Hi, I was here the other day with a browser hijack problem. I got it fixed and thanks to the help I received here got a lot of information that allowed me to update my security settings and software. However, it apparently wasn't enough because I have gotten a nasty trojan that has made my PC nearly impossible to use. Please help! I have run AVG and it will NOT remove this thing. I don't know what to do. Can you believe I've gone 6 years and only gotten a virus on this computer one other time? Now I've had two major problems in the same week. 2004 is shaping up to be a great year. NOT. Anyway Thanks In Advance, Kim Here's the HJ log: Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.exe C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\EXPLORER.exe C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\WINDOWS\SYSTEM\RNAAPP.exe C:\WINDOWS\SYSTEM\TAPISRV.exe C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.exe C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.exe C:\WINDOWS\SYSTEM\SAHAGENT.exe C:\WINDOWS\RUNDLL32.exe C:\WINDOWS\SYSTEM\IEFEATURES.exe C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.exe C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=23E1704A-DE58-4E68-BA31-EEDE55A7D377&version_id=18 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/ R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yg4s4hwn.slt\prefs.js) O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing) O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL (file missing) O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe" O4 - HKLM\..\Run: [ftxhgygn] C:\WINDOWS\SYSTEM\ftxhgygn.exe O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe O4 - HKLM\..\Run: [3DE96@63H83WH4] C:\WINDOWS\SYSTEM\GnsDk.exe O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe O4 - HKLM\..\Run: [VBPVZ] C:\WINDOWS\VBPVZ.exe O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe" O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe" "+b1" O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM) O9 - Extra 'Tools' menuitem: Turbo Download (HKLM) O10 - Broken Internet access because of LSP provider 'lsp.dll' missing O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL O14 - IERESET.INF: START_PAGE_URL= O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37773.6786111111 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f0f1423/netzip/RdxIE601.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

Hi Kim You have ( or or appear to have had) shopathome on your system, if still there remove using add/remove programs. Have Hijackthis fix the following by putting a tick in the box next to them and hitting the 'Fix Checked' button. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=23E1704A-DE58-4E68-BA31-EEDE55A7D377&version_id=18 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchwww.com/search.cgi?s=%s R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/ R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing) O2 - BHO: (no name) - {71EA4DB9-C913-429C-BD02-A7B86C0B2323} - C:\WINDOWS\SYSTEM\MSRESCR40.DLL (file missing) O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe O4 - HKLM\..\Run: [3DE96@63H83WH4] C:\WINDOWS\SYSTEM\GnsDk.exe O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1294afff4ba92f0f1423/netzip/RdxIE601.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab reboot into safe mode then find and delete the following files/folders. To make sure none of them elude you due to being hidden, make sure to show hidden/system files. How to show hidden/system files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html C:\WINDOWS\SYSTEM\ SAHAGENT.exe <---- file C:\PROGRAm Files INCREDIFIND <----folder C:\WINDOWS\ BELT.exe <---- file C:\Program Files\Common Files\ slmss <------ folder C:\WINDOWS\ mwsvm.exe <----file C:\Program Files\ Power Scan <------folder C:\WINDOWS\SYSTEM\IEDriver\ IEDriver.exe <------file C:\WINDOWS\SYSTEM\ GnsDk.exe <----file C:\Program Files\Common files\updater\ wupdater.exe <---- file C:\WINDOWS\SYSTEM\ INTERNETFEATURES.exe <---- file C:\WINDOWS\SYSTEM\ IEFEATURES.exe <---- file Find the following files, zip and email them to me, (click on my name at the top of this post) C:\WINDOWS\SYSTEM\ftxhgygn.exe C:\WINDOWS\VBPVZ.exe I'll get them checked and let you know what you should do with them. Visit http://forums.net-integration.net/index.php?showtopic=3051 to find out how to help prevent further problems. Reboot and post a fresh HJT log for us to check.

The solution: easy to use without any knowledge in computers: Trojan Remover 6.15 this program works alone, freeware for one month, two scans to perform on memory and detection of the worm hidden in the hard drive.