Full Version: MKC001
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
iwan_griffiths
I am getting my normal home page (Google) reset to about:blank and something called mkc001 keeps appearing in my favourites page. Occasionally, it will attempt to load up mkc001 and the operation of my web browser is intermittent; sometimes it just comes up with an error message and exits the web browser. I will try to attach a log from HijackThis. By the way, I have run Norton AntiVirus, Ad-Aware SE and Spybot today. I also use the Yahoo toolbar for doing scans, but none of these have succeeded in stopping mkc001 and about:blank. :mad:
Can you help me?
Iwan Griffiths


Logfile of HijackThis v1.99.0
Scan saved at 13:44:52, on 06/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\APILY32.EXE
C:\WINDOWS\SYSTEM\IPED.EXE
C:\WINDOWS\IPPB.EXE
C:\WINDOWS\SYSTEM\IPMH32.EXE
C:\WINDOWS\APPXA.EXE
C:\WINDOWS\SDKJZ.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\SYSTEM\JAVAJS.EXE
C:\WINDOWS\NETOL32.EXE
C:\WINDOWS\SYSTEM\IEQO32.EXE
C:\WINDOWS\NTLR32.EXE
C:\WINDOWS\SYSTEM\D3DC32.EXE
C:\WINDOWS\APIRF32.EXE
C:\WINDOWS\APIOP32.EXE
C:\WINDOWS\SYSTEM\ATLXQ.EXE
C:\WINDOWS\ATLKJ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\AAFCMR.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
C:\WINDOWS\SYSTEM\IETW32.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVSUIT.EXE
C:\WINDOWS\TEMP\C1B1.TMP.EXE
C:\WINDOWS\NETOL32.EXE
C:\WINDOWS\SYSTEM\IPMH32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\SYSTEM\MFCMI32.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\MFCFO32.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\ATLNW.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\D3DK32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\MSVU.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\SYSTEM\MFCLS.EXE
C:\WINDOWS\APPXA.EXE
C:\WINDOWS\APPXA.EXE
C:\WINDOWS\APPXA.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {A8BD9C38-D1DD-A874-F18E-BE3BA429FC7D} - C:\WINDOWS\MFCXI32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ifBVGed] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\Run: [IETW32.EXE] C:\WINDOWS\SYSTEM\IETW32.EXE
O4 - HKLM\..\Run: [C1B1.TMP] C:\WINDOWS\TEMP\C1B1.TMP.exe 1 28129
O4 - HKLM\..\Run: [epl2] C:\WINDOWS\SYSTEM\epl2.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [C1B1.TMP.EXE] C:\WINDOWS\TEMP\C1B1.TMP.EXE 3 28129
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] c:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [IPMH32.EXE] C:\WINDOWS\SYSTEM\IPMH32.EXE
O4 - HKLM\..\RunServices: [IPPB.EXE] C:\WINDOWS\IPPB.EXE
O4 - HKLM\..\RunServices: [SDKJZ.EXE] C:\WINDOWS\SDKJZ.EXE
O4 - HKLM\..\RunServices: [ATLNW.EXE] C:\WINDOWS\ATLNW.EXE
O4 - HKLM\..\RunServices: [IPED.EXE] C:\WINDOWS\SYSTEM\IPED.EXE
O4 - HKLM\..\RunServices: [APILY32.EXE] C:\WINDOWS\SYSTEM\APILY32.EXE
O4 - HKLM\..\RunServices: [JAVAJS.EXE] C:\WINDOWS\SYSTEM\JAVAJS.EXE
O4 - HKLM\..\RunServices: [APPXA.EXE] C:\WINDOWS\APPXA.EXE
O4 - HKLM\..\RunServices: [IEQO32.EXE] C:\WINDOWS\SYSTEM\IEQO32.EXE
O4 - HKLM\..\RunServices: [NETOL32.EXE] C:\WINDOWS\NETOL32.EXE
O4 - HKLM\..\RunServices: [NTLR32.EXE] C:\WINDOWS\NTLR32.EXE
O4 - HKLM\..\RunServices: [D3DC32.EXE] C:\WINDOWS\SYSTEM\D3DC32.EXE
O4 - HKLM\..\RunServices: [APIOP32.EXE] C:\WINDOWS\APIOP32.EXE
O4 - HKLM\..\RunServices: [APIRF32.EXE] C:\WINDOWS\APIRF32.EXE
O4 - HKLM\..\RunServices: [ATLXQ.EXE] C:\WINDOWS\SYSTEM\ATLXQ.EXE
O4 - HKLM\..\RunServices: [ATLKJ32.EXE] C:\WINDOWS\ATLKJ32.EXE
O4 - HKLM\..\RunServices: [MFCMI32.EXE] C:\WINDOWS\SYSTEM\MFCMI32.EXE
O4 - HKLM\..\RunServices: [MFCFO32.EXE] C:\WINDOWS\MFCFO32.EXE
O4 - HKLM\..\RunServices: [D3DK32.EXE] C:\WINDOWS\D3DK32.EXE
O4 - HKLM\..\RunServices: [MSVU.EXE] C:\WINDOWS\MSVU.EXE
O4 - HKLM\..\RunServices: [MFCLS.EXE] C:\WINDOWS\SYSTEM\MFCLS.EXE
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "cws" "2"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .uk/schools/public: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc10-gb/gbc10/games4.cab
O16 - DPF: {2B22E8F3-08C5-1EE4-751E-109D47BB0C19} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
LoPhatPhuud
First:
Please take the following steps:

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, before we start, to be safe backup your registry.
Start --> Run --> scanregw
If you get a dialog asking if you want to backup the registry, press 'OK'
Press 'OK' when the backup is finished

IMPORTANT Be sure all browser and explorer windows are closed.

Using the Task Manager, end the task on the following processes (if any are present):
Network Security Service
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service


Reboot into Safe Mode*

Run HijackThis and place a check mark next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: Class - {A8BD9C38-D1DD-A874-F18E-BE3BA429FC7D} - C:\WINDOWS\MFCXI32.DLL

O4 - HKLM\..\Run: [ifBVGed] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [¢‰¸ï0 4Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\Run: [IETW32.EXE] C:\WINDOWS\SYSTEM\IETW32.EXE
O4 - HKLM\..\Run: [C1B1.TMP] C:\WINDOWS\TEMP\C1B1.TMP.exe 1 28129
O4 - HKLM\..\Run: [epl2] C:\WINDOWS\SYSTEM\epl2.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [C1B1.TMP.EXE] C:\WINDOWS\TEMP\C1B1.TMP.EXE 3 28129
O4 - HKLM\..\RunServices: [IPMH32.EXE] C:\WINDOWS\SYSTEM\IPMH32.EXE
O4 - HKLM\..\RunServices: [IPPB.EXE] C:\WINDOWS\IPPB.EXE
O4 - HKLM\..\RunServices: [SDKJZ.EXE] C:\WINDOWS\SDKJZ.EXE
O4 - HKLM\..\RunServices: [ATLNW.EXE] C:\WINDOWS\ATLNW.EXE
O4 - HKLM\..\RunServices: [IPED.EXE] C:\WINDOWS\SYSTEM\IPED.EXE
O4 - HKLM\..\RunServices: [APILY32.EXE] C:\WINDOWS\SYSTEM\APILY32.EXE
O4 - HKLM\..\RunServices: [JAVAJS.EXE] C:\WINDOWS\SYSTEM\JAVAJS.EXE
O4 - HKLM\..\RunServices: [APPXA.EXE] C:\WINDOWS\APPXA.EXE
O4 - HKLM\..\RunServices: [IEQO32.EXE] C:\WINDOWS\SYSTEM\IEQO32.EXE
O4 - HKLM\..\RunServices: [NETOL32.EXE] C:\WINDOWS\NETOL32.EXE
O4 - HKLM\..\RunServices: [NTLR32.EXE] C:\WINDOWS\NTLR32.EXE
O4 - HKLM\..\RunServices: [D3DC32.EXE] C:\WINDOWS\SYSTEM\D3DC32.EXE
O4 - HKLM\..\RunServices: [APIOP32.EXE] C:\WINDOWS\APIOP32.EXE
O4 - HKLM\..\RunServices: [APIRF32.EXE] C:\WINDOWS\APIRF32.EXE
O4 - HKLM\..\RunServices: [ATLXQ.EXE] C:\WINDOWS\SYSTEM\ATLXQ.EXE
O4 - HKLM\..\RunServices: [ATLKJ32.EXE] C:\WINDOWS\ATLKJ32.EXE
O4 - HKLM\..\RunServices: [MFCMI32.EXE] C:\WINDOWS\SYSTEM\MFCMI32.EXE
O4 - HKLM\..\RunServices: [MFCFO32.EXE] C:\WINDOWS\MFCFO32.EXE
O4 - HKLM\..\RunServices: [D3DK32.EXE] C:\WINDOWS\D3DK32.EXE
O4 - HKLM\..\RunServices: [MSVU.EXE] C:\WINDOWS\MSVU.EXE
O4 - HKLM\..\RunServices: [MFCLS.EXE] C:\WINDOWS\SYSTEM\MFCLS.EXE

O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/gamc10-gb/gbc10/games4.cab
O16 - DPF: {2B22E8F3-08C5-1EE4-751E-109D47BB0C19} - http://66.117.37.5/1/rdgGB298.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab

Press 'Fix Checked'.

Exit HiJackThis.

Delete the following files:
C:\AAFCMR.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
C:\WINDOWS\SYSTEM\IETW32.EXE
C:\WINDOWS\TEMP\C1B1.TMP.exe 1 28129
C:\WINDOWS\SYSTEM\epl2.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\TEMP\C1B1.TMP.EXE 3 28129
C:\WINDOWS\SYSTEM\IPMH32.EXE
C:\WINDOWS\IPPB.EXE
C:\WINDOWS\SDKJZ.EXE
C:\WINDOWS\ATLNW.EXE
C:\WINDOWS\SYSTEM\IPED.EXE
C:\WINDOWS\SYSTEM\APILY32.EXE
C:\WINDOWS\SYSTEM\JAVAJS.EXE
C:\WINDOWS\APPXA.EXE
C:\WINDOWS\SYSTEM\IEQO32.EXE
C:\WINDOWS\NETOL32.EXE
C:\WINDOWS\NTLR32.EXE
C:\WINDOWS\SYSTEM\D3DC32.EXE
C:\WINDOWS\APIOP32.EXE
C:\WINDOWS\APIRF32.EXE
C:\WINDOWS\SYSTEM\ATLXQ.EXE
C:\WINDOWS\ATLKJ32.EXE
C:\WINDOWS\SYSTEM\MFCMI32.EXE
C:\WINDOWS\MFCFO32.EXE
C:\WINDOWS\D3DK32.EXE
C:\WINDOWS\MSVU.EXE
C:\WINDOWS\SYSTEM\MFCLS.EXE

While still in Safe Mode*, to finish the cleanup process please run through the rest of these steps:

Go to Start --> Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Exit regedit, boot in Normal Mode.

To remove the remainder of the files this exploit deposits, run this Online AntiVirus scan, removing all it finds:

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com


=== Check ActiveX Settings ===
Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press 'Custom Level'.
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.


=== Replace Deleted Files ===
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.

* How to Boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406


Second:
Download the attached file (deldomains.zip) and unzip to your desktop,

Right-click on the deldomains.inf file and select 'Install'

When it's finished your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Third:
Run HiJackThis and post a new log in this thread.
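The triage the helper did by hand above (spotting the res:// search hijack, the Run/RunServices droppers, the Trusted Zone additions and the O16 downloads) can be scripted against the log text. The block below is an added example written for this thread; it is not HijackThis code and not the helper's own method. It assumes the Windows 98 folder layout seen in the log (C:\WINDOWS and C:\WINDOWS\SYSTEM) and uses a hand-picked subset of the posted log as its sample, with the benign Symantec and MSN entries kept in for contrast. The heuristic names (SYSTEM_FOLDERS, the "value name equals file name" rule, the numeric-tag correlation) are this example's own, not a HijackThis convention.

```python
r"""Triage a HijackThis 1.9x log for CoolWebSearch-style indicators.
Added example for this thread: not HijackThis code and not the helper's own method.
Folder names assume the Windows 98 layout of the log above (C:\WINDOWS, C:\WINDOWS\SYSTEM).
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", ["severity", "reason", "line"])
SYSTEM_FOLDERS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}  # assumption: Win9x paths, not WINNT/system32
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<desc>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>.*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
RES_RE = re.compile(r"res://[^/\s]+\.dll/[^#\s]*#(\d+)", re.I)  # res://x.dll/sp.html#28129
EXE_RE = re.compile(r'\s*"?(?P<exe>[^"]+?\.exe)"?(?:\s+(?P<args>.*))?$', re.I)

# Constructed sample: entries copied from the log posted above, plus two benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bffoc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {A8BD9C38-D1DD-A874-F18E-BE3BA429FC7D} - C:\WINDOWS\MFCXI32.DLL
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ifBVGed] C:\AAFCMR.EXE
O4 - HKLM\..\Run: [C1B1.TMP] C:\WINDOWS\TEMP\C1B1.TMP.exe 1 28129
O4 - HKLM\..\RunServices: [ATLNW.EXE] C:\WINDOWS\ATLNW.EXE
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
"""

def _split(path):
    # Upper-cased (folder, file name) of a Windows path.
    folder, _, name = path.replace("/", "\\").upper().rpartition("\\")
    return folder, name

def _o4_reasons(name, cmd, tags):
    m = EXE_RE.match(cmd)
    if not m:
        return []
    folder, fname = _split(m.group("exe"))
    args = (m.group("args") or "").split()
    checks = [
        (folder.endswith("\\TEMP"), "autorun executable lives in the TEMP folder"),
        (folder == "C:", "autorun executable dropped in the root of C:"),
        (folder in SYSTEM_FOLDERS and name.upper() == fname,
         "value name is just the file name of an executable in a Windows folder"),
        (any(t in args for t in tags), "command line carries the res:// hijack's numeric tag"),
    ]
    return [reason for hit, reason in checks if hit]

def _check(section, body, tags):
    """Yield (severity, reason) for one entry; yielding nothing means it looks normal."""
    if section in ("R0", "R1"):
        if RES_RE.search(body):
            yield "high", "search/start page is an HTML resource inside a DLL (res://), the CWS hallmark"
        elif body.lower().endswith("= about:blank"):
            yield "review", "start/default page reset to about:blank"
    elif section == "O2" and (m := O2_RE.match(body)):
        if m.group("desc").strip() in ("Class", "(no name)"):
            yield "high", "BHO registered without a meaningful class name"
        if _split(m.group("path"))[0] in SYSTEM_FOLDERS:
            yield "high", "BHO DLL dropped directly into a Windows folder"
    elif section == "O4" and (m := O4_RE.match(body)):
        for reason in _o4_reasons(m.group("name"), m.group("cmd"), tags):
            yield "high", reason
    elif section == "O15":
        yield "high", "site or IP placed in the IE Trusted zone, relaxing ActiveX and script limits"
    elif section == "O16" and (m := O16_RE.match(body)):
        host = urlparse(m.group("url")).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            yield "high", "ActiveX control fetched from a bare IP address"
        if m.group("url").lower().endswith(".exe"):
            yield "high", "ActiveX 'control' is a raw .exe rather than a .cab"
        if m.group("desc") is None:
            yield "review", "downloaded control has no class name"
        if m.group("clsid").startswith("00000000-0000-0000-0000-"):
            yield "high", "CLSID is an obviously fabricated all-zero prefix"

def triage(log_text):
    """Return a Finding per suspicious observation, in log order."""
    tags = set(RES_RE.findall(log_text))  # e.g. {"28129"}: the same number shows up as a dropper argument
    findings = []
    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if m := ENTRY_RE.match(line):
            findings += [Finding(s, r, line) for s, r in _check(m.group(1), m.group(2), tags)]
    return findings

def files_to_delete(findings):
    """Executables behind flagged O4 entries, path only: arguments such as '1 28129' are not part of the file name."""
    o4 = (ENTRY_RE.match(f.line) for f in findings)
    cmds = (O4_RE.match(m.group(2)).group("cmd") for m in o4 if m.group(1) == "O4")
    return list(dict.fromkeys(EXE_RE.match(c).group("exe") for c in cmds))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print("\nDelete after fixing:", *files_to_delete(found), sep="\n  ")
```

Two points worth noting when using this on a real log. First, the numeric tag after `#` in the res:// URL (28129 here) recurs as a command-line argument of the TEMP dropper, which ties the O4 entry to the hijack; `files_to_delete` strips those arguments so the delete list contains the bare path (C:\WINDOWS\TEMP\C1B1.TMP.exe) rather than the whole Run value. Second, these are heuristics: a "value name equals file name" hit is a reason to look, not proof, and some legitimate installers register themselves that way, so check each flagged line before ticking it in HijackThis.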