A month ago my computer was ruined. Something has found its way onto my computer and I can't seem to do anything. If I try to use any yahoo search links I get taken to "morwillsearch.com" Sometimes when on the net something pops up called "command script prompt" and shuts down all my IE windows. Some toolbar pops up every time I start up. I run SpyBot, AdAware, NAV all the time, yet nothing works. I'm so frustrated I could cry, can anyone help me? :(

It is basiclly vundu or winfixer, Hijack This will locate the bad files,hopefully.Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed. Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Logfile of HijackThis v1.99.1 Scan saved at 4:13:06 PM, on 12/23/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\PopUp Killer\PopUpKiller.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jay\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) R3 - URLSearchHook: (no name) - {297887A8-373C-8BB9-A3A5-310A81F5E7A3} - MSTCPDLL.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {0c0c593a-1659-45d1-b3be-24f0ae8ad7ca} - C:\WINDOWS\System32\vwbmefex.dll O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddaba.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe (file missing) O12 - Plugin for .mid: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: *.iframedollars.biz O15 - Trusted Zone: *.iframedollars.biz (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135370183812 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} - http://www.zuvio.com/UCSearch.CAB O17 - HKLM\System\CCS\Services\Tcpip\..\{5ACC90AA-B0FF-4544-B0F7-0CFDFBF47A21}: NameServer = 85.255.113.148,85.255.112.20 O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4FD8F7-1708-4808-B274-91E55CC3B544}: NameServer = 85.255.113.148,85.255.112.20 O17 - HKLM\System\CCS\Services\Tcpip\..\{ACEC3B7E-DB9A-4E5B-A7C3-396E79DB92D5}: NameServer = 85.255.113.148 85.255.112.20 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll O20 - Winlogon Notify: st3 - C:\WINDOWS\q13708593_disk.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Could this also affect my USB game dance pads? They haven't worked since this annoying nightmare either.

You have about:blank,wareout and winfixer.Lets start with winfixer. There are two ways to run the fix for this version so if we are not sucessful the first go around don't fret. Please download http://www.atribune.org/downloads/VundoFix.exe to your desktop. Double-click VundoFix.exe to extract the files This will create a VundoFix folder on your desktop. After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat You will first be presented with a warning. It should look like this: VundoFix V2.15 by Atri By using VundoFix you agree that you are doing so at your own risk Press enter to continue.... At this point press enter one time. Next you will see: Please Type in the filepath as instructed by the forum staff and then press enter: At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\ddaba.dll Press Enter to continue with the fix. Next you will see: At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\abadd.* Press Enter to continue with the fix. The fix will run then HijackThis will open, if it does not open automatically please open it manually. In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\ddaba.dll O20 - Winlogon Notify: ddaba - C:\WINDOWS\System32\ddaba.dll We will do this in stages so don't remove anything else with HT.

jabuck: done but one problem, there was no 02 BHO MS Object line...so I couldn't check it off. What's more is after I "fixed" the O20 one my screen went black (in safe mode) and I couldn't do ANYTHING. I had to restart my computer manually. I have to pick up my wife from work...is there anyway to have your email so I can contact you directly to fix this nightmare? Thank you so much for your help! My email: disney_315@yahoo.com

I'm almost in the same boat you are in, I have to make a walmart run.I'd rather keep it on the forum. It is to easy to get infected via email and you have a basket full. Post a HT log, we may have to make some changes to the name in the second line of the fix.