hi all. a few weeks ago..i had my adaware pop up and say that certain things were trying to screw around with my registry..i i clicked block to all of them..next thing none of my exe files worked...anyway..found a reg fix for the exe files..they are working okay..but the real problem is...when windows starts up..i get this funny blue box just before you get to the part where you type in your name...it has funny squiggles and sometimes has a directory location on it..the info always seems to change..and you have to click ok to get past it...once inside..i have lost my programs that reside in the bottom right hand corner of the taskbar..my volume control isnt there..and what worries me the most is that my antivirus (computer associates) doesnt appear there any more..any body know if this is a virus..or time for a damn reformatt?? thanks alot in advance...mickey

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop. !!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!! Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd" Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. !!!If anything is "found" continue to the next paragraph, if nothing is "found" skip the next paragraph.!!! Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd" Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing " Y " and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt Please download ComboFix to the desktop from this link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running, it may cause your system to hang.) Please post the log it produces. Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This. Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue. Put a check by "Create a desktop icon" then click "Next" again. Continue to follow the rest of the prompts from there. At the final dialogue box click "Finish" and it will launch Hijack This. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

hi jabuck, this is the log file SmitFraudFix v2.176 Scan done at 8:58:26.62, Tue 08/05/2007 Run from D:\smith\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\WF2K.exe C:\Program Files\WinFast\WFDTV\DTVSchdl.exe C:\Program Files\WinFast\WFTVFM\WFWIZ.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe C:\Program Files\Network ICE\BlackICE\blackice.exe C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Network ICE\BlackICE\blackd.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\System32\wbem\wmiprvse.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts hosts file corrupted ! 127.0.0.1 mpa.one.microsoft.com »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\REXMAX »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\REXMAX\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\REXMAX\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 huy32 detected, use a Rootkit scanner »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport DNS Server Search Order: 192.168.0.1 DNS Server Search Order: 192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{8733AAC0-483E-4BED-A3F3-DA33A6EFCF52}: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{8733AAC0-483E-4BED-A3F3-DA33A6EFCF52}: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{8733AAC0-483E-4BED-A3F3-DA33A6EFCF52}: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS3\Services\Tcpip\..\{8733AAC0-483E-4BED-A3F3-DA33A6EFCF52}: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.1.1 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.1.1 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End

You have a rootkit. Download Gmer from this link GMER Unzip it and start the GMER.exe Select >>>>> (arrows just to the right of rootkit is a button) Click the CMD tab In the top box (black screen) paste the following. gmer -del service huy32 Click Run Let it finish. When done, Copy and paste the results back here after executing this. Restart the computer normally to reset the registry. Run Smifraud option #1 only and post the results. Post the requested Hijack This log and Combofix log please.

yo jabuck, hey thanks for all your help so far..unfortunately i am on night shift for the next 2 nights so i wont be able to try your remedy yet...check back here friday..and by then i would have posted my attempts....regards michael