Full Version: Software automatically installs itself again
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
tommabry
Some software programs such as Evidence Eraser, Spyware Avenger, Virus Hunter Security and others automatically install themselves on my PC after I remove them with Ad-Aware and Spybot. I have lost control of my machine. I have tried to install virus protection, but the PC will not let me. Below is my HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 3:53:38 PM, on 2/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\soft.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\hphmon05.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\nthv32.exe
C:\WINNT\sdkks.exe
C:\WINNT\isrvs\desktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\Guicku.exe
C:\WINNT\system32\danint35.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\msnavc32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\winnt\system32\saie.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINNT\system32\wincjdk32.exe
C:\WINNT\system32\bolialui.exe
C:\WINNT\system32\sysmonnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\43dupf1q\43dupf1q.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\prutqct.exe
C:\WINNT\system32\tibs5.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\winnt\system32\kzzyntg.exe
c:\winnt\system32\packager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\metro.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\kytkd.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe
O2 - BHO: (no name) - {23084635-3EC2-B4F8-38A4-30AE7AA197C1} - C:\WINNT\system32\apioi.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
O2 - BHO: (no name) - {D544FBEE-0A03-0AE8-F1E9-1F3BC0B4FA42} - C:\WINNT\netsm32.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sdkks.exe] C:\WINNT\sdkks.exe
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kzzyntg] c:\winnt\system32\kzzyntg.exe
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\eliteewc32.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Vqtsfa.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Guicku.exe
O4 - HKLM\..\Run: [s7rW3FO] danint35.exe
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe 0 10001
O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [43dupf1q] C:\Program Files\43dupf1q\43dupf1q.exe
O4 - HKLM\..\Run: [fkighc] C:\WINNT\system32\fkighc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [nsmsdc] C:\WINNT\system32\nsmsdc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [saie] c:\winnt\system32\saie.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll,DllRegisterServer
O4 - HKLM\..\Run: [ctyr] c:\winnt\ctyr.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.tmp.exe 0 10001
O4 - HKLM\..\RunOnce: [nthv32.exe] C:\WINNT\system32\nthv32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [dw06RPi5U] bolialui.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fu**ed.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/15yf09fg.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINNT\system32\javanb.exe (file missing)
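As an added triage aid (not part of tommabry's post, and not a HijackThis or forum tool), the Python below parses HijackThis-style entry lines and flags the categories of entry that the helpers in this thread later ask to fix: search pages served from a local DLL via res://, a ProxyOverride of 127.0.0.1, autoruns launched from a Temp folder or re-registering a DLL through Rundll32, repeated unknown Winsock LSP files, Trusted Zone changes, DPF downloads, MIME filters and services whose file is missing. The sample lines are copied from the log above (one benign O4 entry is kept as a control, and the garbled service name is replaced with "xx"); the rule names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above.
# Entries are copied from that log; the O4 AtiPTA line is a benign control.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe 0 10001
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll,DllRegisterServer
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: Remote Procedure Call (RPC) Helper (xx) - Unknown owner - C:\WINNT\system32\javanb.exe (file missing)
"""

# Every HijackThis entry line starts with a section tag (R0, R1, F3, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# O4 registry autoruns look like "HKLM\..\Run: [name] command line".
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(text):
    """Yield (kind, body) for each entry line; header and process list are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(text):
    """Return a list of (rule, entry) findings; the rule names are this example's own."""
    findings = []
    lsp = Counter()  # unknown LSP DLLs are usually listed once per protocol chain entry
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1"):
            if "= res://" in body:  # search page replaced by a resource inside a local DLL
                findings.append(("search-hijack", body))
            elif "ProxyOverride" in body:
                findings.append(("proxy-override", body))
        elif kind == "O4":
            m = O4_RE.match(body)
            cmd = m.group("cmd") if m else body
            if re.search(r"\\temp\\", cmd, re.IGNORECASE):  # autorun living in a Temp folder
                findings.append(("autorun-from-temp", body))
            elif re.search(r"rundll32.*DllRegisterServer", cmd, re.IGNORECASE):
                findings.append(("autorun-reregisters-dll", body))  # re-registers a BHO every logon
        elif kind == "O10":
            lsp[body.split(":", 1)[1].strip().lower()] += 1
        elif kind == "O15":
            findings.append(("trusted-zone-change", body))
        elif kind == "O16":
            findings.append(("dpf-download", body))
        elif kind == "O18":
            findings.append(("mime-filter", body))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(("service-file-missing", body))
    for dll, n in lsp.items():
        findings.append(("unknown-lsp", f"{dll} (listed {n} times)"))
    return findings


def summarize(text):
    """Count findings per rule, for a quick read of how far the hijack goes."""
    return dict(Counter(rule for rule, _ in triage(text)))


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:24s} {entry}")
    print(summarize(SAMPLE_LOG))
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the summary gives the same picture the helper drew from the log above (search hijack plus Trusted Zone and LSP tampering), and each finding carries the original line so it can be matched against the fix list.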
LoPhatPhuud
Step 1
Bube.d aka Win32.Beavis is a new infection. The only program I have found so far that removes it properly is KAV Personal 5.0 (you can get a free 30-day trial, fully functional, that will remove it for you). We have found that a number of AVs detect and claim to cure it, but instead they quarantine and/or delete the infected explorer.exe, leaving you with no desktop.

This infection can download over 100 different malwares, but some typical entries you might see in a log look like this (and after cleaning offline, they come right back as soon as you connect to the internet):

QUOTE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »searchmiracle.com/sp.php
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\boln.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {2B5E7117-24E7-5914-3794-A3D089E4A773} - (no file)
O2 - BHO: (no name) - {57798B92-1E52-BB11-3BF1-51F50C193253} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [12C.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [12C.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12C.tmp.exe 0 10001
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Mthnzl.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Yfkadl.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [15E.tmp] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [15E.tmp.exe] C:\WINNT\TEMP\15E.tmp.exe 3 10001
O4 - HKLM\..\Run: [4.tmp] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\WINNT\TEMP\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [rE4W37i] jdbtil.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvayb32.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\wnim.dll



Here is the article about the malware you have
http://www.viruslist.com/en/weblog

QUOTE
The file infecting AdWare saga continues
Roel February 10, 2005 | 15:28 MSK

We are currently seeing an increase in cases which involve file infecting AdWare.

These new viruses are more sophisticated than the one we previously reported and append malicious code to Windows' explorer.exe. The viruses belong to the Virus.Win32.Bube family.

For example, Virus.Win32.Bube.d downloads AdWare and Trojans, including: AdWare.ISearch.d, Trojan-Clicker.Win32.Agent.bn, Trojan.Win32.LowZones.ai and PornWare.Dialer.Salc.

Disinfection in this case is tricky, as explorer.exe is an important Windows process. Additionally, the malware tries to prevent removal by disabling system restore, infecting the explorer.exe residing in %sysdir%\dllcache and lowering overall system security.

Things can get extra complicated as an AV can block access to the infected explorer.exe.


Go here to download the free KAV Personal 5.0 Trial (good for 30 days)
http://www.kaspersky.com/index.html

Click on *downloads* on the left menu

Then scroll down and click on *trial versions*

Then choose *Kaspersky Anti-Virus Personal 5.0*

You will then have a list of the trial downloads to choose from (choose a location closest to you)

Choose *save* and it should create and save to a KAV folder on your hard drive

Navigate to the KAV folder and double-click on kav5.0trial_personalen.exe to install it.

You will see this screen showing the default folder it will install into. Click on *next*



If KAV detects another AV running on your PC it will advise you to uninstall it.
You can do that or you can disable the existing AV program and then press *yes* to continue.
The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options.
Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot).
The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job.



In my case, I just disabled the resident protection on EZ AV and that worked just fine without uninstalling it.

Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue.

You will then be presented with the License Agreement. Read that and when done you can agree to continue.

Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue

You will be presented with some important KAV notes. I copied these and saved in Wordpad to refer back to if needed.

Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so we can do a custom install.



Press *next* to continue after you have read those and unchecked the box for recommended settings.

On the next screen, please uncheck the box for *use real-time protection against network attacks*
This has been known to cause problems on PCs running certain firewalls; you can try enabling it later, after the initial install and scan.



You may leave the *iStreams technology* box checked if you like (I did) but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue

Now you will get the *finish* screen

KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed.



Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then Check for Updates, and you will get another smaller update which will install.



Now click on *Settings* and choose *Configure On-demand scan settings* and select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.


Close KAV and any open programs you have running.


It is recommended you run the scan in SAFE MODE.

* Boot into safe mode.
How to start the computer in Safe mode (here are instructions if you need them)
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Once you have booted into safe mode (XP can still allow an internet connection in safe mode):

Physically disconnect from the Internet.

* Open KAV but do not start the scan yet

* now and this is very important :

* Press Ctrl + ALT+DEL and bring up task manager, go to processes tab and right click on explorer.exe and then select stop process

Now your desktop will go blank and you will have no taskbar or menu etc. You will still have Task Manager and KAV open on the desktop, so do not close them.

* Now start a full system scan. Click on the Protection tab and choose *Scan My Computer*
* It will take some time, probably 2 or 3 hours, and will delete any infected files it finds
* KAV will disinfect all files detected as Virus.Win32.Bube and much of the related malware it has downloaded.
* When it has finished, in Task Manager press File/New Task and type explorer to regain the desktop etc.
* Close KAV & Task Manager
* Reboot back into normal mode.

Additional cleanup may be needed. Please be sure to post in the forum if you have any questions.

IMPORTANT NOTE! This virus changes security settings in your Trusted Zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.
................................
If you are asked to post a KAV log from your scan. Here's how:

Click on *View Reports*



When you go to View Reports, you will see a list. Right-click on the report *Full Scan* and a menu opens: choose *export detailed report to file*, which allows you to save it. It defaults to a .csv (Excel) file, but I found I could save as .txt (text) as well. Give it a name and click *save* to save the log.



Then you can attach your report to a reply for review.
.................................
If you have lost explorer.exe
If you have lost Explorer.exe from attempted cleaning with another AV, then ask for help on the forums, as each version of Windows needs slightly different treatment.


Step 2
First:
If running, kill the following processes in Task Manager:
desktop.exe
edmond.exe
ffisearch.exe

Second:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

CODE
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]



Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Execute the following commands:
Start -> Run -> regsvr32 /u C:\Windows\isrvs\mfiltis.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\msdbhk.dll
Start -> Run -> regsvr32 /u C:\Windows\isrvs\sysupd.dll

Fourth:
Reboot your computer into Safe Mode* (stay in Safe Mode* until directed otherwise)

Delete the following files/folders (if present) in C:\Windows\ or C:\Windows\System32\
delprot.ini
delprot.log
desktop.exe
isrvs (delete the entire folder)

Fifth:
Delete the following file:
C:\windows\system32\drivers\delprot.sys

Sixth:
Delete the following files/folder (if present) in C:\Documents and Settings\\Desktop\
anal exploits.url
big dick school for 2.95.url
evidence eraser.lnk
popup blocker stops popups.lnk
spyware avenger.lnk
virus hunter security.lnk
your platinum visa.lnk

Seventh:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)


Close all windows except HijackThis and click Fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINNT\kytkd.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINNT\kytkd.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINNT\system32\soft.exe

O2 - BHO: (no name) - {23084635-3EC2-B4F8-38A4-30AE7AA197C1} - C:\WINNT\system32\apioi.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
O2 - BHO: (no name) - {D544FBEE-0A03-0AE8-F1E9-1F3BC0B4FA42} - C:\WINNT\netsm32.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll

O4 - HKLM\..\Run: [sdkks.exe] C:\WINNT\sdkks.exe
O4 - HKLM\..\Run: [tibs5] C:\WINNT\system32\tibs5.exe
O4 - HKLM\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kzzyntg] c:\winnt\system32\kzzyntg.exe
O4 - HKLM\..\Run: [antiware] c:\winnt\system32\eliteewc32.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\Vqtsfa.exe
O4 - HKLM\..\Run: [secure] C:\WINNT\system32\Guicku.exe
O4 - HKLM\..\Run: [s7rW3FO] danint35.exe
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe 0 10001
O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [ntechin] C:\WINNT\system32\n20050308.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [43dupf1q] C:\Program Files\43dupf1q\43dupf1q.exe
O4 - HKLM\..\Run: [fkighc] C:\WINNT\system32\fkighc.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe
O4 - HKLM\..\Run: [nsmsdc] C:\WINNT\system32\nsmsdc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [saie] c:\winnt\system32\saie.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll,DllRegisterServer
O4 - HKLM\..\Run: [ctyr] c:\winnt\ctyr.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7.tmp.exe 0 10001
O4 - HKLM\..\RunOnce: [nthv32.exe] C:\WINNT\system32\nthv32.exe
O4 - HKCU\..\Run: [Web Service] C:\WINNT\system32\sm.exe
O4 - HKCU\..\Run: [dw06RPi5U] bolialui.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\system32\sysmonnt
O4 - HKCU\..\Run: [prutqct] C:\WINNT\system32\prutqct.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/15yf09fg.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0010.exe

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll

O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINNT\system32\javanb.exe (file missing)

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINNT\system32\nthv32.exe
C:\WINNT\sdkks.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\winupdt.exe
C:\winnt\system32\msnavc32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\winnt\system32\saie.exe
C:\WINNT\system32\bolialui.exe
C:\WINNT\system32\sysmonnt.exe
C:\WINNT\system32\prutqct.exe
C:\Program Files\43dupf1q\43dupf1q.exe
C:\WINNT\system32\tibs5.exe
c:\winnt\system32\kzzyntg.exe
c:\winnt\system32\packager.exe
C:\WINNT\metro.exe
C:\WINNT\kytkd.dll
C:\WINNT\system32\soft.exe



*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode


Eighth:
Download DelDomains.inf from here:

www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

When it's finished your IE Zones will be reset. That will make it necessary to re-install protection using SpywareBlaster and to re-install IE/Spyads, if you use them.


Last:
Run HiJackThis again and post a new log in this thread.
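The fixme.reg file in Step 2 relies on one REGEDIT4 convention: a key written as [-KEY] is deleted when the file is merged, while [KEY] creates it, and a value line of the form "name"=- deletes a value. As an added check (this is example code, not LoPhatPhuud's or the forum's), the Python below parses a .reg file into the operations a merge would perform, so that a file received from a forum post can be confirmed to only delete the keys it names before it is double-clicked. FIXME_REG is the text from the step above; MIXED_REG is a constructed contrast with made-up value names that also creates a key and sets a value.

```python
import re

# The fixme.reg from Step 2 above, verbatim.
FIXME_REG = r"""REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\CLSID\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\desktop search]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\delprot]
"""

# Constructed contrast (value names made up): deletes one key, then creates a key,
# sets a value and deletes a value under it. Not something to merge blindly.
MIXED_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffis]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\example\\updater.exe"
"Desktop Search"=-
"""

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Return the list of operations merging this .reg file would perform.

    Operations: ("delete_key", key), ("ensure_key", key),
    ("set_value", key, name, data), ("delete_value", key, name).
    Multi-line hex values (continuation lines) are rejected rather than guessed.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            ops.append(("delete_key", current) if km.group("delete") else ("ensure_key", current))
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group("default") else vm.group("name")
            data = vm.group("data")
            ops.append(("delete_value", current, name) if data == "-"
                       else ("set_value", current, name, data))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return ops


def removal_only(text):
    """True when merging can only delete keys or values, never create or change them."""
    return all(op[0] in ("delete_key", "delete_value") for op in parse_reg(text))


def deleted_keys(text):
    """The registry keys a merge would remove, in file order."""
    return [op[1] for op in parse_reg(text) if op[0] == "delete_key"]


if __name__ == "__main__":
    print("fixme.reg removal-only:", removal_only(FIXME_REG))
    for key in deleted_keys(FIXME_REG):
        print("  deletes", key)
    print("mixed sample removal-only:", removal_only(MIXED_REG))
```

For fixme.reg the check reports twelve key deletions and nothing else, which is what the step intends; the constructed sample fails the check because it would also create a Run key and set a value there, which is exactly the kind of change a log reader would want to notice before merging.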
tommabry
Last night I was able to install the Kaspersky software and it downloaded the first set of updates, but then a box popped up and said the pc would shut down after like 55 seconds and it started counting down. Today when I booted back up the desktop was gone and my pc could not get to the web so I could not do the *extended database* step.

I scanned the machine in safe mode and it removed a bunch of files and quarantined some others. When I type explorer into the new task screen, it tells me it can't find explorer or one of its components.

I am not sure what my next step should be. Do I need to try to get to the internet in order to perform the *extended database* step, and if so how do I do that? Or should I do something about the missing explorer, and if so what do I do?
Thanks again for your help!
LoPhatPhuud
Where we go depends on what recovery facility you have. We need to get a clean copy of explorer.exe for SP1. If you have a Windows XP CD and it is SP1, you can copy from there.

Let me know what your facilities are.

Note: That on a temporary basis you can use iexplore.exe in lieu of explorer.exe. For local files you will have to supply the path in the address bar and I believe the format is "File:///C:/<path to file>", without the quotes.
LoPhatPhuud
Taking another look at your log versus the current situation, my recommendation is that you save all pertinent data, then reformat and re-install Windows.

Besides Bube.d you also have Admincash, which has made several modifications to your system. See this for more info on it: http://securityresponse.symantec.com/avcen....admincash.html

It is going to be a rough road, at best, just to get a clean explorer.exe installed. Then we are faced with cleaning the remainder. Regardless of your choice, you are going to need an anti-virus that provides real-time protection. KAV is not free, but is one of the best. For free AVs I recommend AVG.

Let me know how you want to go.
Invision Power Board © 2001-2009 Invision Power Services, Inc.