
hijacked browser/google search eng.


Name: gwoey
Date: December 2, 2003 at 15:47:16 Pacific
OS: xp professional
CPU/Ram: amd2000 1.67/512
Comment:

Hi - Hope someone can help. I have studied many posted forum logs and have become familiar with HT. I've run it many times and looked at the tutorial. After each fix and re-boot, bad lines still appear (O1 host redirect), and on subsequent runs of Google, 2 more lines per search more or less, until it eventually takes on a mind of its own and goes to all kinds of "questionable" sites. I know I've picked up something and would like to know what and how to get rid of it. Here is the HT log; I welcome your help!!!

thnx

Logfile of HijackThis v1.97.7
Scan saved at 6:31:28 PM, on 12/2/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\ScsiAccess.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\CTHELPER.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ULTIMA~1\LOCALS~1\Temp\Rar$EX00.813\HijackThis.exe

O1 - Hosts: 63.246.157.35 google # Porn Google
O1 - Hosts: 63.246.157.36 security.com #Microsoft Security System
O1 - Hosts: 63.246.157.35 google # Porn Google
O1 - Hosts: 63.246.157.36 security.com #Microsoft Security System
O1 - Hosts: 63.246.157.35 google # Porn Google
O1 - Hosts: 63.246.157.36 security.com #Microsoft Security System
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Launchpad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.8343865741


Response Number 1
Name: Abnormal
Date: December 2, 2003 at 16:09:19 Pacific
Reply:

Remove the O1 lines; you already know that.
This may be your problem:

O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta

The O6 lines, if you need to get to
your secure settings.


Response Number 2
Name: sxshep
Date: December 2, 2003 at 16:23:45 Pacific
Reply:

This baby ain't right:

C:\WINDOWS\System32\svchosts.exe

see:

http://www.sophos.com/virusinfo/analyses/trojsdbotz.html

hth
shep


Response Number 3
Name: blender
Date: December 2, 2003 at 16:57:08 Pacific
Reply:

Neither is this:

O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe

Not sure what it is yet... gotta run.
Someone will pick up on it.
While waiting, try running CWShredder... I don't know if you have it (CoolWebSearch hijack) or not, but it will not hurt you.

CWShredder

Then try a scan here: (disable your av prog while scanning)

RAV antivirus

Post results of scan.
More help will come



Response Number 4
Name: TheKid
Date: December 2, 2003 at 18:02:12 Pacific
Reply:

Might as well throw these in the mix, while you're at it:


http://www.trojanscan.com/

http://housecall.trendmicro.com/



Response Number 5
Name: Ronald D. Borders
Date: December 10, 2003 at 16:51:37 Pacific
Reply:

Your problem is in the hosts file. If HijackThis won't delete the O1 lines, then navigate to C:\Windows\Drivers\etc and look for a file named "hosts" with no extension. Double click it, select "Select the program from a list" and find Notepad in the list. (Make sure to uncheck "Always use the selected program...".) Once you have it opened in Notepad, you probably won't find anything but those listings. Click "Edit, Select All" then "Edit, Delete". (Note: if there are more entries in your hosts file than just these, then just highlight those and delete them.)

By the way, the page that sxshep sent you to references a file named "svchostS.dll", not "svchost.dll". The svchost.dll is a valid MS system file. DON'T DO ANYTHING TO DISABLE IT. You may find yourself with something not working.

Hope this helps
Ron

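An added example, not code from this thread: a small Python checker that applies the signs the replies above point out to HijackThis log lines. It flags O1 hosts entries that map a name to a non-loopback address, a svchost.exe running outside System32, a lookalike name such as svchosts.exe, and a script file (.hta) started from a Run key. The allowlists and lookalike names are assumptions, and the sample excerpt is constructed from lines in gwoey's log.

```python
import re
from pathlib import PureWindowsPath

# Assumed allowlists (not from the thread): binaries that belong only in System32,
# and constructed lookalike names used to masquerade as them.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
LOOKALIKES = {"svchosts.exe", "svch0st.exe", "scvhost.exe"}
SCRIPT_EXTS = {".hta", ".vbs", ".js", ".bat", ".cmd", ".scr", ".pif"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Drive-letter path ending in an extension, quoted or not, then space/quote/end.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.[A-Za-z0-9]{2,4})(?=["\s]|$)')

def check_path(path):
    """Flag a process or autorun path using the tricks seen in this thread."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in LOOKALIKES:                        # e.g. svchosts.exe
        return f"lookalike of a system binary: {name}"
    if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        return f"{name} running outside System32: {path}"   # C:\WINDOWS\svchost.exe
    if p.suffix.lower() in SCRIPT_EXTS:           # msoffice.hta launched at logon
        return f"script-type autorun: {path}"
    return None

def check_line(line):
    """Return a reason string if one HijackThis log line looks suspicious, else None."""
    line = line.strip()
    m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
    if m:                                         # O1: hosts-file redirect
        ip, host = m.groups()
        return None if ip in LOOPBACK else f"hosts redirect: {host} -> {ip}"
    if line.startswith("O4 - ") or re.match(r"[A-Za-z]:\\", line):
        m = PATH_RE.search(line)                  # O4 autorun or 'Running processes' path
        return check_path(m.group(1)) if m else None
    return None

def scan_log(text):
    """Return [(line, reason)] for every suspicious line in a log."""
    return [(l.strip(), check_line(l)) for l in text.splitlines() if check_line(l)]

# Constructed excerpt: lines copied from gwoey's log plus two clean controls.
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchosts.exe
O1 - Hosts: 63.246.157.35 google # Porn Google
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\Fonts\msoffice.hta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
```

Running `scan_log(SAMPLE)` returns four hits; the clean svchost.exe in System32 and the QuickTime entry are not flagged.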

Response Number 6
Name: gwoey
Date: December 10, 2003 at 18:21:52 Pacific
Reply:

Thanks everyone. I deleted the bad lines with HS and re-booted. It seems like the problem is gone. No more icons populating my desktop, no more add-ins to my favorites and no more hijacked web browser. It appeared I had something called bkdr_daemonizer. Ughh, nasty. Great Xmas gift from you all! Thanks for the info!!

