Hi;
I am not sure what is going on with my computer. I have run Ad-Aware and gotten rid of everything it detected. I have the free BitDefender virus scanner and that found a worm or trojan and deleted it; nonetheless, my browser is still hijacked. Every time I reboot the computer, my homepage is changed and an internet shortcut named "Anonimous serfing" is placed on the desktop (no matter which user is logging on to the computer). Also, lately I seem to be having problems with this svchost.exe program that is running. Every once in a while, a window will pop up saying that svchost.exe generated errors, will be shut down, and the errors will be logged. There is a "svchost.exe" in C:\WINNT and one in C:\WINNT\SYSTEM32; the one in C:\WINNT, when I right-click on it, says it was created on Friday, February 20, 2004. Sounds fishy. There is also a svchostc.exe (it has a 'c' on the end) in C:\WINNT\SYSTEM32 that also says it was created on February 20. I don't know if svchost is a red herring, but just thought I would throw out that information too.
Any help is appreciated.
Almost forgot, here is the HijackThis log:
Logfile of HijackThis v1.97.3
Scan saved at 3:42:16 AM, on 2/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TrayMan\ntstart.exe
C:\PROGRA~1\TrayMan\trayman.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\PELMICED.exe
C:\WINNT\svchost.exe
C:\Program Files\AOpen\SilentTek\SilentTek.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cdplayer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\m2\MyIE.exe
C:\Documents and Settings\mc\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uh-porn.com/?id=bookmark.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dieskv.t.muxa.cc/h.php?aid=420 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dieskv.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dieskv.t.muxa.cc/s.php?aid=420 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dieskv.t.muxa.cc/s.php?aid=420 (obfuscated)
F0 - system.ini: Shell=
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\mg\LOCALS~1\Temp\UIUCU.exe -CLEAN_UP -S
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.exe
O4 - HKLM\..\Run: [HardwareMonitor] C:\Program Files\AOpen\SilentTek\RegInformation.exe
O4 - HKLM\..\Run: [Systems] C:\WINNT\svchost.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4FDD315B-2F5C-411E-AD2D-332C7EE419E8}: NameServer = 169.237.250.250 169.237.1.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF3FA333-6A63-41BC-A083-DDC388688758}: NameServer = 168.150.253.2,168.150.253.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{4FDD315B-2F5C-411E-AD2D-332C7EE419E8}: NameServer = 169.237.250.250 169.237.1.250

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uh-porn.com/?id=bookmark.com (that is bad)
==================
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
===================================
Infected example: run=dialer.exe
=========================================
Infected: shell=explorer.exe,openme.exe
Default (means the good one): explorer.exe
Infected: run=dialer.exe
===================================
When finding R0 in HijackThis, that means there is a change in the default value of a registry key, resulting in a change in the IE default search page > search bar, page, or search assistant.
======================================
O1 is a very dangerous result to find, in my opinion, for the fact that a change in the hosts system file could look up a domain name before the default system file querying opens the actual DNS server, effectively making the system file believe the automatic result, think that the requested domain has a different IP address, and give a false numeric domain.
========================
O1 is analyzed data from a program called HijackThis.
The program is to copy all REG_SZ HKY data and values for all MODS .exe.
Seeing an O1 entry confirms a change that has to be investigated.
(overcome the auto search results)
==============================
BHO is confirming a trace for web activities;
someone is monitoring.

This is just my opinion, but I think your issue might require some registry tweaks or you might need to reload windows.
If you've never worked with hacking your registry, don't start until you've read up on it more and are comfortable making the needed changes. Changes made to your registry could disable it if you don't do it right.
The first thing I would do is see what's running by going into the local machine, then Software, then Microsoft, then Windows, then highlighting Run and noting what's shown in the right window. Everything in that window starts when Windows starts. I would then delete everything I know doesn't need to be started and then reboot.
Second, I would go to Add/Remove Programs under the control panel and delete any programs I'm not familiar with or know I didn't download. Always try to investigate the program if you're not sure, so you don't delete something you need or can't get back. After that I'd reboot as necessary to complete all removals.
Third, I'd go under the C: drive (or whatever drive letter you're using) and Program Files and delete the folders of any files I've previously deleted.
While deleting/removing, select "no" if asked to remove a "shared" file. Some of these programs may be sharing needed system files and will remove that file if you select yes, which could disable your PC.
Lastly, some of these programs are probably still in your registry. Go back into your Local Machine, then Software to see what programs are still in your registry. If you don't absolutely know what something is, then thoroughly investigate it before deleting/removing it.
Kind of long-winded, but hope that helps.
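As an added example (not code from this thread or from HijackThis), here are the checks described in the log annotations above and the Run-key review in the previous reply, written as a small triage script over HijackThis log lines. The sample entries are copied from the log posted above; the trusted-host list and the list of System32-only binaries are assumptions to adapt to your own machine.

```python
import re

# Sample entries copied from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uh-porn.com/?id=bookmark.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
F0 - system.ini: Shell=
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Systems] C:\WINNT\svchost.exe
"""

# Windows core binaries that legitimately live only under %SystemRoot%\System32 (assumption).
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
# Hosts accepted as IE start/search pages (assumption: replace with your own defaults).
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com"}
LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d+) - (?P<body>.*)$")

def host_of(url):
    m = re.match(r"https?://([^/?#]+)", url, re.I)
    return m.group(1).lower() if m else None

def triage_line(line):
    """Return (tag, reason) when an entry deserves a look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tag, body = m.group("tag"), m.group("body")
    if tag in ("R0", "R1") and "=" in body:
        # Value is the text after the first '='; drop trailers such as "(obfuscated)".
        url = body.split("=", 1)[1].strip().split(" ")[0]
        host = host_of(url)
        if host and host not in TRUSTED_HOSTS:
            return (tag, f"IE start/search setting points at untrusted host {host}")
    elif tag == "F0":
        shell = body.split("Shell=", 1)[-1].strip().lower()
        if shell != "explorer.exe":
            return (tag, f"system.ini Shell is {shell!r}, expected 'explorer.exe'")
    elif tag == "O4":
        cmd = body.split("] ", 1)[-1].strip()
        end = cmd.lower().find(".exe")          # cut off any command-line arguments
        exe_path = cmd[:end + 4] if end >= 0 else cmd
        name = exe_path.rsplit("\\", 1)[-1].lower()
        # A core binary started by bare name or from outside System32 is the classic impostor.
        if name in SYSTEM_ONLY and "\\system32\\" not in exe_path.lower():
            return (tag, f"{name} started from {exe_path!r}, not from System32")
    return None

def triage(log_text):
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]
```

Run `triage(SAMPLE_LOG)` to see the four entries from the posted log that match the annotations in the thread, with the C:\WINNT\svchost.exe Run entry flagged last.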

I had the identical problem and I SOLVED IT! There was a dll, specifically msrt32.dll. (I found it by searching for all *.dll and sorting by date -- it was the only recent one.) In Safe Mode I deleted it. Then I got a message that svchost.exe couldn't find its dll. I ran RegClean and then the can't-find-the-dll problem went away too. Voila. Everything is fine. (I think I also deleted that svchost while keeping another -- but I don't recall for sure.)

That is very interesting, funky_donkey. After reading your post, I did a search, and I *did* find msrt32.dll on my computer, and it has a recent date too. I have already "solved" my problem too, via a different route. Basically I did what people suggested above, but I used a freeware start-up applet from Mike Lin to look at what was running at start-up. Anyways, the offending program *was* svchost.exe, I'm assuming the new one. Haven't had any problems since removing it from the start-up list.
