Computing.Net > Forums > Windows XP > Trojans and viruses


Trojans and viruses


Name: Will
Date: December 5, 2003 at 19:10:09 Pacific
OS: xp
CPU/Ram: 700mhz 312mb ram
Comment:

Here is my HijackThis log file. I have AVGuard and Spy Sweeper running. These items seem to get past. Are there any Windows patches I can download to stop my PC from downloading trojans from websites? How can I clean this up? Also, I think something here is preventing me from opening regedit; has this ever happened to anyone? Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 10:02:44 PM, on 12/5/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVPersonal\AVWUPSRV.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.exe
D:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe
D:\WINDOWS\System32\P2P Networking\P2P Networking.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\JCSXPGV.exe
D:\Program Files\AVPersonal\AVGNT.exe
D:\WINDOWS\System32\rundll32.exe
D:\WINDOWS\System32\SahAgent.exe
D:\Program Files\Common files\updater\wupdater.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\program files\Webdialer\od-teen42.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Will\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
D:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - D:\WINDOWS\bi.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {3C4E691E-50E0-4163-8E94-37F72E994272} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - D:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - D:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [sureshotpopupkiller] "D:\Program Files\Stop-the-Pop-Up Lite\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [P2P Networking] D:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Winsock2 driver] JCSXPGV.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\Program Files\AVPersonal\AVGNT.exe /min
O4 - HKLM\..\Run: [Soundmx] D:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 D:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SAHAgent] D:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Belt] D:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [updater] D:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [Updates] D:\WINDOWS\system32\msupdate.exe
O4 - HKCU\..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - HKCU\..\Run: [od-teen42] d:\program files\Webdialer\od-teen42.exe -m
O4 - HKCU\..\RunOnce: [Winsock2 driver] JCSXPGV.exe
O8 - Extra context menu item: Download With SpeedNet - D:\PROGRA~1\SPEEDN~1.1\download.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Mx0n12n3.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/239ca3ee2d604ad4ac05/netzip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: D:\WINDOWS\Web\tips.ini
O19 - User stylesheet: D:\WINDOWS\hh.htt (HKLM)
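Reading a HijackThis log by hand means scanning each section prefix (R0/R1 for Internet Explorer URL settings, O2 for browser helper objects, O4 for Run/RunOnce autostarts, O10 for the Winsock LSP chain, O16 for downloaded ActiveX controls) and looking for entries that do not add up. The script below is an added example, not part of this thread and not part of HijackThis: it parses those entry formats and applies a few defender-side triage rules to a SAMPLE_LOG constructed from a handful of lines copied out of the log above. The rules (obfuscated search URLs, BHOs with no backing file, Run entries that name a bare executable with no path, the same program registered under both Run and RunOnce, a broken LSP chain, ActiveX controls with no URL or fetched from a bare IP address) are this example's own heuristics, chosen to surface the entries the later replies point at; they prioritise what to look at and do not decide what to delete.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
O2 - BHO: DNSErr object - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Winsock2 driver] JCSXPGV.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\Program Files\AVPersonal\AVGNT.exe /min
O4 - HKCU\..\RunOnce: [Winsock2 driver] JCSXPGV.exe
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/239ca3ee2d604ad4ac05/netzip/RdxIE601.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^(?P<name>.*?)\s+-\s*(?P<url>\S*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# System binaries that are routinely invoked without a path in Run entries (assumed allowlist).
BARE_OK = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}


def parse_entries(log_text):
    """Yield (kind, body) for every 'Rn - ...' / 'On - ...' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def executable_of(cmd):
    """Return the program part of a Run command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of (section, subject, reason) findings for a HijackThis log."""
    findings = []
    run_keys = defaultdict(set)  # executable (lower-case) -> {"Run", "RunOnce", ...}
    for kind, body in parse_entries(log_text):
        if kind[0] == "R":
            # "<registry key>,<value> = <url> [(obfuscated)]"; R3 hooks carry no ' = ' and are skipped.
            key, _, rest = body.partition(" = ")
            if "(obfuscated)" in rest:
                host = urlparse(rest.replace("(obfuscated)", "").strip()).hostname or "?"
                findings.append(("R", key, f"IE search/start setting points at an obfuscated URL on {host}"))
        elif kind == "O2":
            # "BHO: <name> - {CLSID} - <dll path or (no file)>"
            parts = body.split(" - ")
            name = parts[0][len("BHO: "):] if parts[0].startswith("BHO: ") else parts[0]
            if parts[-1].strip() == "(no file)":
                findings.append(("O2", name, "BHO registered but its DLL is missing (orphaned entry)"))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = executable_of(m.group("cmd"))
                run_keys[exe.lower()].add(m.group("key"))
                if "\\" not in exe and "/" not in exe and exe.lower() not in BARE_OK:
                    findings.append(("O4", m.group("label"), f"autostart names bare file '{exe}' with no path"))
        elif kind == "O10":
            findings.append(("O10", body, "Winsock LSP chain is broken; network access may fail until repaired"))
        elif kind == "O16":
            m = DPF_RE.match(body)
            name, url = (m.group("name"), m.group("url")) if m else (body, "")
            host = urlparse(url).hostname or ""
            if not url:
                findings.append(("O16", name, "ActiveX control has no download URL recorded"))
            elif IPV4_RE.match(host):
                findings.append(("O16", name, f"ActiveX control fetched from bare IP address {host}"))
    for exe, keys in run_keys.items():
        if {"Run", "RunOnce"} <= keys:
            findings.append(("O4", exe, "same program registered under both Run and RunOnce"))
    return findings


def summarize(findings):
    """Count findings per log section."""
    return Counter(section for section, _, _ in findings)


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {subject}: {reason}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Run it against a full log file by passing the file's contents to `triage()`. On the sample it raises nine findings, and the O4 rule in particular isolates the "Winsock2 driver" entry that launches a bare JCSXPGV.exe from both Run and RunOnce, which is exactly the sort of line the replies below ask to have cleaned and re-posted.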




Response Number 1
Name: ima
Date: December 5, 2003 at 19:32:55 Pacific
Reply:

Might I suggest you try SpywareBlaster?

http://www.wilderssecurity.net/spywareblaster.html

It is free (donations requested for people who use it and like it), and it blocks spyware from being downloaded.

I just found it tonight.



Response Number 2
Name: Will
Date: December 5, 2003 at 19:34:33 Pacific
Reply:

Thanks, I just downloaded it. It seems like it will work fine once I clean everything. I'm just apprehensive about doing it as I'm no expert.



Response Number 3
Name: pmarion
Date: December 5, 2003 at 19:59:04 Pacific
Reply:

It can be easily undone. Just create a system snapshot under options or settings (don't remember which) before you run it to be safe.
All you do is select the checkboxes (update it first) to block the spyware.

To undo it, simply uncheck them.

And, if you are running win2k or xp, do a system state backup first to be REALLY safe.

:-)



Response Number 4
Name: salgolf
Date: December 6, 2003 at 03:16:26 Pacific
Reply:

Someone else will have to analyze your HJT, but there's some funny looking stuff in there.

You may have a virus or trojan or worm or adware or some other sort of malware.

Run an AV scan, and download AdAware and Spybot, install them, update them, and run. Delete anything that looks suspicious. Some advise deleting everything because it's all reversible. Also get SpywareBlaster, which keeps a list of bad stuff on your computer and blocks them from being installed (theoretically). Be sure your independent (not MS's) firewall is enabled.

Spybot

AdAware



Response Number 5
Name: sxshep
Date: December 6, 2003 at 06:21:51 Pacific
Reply:

Follow salgolf's suggestion to run AdAware and Spybot, and have them clean all they find.
That should clean up a lot of the crud, i.e. NewDotNet etc.
Repost your HJT log afterwards and we'll see what's left.

hth
shep



Response Number 6
Name: Tom41
Date: December 7, 2003 at 06:28:03 Pacific
Reply:

You have a CoolWebSearch hijack, download and run CWShredder:

CWShredder

