First, I'd like to thank you for taking the time to help me, and I'd like to say sorry for bugging anyone. Anyways, on to my issues... A few days ago I had a warning thing that kept popping up from what seemed like a Windows program about "spyware". I posted on a non-computer-related forum asking for help, and was pointed here. They said it was probably Spyfalcon.
Well, for 2 days I have been trying to eliminate Spyfalcon, but I can't. (I tried the method on this site, but I follow the steps and either can't find the file I am told to delete/alter, or I do and it just returns.) I also tried some other methods through other sites... nothing worked. As you can probably tell, I am VERY computer illiterate... I'm the only one who uses this computer and all I normally use is the basic functions and Internet.
So today I reboot and Spyfalcon has spread. At first it was just a little symbol in the tray with a tiny bubble popping up every 20 seconds or so (and when I clicked the bubble it closed and did nothing). That bugged me, but it wasn't horrible. Now I have pop-ups, a bigger little window in the right-side bottom corner saying I have a spyware problem and need to download a program immediately or my computer will crash. I click that window, lo and behold it sends me to Spyfalcon.com.
To make this all worse, my computer is small and barely has enough memory (that's why for the last 2 weeks I have been trying to clean its memory and make it go faster)... but this is seriously eating away at its speed and memory... and I fear it may crash. So I am here for help. (By the way, my computer has a 4.87GB capacity with 611MB free space.)
Here's my HijackThis log... hope someone knows of something that will help me.
Logfile of HijackThis v1.99.1
Scan saved at 7:49:24 PM, on 5/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\sndraw32.exe
D:\WINDOWS\System32\mshtb.exe.exe
D:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\rundll32.exe
C:\Program Files\EarthLink TotalAccess\FastLane\ARUpld32.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\System32\dcomcfg.exe
D:\WINDOWS\System32\atmclk.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Symantec\LiveUpdate\AUpdate.exe
D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
D:\Documents and Settings\Josh\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=explorer.exe "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O1 - Hosts: nd.com
O1 - Hosts: nd.com
O1 - Hosts: ind.com
O1 - Hosts: ind.com
O1 - Hosts: find.com
O1 - Hosts: find.com
O1 - Hosts: yfind.com
O1 - Hosts: yfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: tyfind.com
O1 - Hosts: styfind.com
O1 - Hosts: styfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: estyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: .zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: w.zestyfind.com
O1 - Hosts: o.offeroptimizer.com
O1 - Hosts:
O1 - Hosts: 1
O1 - Hosts: m
O1 - Hosts: om
O1 - Hosts: .com
O1 - Hosts: ar.com
O1 - Hosts: lbar.com
O1 - Hosts: oolbar.com
O1 - Hosts: rtoolbar.com
O1 - Hosts: sertoolbar.com
O1 - Hosts: owsertoolbar.com
O1 - Hosts: 2.browsertoolbar.com
O1 - Hosts: ww2.browsertoolbar.com
O1 - Hosts: 1
O1 - Hosts: .www2.browsertoolbar.com
O1 - Hosts: ww.www2.browsertoolbar.com
O1 - Hosts: 127.0.0
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\WINDOWS\System32\hpF4F8.tmp
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - D:\WINDOWS\AppPatch\webiis.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sndraw32] D:\WINDOWS\System32\sndraw32.exe
O4 - HKLM\..\Run: [mshtb.exe] D:\WINDOWS\System32\mshtb.exe.exe
O4 - HKLM\..\RunServices: [sndraw32] D:\WINDOWS\System32\sndraw32.exe
O4 - HKLM\..\RunServices: [mshtb.exe] D:\WINDOWS\System32\mshtb.exe.exe
O4 - HKCU\..\Run: [sndraw32] D:\WINDOWS\System32\sndraw32.exe
O4 - HKCU\..\Run: [mshtb.exe] D:\WINDOWS\System32\mshtb.exe.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://D:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.searchmeup.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.clarkcolor.com/ClarkUpload.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B61B8AC-EC5D-4999-A3A4-ADD56DCD37F4}: NameServer = 207.217.126.81 207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B61B8AC-EC5D-4999-A3A4-ADD56DCD37F4}: NameServer = 207.217.126.81 207.217.77.82
O20 - Winlogon Notify: browsela - D:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: cfgmngr32 - D:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: docanti - D:\WINDOWS\repair\docanti.dll (file missing)
O20 - Winlogon Notify: gg - D:\WINDOWS\adsldpbd.dll (file missing)
O20 - Winlogon Notify: iexplore - D:\WINDOWS\SYSTEM32\lf3ds.dll
O20 - Winlogon Notify: javacr - D:\WINDOWS\Fonts\javacr.dll (file missing)
O20 - Winlogon Notify: req - D:\WINDOWS\System32\req.dat (file missing)
O20 - Winlogon Notify: st3 - D:\WINDOWS\system32\st3.dll
O20 - Winlogon Notify: webiis - D:\WINDOWS\AppPatch\webiis.dll
O20 - Winlogon Notify: wingom32 - D:\WINDOWS\SYSTEM32\wingom32.dll
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe