program Files\Admilli Service

Restart your computer and post a new log in this thread.

Please excuse my exceptional density but i cannot figure out how to move the hijckthis folder I made per your directions. Everything is just a shortcut when I drag and drop it and if i click sent to only options are floppy,my documents,desktop or mail recipient. My computer is going sooooooooooooooo freaking slow, I am getting so frustrated I dont know what to do.
I just bought a new hard drive and new memory and nothing works right...........

Thanks again. Here it is cosine seems to still be there. It was there when I restarted in safemode and deleted it.

Logfile of HijackThis v1.99.0
Scan saved at 11:55:17 PM, on 1/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\WINNT\Explorer.EXE
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
F:\Documents and Settings\Cara\Local Settings\Temp\HijackThis.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
F:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowBlinds] F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe

Hi hoohoo,

No worries... That's why we're here.
You can select HijackThis.exe where it is, select Cut from the Edit menu, navigate to the folder you made and select Paste from the Edit menu. That way the file HijackThis.exe will be moved to that folder.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKCU\..\Run: [cosine] cosine.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

c:\WinNT\System32\cosine.exe

Restart your computer and post a new log in this thread.

OK i HAVENT HAD A CHANCE TO MOVE THE FILE BUT HERE IS A QUICK LOG
i DONT TRUST THEM TO STAY GONE SO I WILL CHECK BACK TONIGHT AFTER i TRY TO MOVE THE FILE.

Logfile of HijackThis v1.99.0
Scan saved at 3:13:22 PM, on 1/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Documents and Settings\Cara\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowBlinds] F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe

Logfile of HijackThis v1.99.0
Scan saved at 12:19:08 AM, on 1/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\Program Files\AVPersonal\AVGUARD.EXE
F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
F:\Program Files\AVPersonal\AVWUPSRV.EXE
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\hidserv.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\system32\stisvc.exe
F:\WINNT\system32\ZoneLabs\vsmon.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.a...=4.0&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] F:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [ares] "F:\Documents and Settings\Cara\Desktop\old drive stuff\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WindowBlinds] F:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - F:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - F:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe

Yea! I made a permanent folder for HijackThis. I had no idea I was doing it wrong all this time. I think cosine is finally gone. I dont understand why it disapeared now but not all the other times I did the same steps? I have checked cosine on hijackthis at least 6 times before and deleted it from system32 as well. But I am just glad it is gone. :)
Thanks so much for your help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Let me know if I did it right and everything is ok.

Hi hoohoo,

You've done good! :thumb:

This log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....