retrorized
Trooper
Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sat Nov 27, 2004 11:02 am Post subject: Spyware Help, tried and read before posted a note
Hey,
Every time I get attacked with spyware I search for an answer here or Google it; this time I couldn't find an answer for my problem, so I'm posting.
I've been attacked by spyware, Googled some of it and found fixes, but I can't fix the rest. I tried CWShredder and Spybot Search & Destroy, and I did some HijackThis fixing myself, but I still have these processes, which are viruses for sure:
rsn.exe
getdns.exe
netssl.exe
Before that I had the files clfmon.exe and netssh.exe too, and I fixed those.
The spyware comes in the form of a couple of pages that appear once in a really long while. One is called "play poker with real girls" and the other one is weird; I bumped into it just now, with "search for.." in the title. I bumped into it while going to hotmail.com: every time I enter the page, after 2 seconds it jumps to the other page ("search for...") and blocks the Back button. The page doesn't have an address; even when I added it to the favourites, the address of the page is still "About:blank".
Please help!
Here is my HijackThis log (I've tried to remove some stuff, but they keep coming back):
P.S.: I've got an ATI video card, Wacom tablet, Palm Pilot, iPod and a wireless keyboard/mouse. I mention it so you will know why some of the drivers are there. Thanks a bunch.
Logfile of HijackThis v1.98.2
Scan saved at 13:02:42, on 27/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ICQ\Icq.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Netzer\Desktop\fff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O2 - BHO: (no name) - {B3BF7C2E-CC27-439D-A2ED-FFE63AB990C7} - C:\WINDOWS\system32\menfoa.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEDF5727-B8E2-4AE3-8DC3-6FC5387539D3}: NameServer = 212.143.212.143 194.90.1.5
O18 - Filter: text/html - {0D3DB303-7112-48B4-92EF-EE7F004B50E3} - C:\WINDOWS\system32\menfoa.dll
O18 - Filter: text/plain - {0D3DB303-7112-48B4-92EF-EE7F004B50E3} - C:\WINDOWS\system32\menfoa.dll
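The log above already contains every pattern this thread ends up fixing: IE search settings rewritten to about:/file:// URLs, an unnamed BHO, a wildcard-IP Trusted Zone entry, and text/html and text/plain MIME filters all pointing at one DLL in system32. As an added example (not part of the thread and not HijackThis's own logic), the following Python script triages HijackThis v1.98-style log lines for those patterns. The sample lines are constructed from the logs posted in this thread, and the heuristics (the `SEARCH_SETTINGS` list, the about:/file:// rule, the O15 IP-host rule and the O18 text-filter rule) are the editor's rules of thumb, not a vendor signature.

```python
"""Triage HijackThis v1.98-style log lines for browser-hijack patterns.

Added example: not part of the thread and not HijackThis's own logic. The
sample lines are constructed from the logs posted in the thread; the
heuristics are rules of thumb chosen by the editor.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the R1/O2/O4/O15/O18 entries from the thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O2 - BHO: (no name) - {B3BF7C2E-CC27-439D-A2ED-FFE63AB990C7} - C:\WINDOWS\system32\menfoa.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O15 - Trusted Zone: http://*.63.219.181.7
O18 - Filter: text/html - {0D3DB303-7112-48B4-92EF-EE7F004B50E3} - C:\WINDOWS\system32\menfoa.dll
O18 - Filter: text/plain - {0D3DB303-7112-48B4-92EF-EE7F004B50E3} - C:\WINDOWS\system32\menfoa.dll
"""


@dataclass
class Finding:
    section: str                     # HijackThis section tag, e.g. "O18"
    reason: str                      # why the entry is suspicious
    line: str                        # the original log line
    artifact: Optional[str] = None   # on-disk file the entry names, if it still exists


LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\\S+?\.(?:dll|exe))", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^(?:\*\.)?\d{1,3}(?:\.\d{1,3}){3}$")
# IE settings a hijacker rewrites; a Start Page of about:blank is normal, so
# only these settings are flagged for about: values (editor's heuristic).
SEARCH_SETTINGS = ("Search Bar", "Search Page", "SearchAssistant", "HomeOldSP")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for a line that passes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        setting, _, value = body.partition(" = ")
        value = value.strip().lower()
        if value.startswith("file://"):
            return Finding(sec, "IE search/home setting points at a local file", line)
        if value.startswith("about:") and setting.endswith(SEARCH_SETTINGS):
            return Finding(sec, "IE search setting redirected to an about: URL", line)
    elif sec == "O2" and "(no name)" in body:
        missing = "(file missing)" in body
        path = PATH_RE.search(body)
        reason = "unnamed BHO" + (" (orphaned: DLL already gone)" if missing else "")
        return Finding(sec, reason, line, None if missing or not path else path.group(1))
    elif sec == "O15":
        host = re.sub(r"^https?://", "", body.split("Trusted Zone:", 1)[-1].strip())
        if IP_HOST_RE.match(host):
            return Finding(sec, "Trusted Zone entry for a raw or wildcard IP address", line)
    elif sec == "O18" and body.startswith(("Filter: text/html", "Filter: text/plain")):
        path = PATH_RE.search(body)
        return Finding(sec, "MIME filter hooked on text/html or text/plain (page-rewriting hijack)",
                       line, path.group(1) if path else None)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def removal_candidates(findings: List[Finding]) -> List[str]:
    """Distinct on-disk files named by suspicious entries (the KillBox-style list)."""
    return sorted({f.artifact for f in findings if f.artifact}, key=str.lower)


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("files to review:", removal_candidates(hits))
```

Note that the orphaned `netcfg.dll` entry is reported but yields no file to delete; the registry entry still needs fixing, which is why the moderator leaves it in the "Fix Checked" list later in the thread.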
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sat Nov 27, 2004 2:08 pm
You have two difficult infections. We need to get them one at a time.
Download the file here and unzip it.
Boot to safe mode.
In the folder you unzipped you will find a file titled runme.bat.
Double-click it and it will generate a report in a text file. Save that. Then reboot and copy and paste the contents into your next reply.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
retrorized
Trooper
Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sat Nov 27, 2004 11:25 pm Post subject: Thank You So much :D
First of all, THANK YOU SO MUCH!
Second of all, now that I look at how badly it hit so many things in the registry, I can clearly see I have a difficult infection :\
Thank you in advance; here is the log:
An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
(key has 4 subkeys and 0 value entries - last modified 10:14(UTC) 25/11/2004)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
(key has 0 subkeys and 31 value entries - last modified 10:14(UTC) 25/11/2004)
[taskrun.exe] = "è" (REG_SZ) (0 bytes)
[trayinfo.exe] = "è" (REG_SZ) (0 bytes)
[subsys.exe] = "è" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "è" (REG_SZ) (0 bytes)
[smlogvcc.exe] = "è" (REG_SZ) (0 bytes)
[sessngr.exe] = "è" (REG_SZ) (0 bytes)
[rsvxp.exe] = "è" (REG_SZ) (0 bytes)
[rsn.exe] = "è" (REG_SZ) (0 bytes)
[rexecs.exe] = "è" (REG_SZ) (0 bytes)
[resrvc32.exe] = "è" (REG_SZ) (0 bytes)
[rcip.exe] = "è" (REG_SZ) (0 bytes)
[proxyconf.exe] = "è" (REG_SZ) (0 bytes)
[powerconf.exe] = "è" (REG_SZ) (0 bytes)
[pingnet.exe] = "è" (REG_SZ) (0 bytes)
[dnsping.exe] = "è" (REG_SZ) (0 bytes)
[odcfg.exe] = "è" (REG_SZ) (0 bytes)
[netstart.exe] = "è" (REG_SZ) (0 bytes)
[netdns.exe] = "è" (REG_SZ) (0 bytes)
[getdns.exe] = "è" (REG_SZ) (0 bytes)
[msswchxp.exe] = "è" (REG_SZ) (0 bytes)
[msng.exe] = "è" (REG_SZ) (0 bytes)
[msinfo.exe] = "è" (REG_SZ) (0 bytes)
[netssl.exe] = "è" (REG_SZ) (0 bytes)
[netdetect.exe] = "è" (REG_SZ) (0 bytes)
[sfcver.exe] = "è" (REG_SZ) (0 bytes)
[netcfg.dll] = "è" (REG_SZ) (0 bytes)
[odbcfg32.dll] = "è" (REG_SZ) (0 bytes)
[p2pserv.dll] = "è" (REG_SZ) (0 bytes)
[clfmon.exe] = "è" (REG_SZ) (0 bytes)
[netssh.exe] = "è" (REG_SZ) (0 bytes)
[syspack.dll] = "è" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
(key has 0 subkeys and 27 value entries - last modified 10:14(UTC) 25/11/2004)
[taskrun.exe] = "è" (REG_SZ) (0 bytes)
[trayinfo.exe] = "è" (REG_SZ) (0 bytes)
[subsys.exe] = "è" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "è" (REG_SZ) (0 bytes)
[smlogvcc.exe] = "è" (REG_SZ) (0 bytes)
[sessngr.exe] = "è" (REG_SZ) (0 bytes)
[rsvxp.exe] = "è" (REG_SZ) (0 bytes)
[rsn.exe] = "è" (REG_SZ) (0 bytes)
[rexecs.exe] = "è" (REG_SZ) (0 bytes)
[resrvc32.exe] = "è" (REG_SZ) (0 bytes)
[rcip.exe] = "è" (REG_SZ) (0 bytes)
[proxyconf.exe] = "è" (REG_SZ) (0 bytes)
[powerconf.exe] = "è" (REG_SZ) (0 bytes)
[pingnet.exe] = "è" (REG_SZ) (0 bytes)
[dnsping.exe] = "è" (REG_SZ) (0 bytes)
[odcfg.exe] = "è" (REG_SZ) (0 bytes)
[netstart.exe] = "è" (REG_SZ) (0 bytes)
[netdns.exe] = "è" (REG_SZ) (0 bytes)
[getdns.exe] = "è" (REG_SZ) (0 bytes)
[msswchxp.exe] = "è" (REG_SZ) (0 bytes)
[msng.exe] = "è" (REG_SZ) (0 bytes)
[msinfo.exe] = "è" (REG_SZ) (0 bytes)
[netssl.exe] = "è" (REG_SZ) (0 bytes)
[netdetect.exe] = "è" (REG_SZ) (0 bytes)
[sfcver.exe] = "è" (REG_SZ) (0 bytes)
[clfmon.exe] = "è" (REG_SZ) (0 bytes)
[netssh.exe] = "è" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
(key has 0 subkeys and 8 value entries - last modified 10:14(UTC) 25/11/2004)
[{98DBBF16-CA43-4c33-BE80-99E6694468A4}] = "è" (REG_SZ) (0 bytes)
[{E9590744-812B-46C3-96EB-33212855927D}] = "è" (REG_SZ) (0 bytes)
[Files] = "è" (REG_SZ) (0 bytes)
[Ms4Hd] = "è" (REG_SZ) (0 bytes)
[Processes] = "è" (REG_SZ) (0 bytes)
[RegKeys] = "è" (REG_SZ) (0 bytes)
[RegValues] = "è" (REG_SZ) (0 bytes)
[Vendor] = "è" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
(key has 0 subkeys and 4 value entries - last modified 10:14(UTC) 25/11/2004)
[clfmon.exe] = "è" (REG_SZ) (0 bytes)
[netssh.exe] = "è" (REG_SZ) (0 bytes)
[sessngr.exe] = "è" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "è" (REG_SZ) (0 bytes)
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 2:14 am
Download Pocket Killbox from http://download.broadbandmedic.com/, unzip it and put it on the desktop where you can find it easily.
Download this reg file please and save it to the desktop. Do not run it yet:
http://www.thespykiller.co.uk/files/Removems4hd.reg
Edit - Corrected link is now above.
Run Killbox and paste each of these lines into the box, select "delete on reboot", then press the red X button. When it says "reboot now", say no and continue to paste the lines into the box in turn, following the above procedure every time; after the last line has been pasted, let it reboot.
Note: not all the files actually exist despite the reg listing, but Killbox everything listed regardless; KillBox will tell you if a file doesn't exist.
C:\WINDOWS\system32\taskrun.exe
C:\WINDOWS\system32\trayinfo.exe
C:\WINDOWS\system32\subsys.exe
C:\WINDOWS\system32\spoolsvc.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\sessngr.exe
C:\WINDOWS\system32\smlogvcc.exe
C:\WINDOWS\system32\rsn.exe
C:\WINDOWS\system32\rexecs.exe
C:\WINDOWS\system32\resrvc32.exe
C:\WINDOWS\system32\rcip.exe
C:\WINDOWS\system32\proxyconf.exe
C:\WINDOWS\system32\powerconf.exe
C:\WINDOWS\system32\pingnet.exe
C:\WINDOWS\system32\dnsping.exe
C:\WINDOWS\system32\odcfg.exe
C:\WINDOWS\system32\netstart.exe
C:\WINDOWS\system32\netdns.exe
C:\WINDOWS\system32\getdns.exe
C:\WINDOWS\system32\msswchxp.exe
C:\WINDOWS\system32\msng.exe
C:\WINDOWS\system32\msinfo.exe
C:\WINDOWS\system32\netssl.exe
C:\WINDOWS\system32\netdetect.exe
C:\WINDOWS\system32\sfcver.exe
C:\WINDOWS\system32\clfmon.exe
C:\WINDOWS\system32\netssh.exe
C:\WINDOWS\system32\syspack.dll
C:\WINDOWS\system32\netcfg.dll
C:\WINDOWS\system32\odbcfg32.dll
C:\WINDOWS\system32\p2pserv.dll
C:\WINDOWS\system32\rsvxp.exe
When it has rebooted, please run the reg file you downloaded earlier. Make sure IE and OE and all other windows are closed before running it. It will remove some reg values and keys that are causing the problem. Run it by double-clicking it.
You should get a warning that it will merge to the registry, or similar; say yes to the prompt. You should then get a message saying the file was successfully merged with the registry. Did you?
Then check your favorites folder, as this pest puts a lot of unwanted links in there as well and they need manual deleting.
Once it reboots, post a fresh HJT log, and run the Ms4Hd_look file you first downloaded and post a new log from that, please.
Last edited by Yellowhammer on Sun Nov 28, 2004 12:55 pm, edited 1 time in total
retrorized
Trooper
Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sun Nov 28, 2004 10:50 am Post subject: Thanks
OK, so a couple of things. First of all, you told me to download some .reg file; I didn't have any reg file in the URL you gave me. In that URL I got "ms4hd.zip", so I didn't launch any registry file. It might be the reason why I still have that stupid "Search for..." page. In the part where you told me to run the .reg, I actually ran the .bat. I did what you told me and killed those files, plus a file called "rasautou.exe", which I had a couple of times in the process list and which was in the same location.
I've attached the HJT log and the ms4look.exe log:
Logfile of HijackThis v1.98.2
Scan saved at 12:39:13, on 28/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Netzer\Desktop\fff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O2 - BHO: (no name) - {B3BF7C2E-CC27-439D-A2ED-FFE63AB990C7} - C:\WINDOWS\system32\menfoa.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O18 - Filter: text/html - {3F18D282-440E-4A88-9A15-9C6577076065} - C:\WINDOWS\system32\menfoa.dll
O18 - Filter: text/plain - {3F18D282-440E-4A88-9A15-9C6577076065} - C:\WINDOWS\system32\menfoa.dll
An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
(key has 4 subkeys and 0 value entries - last modified 10:14(UTC) 25/11/2004)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
(key has 0 subkeys and 31 value entries - last modified 10:14(UTC) 25/11/2004)
[taskrun.exe] = "Œ" (REG_SZ) (0 bytes)
[trayinfo.exe] = "Œ" (REG_SZ) (0 bytes)
[subsys.exe] = "Œ" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "Œ" (REG_SZ) (0 bytes)
[smlogvcc.exe] = "Œ" (REG_SZ) (0 bytes)
[sessngr.exe] = "Œ" (REG_SZ) (0 bytes)
[rsvxp.exe] = "Œ" (REG_SZ) (0 bytes)
[rsn.exe] = "Œ" (REG_SZ) (0 bytes)
[rexecs.exe] = "Œ" (REG_SZ) (0 bytes)
[resrvc32.exe] = "Œ" (REG_SZ) (0 bytes)
[rcip.exe] = "Œ" (REG_SZ) (0 bytes)
[proxyconf.exe] = "Œ" (REG_SZ) (0 bytes)
[powerconf.exe] = "Œ" (REG_SZ) (0 bytes)
[pingnet.exe] = "Œ" (REG_SZ) (0 bytes)
[dnsping.exe] = "Œ" (REG_SZ) (0 bytes)
[odcfg.exe] = "Œ" (REG_SZ) (0 bytes)
[netstart.exe] = "Œ" (REG_SZ) (0 bytes)
[netdns.exe] = "Œ" (REG_SZ) (0 bytes)
[getdns.exe] = "Œ" (REG_SZ) (0 bytes)
[msswchxp.exe] = "Œ" (REG_SZ) (0 bytes)
[msng.exe] = "Œ" (REG_SZ) (0 bytes)
[msinfo.exe] = "Œ" (REG_SZ) (0 bytes)
[netssl.exe] = "Œ" (REG_SZ) (0 bytes)
[netdetect.exe] = "Œ" (REG_SZ) (0 bytes)
[sfcver.exe] = "Œ" (REG_SZ) (0 bytes)
[netcfg.dll] = "Œ" (REG_SZ) (0 bytes)
[odbcfg32.dll] = "Œ" (REG_SZ) (0 bytes)
[p2pserv.dll] = "Œ" (REG_SZ) (0 bytes)
[clfmon.exe] = "Œ" (REG_SZ) (0 bytes)
[netssh.exe] = "Œ" (REG_SZ) (0 bytes)
[syspack.dll] = "Œ" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
(key has 0 subkeys and 27 value entries - last modified 10:14(UTC) 25/11/2004)
[taskrun.exe] = "Œ" (REG_SZ) (0 bytes)
[trayinfo.exe] = "Œ" (REG_SZ) (0 bytes)
[subsys.exe] = "Œ" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "Œ" (REG_SZ) (0 bytes)
[smlogvcc.exe] = "Œ" (REG_SZ) (0 bytes)
[sessngr.exe] = "Œ" (REG_SZ) (0 bytes)
[rsvxp.exe] = "Œ" (REG_SZ) (0 bytes)
[rsn.exe] = "Œ" (REG_SZ) (0 bytes)
[rexecs.exe] = "Œ" (REG_SZ) (0 bytes)
[resrvc32.exe] = "Œ" (REG_SZ) (0 bytes)
[rcip.exe] = "Œ" (REG_SZ) (0 bytes)
[proxyconf.exe] = "Œ" (REG_SZ) (0 bytes)
[powerconf.exe] = "Œ" (REG_SZ) (0 bytes)
[pingnet.exe] = "Œ" (REG_SZ) (0 bytes)
[dnsping.exe] = "Œ" (REG_SZ) (0 bytes)
[odcfg.exe] = "Œ" (REG_SZ) (0 bytes)
[netstart.exe] = "Œ" (REG_SZ) (0 bytes)
[netdns.exe] = "Œ" (REG_SZ) (0 bytes)
[getdns.exe] = "Œ" (REG_SZ) (0 bytes)
[msswchxp.exe] = "Œ" (REG_SZ) (0 bytes)
[msng.exe] = "Œ" (REG_SZ) (0 bytes)
[msinfo.exe] = "Œ" (REG_SZ) (0 bytes)
[netssl.exe] = "Œ" (REG_SZ) (0 bytes)
[netdetect.exe] = "Œ" (REG_SZ) (0 bytes)
[sfcver.exe] = "Œ" (REG_SZ) (0 bytes)
[clfmon.exe] = "Œ" (REG_SZ) (0 bytes)
[netssh.exe] = "Œ" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
(key has 0 subkeys and 8 value entries - last modified 10:14(UTC) 25/11/2004)
[{98DBBF16-CA43-4c33-BE80-99E6694468A4}] = "Œ" (REG_SZ) (0 bytes)
[{E9590744-812B-46C3-96EB-33212855927D}] = "Œ" (REG_SZ) (0 bytes)
[Files] = "Œ" (REG_SZ) (0 bytes)
[Ms4Hd] = "Œ" (REG_SZ) (0 bytes)
[Processes] = "Œ" (REG_SZ) (0 bytes)
[RegKeys] = "Œ" (REG_SZ) (0 bytes)
[RegValues] = "Œ" (REG_SZ) (0 bytes)
[Vendor] = "Œ" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
(key has 0 subkeys and 4 value entries - last modified 10:14(UTC) 25/11/2004)
[clfmon.exe] = "Œ" (REG_SZ) (0 bytes)
[netssh.exe] = "Œ" (REG_SZ) (0 bytes)
[sessngr.exe] = "Œ" (REG_SZ) (0 bytes)
[spoolsvc.exe] = "Œ" (REG_SZ) (0 bytes)
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 12:41 pm
You needed to unzip the ms4hd.zip file because it contained the .reg file. You need to repeat the process from before, but this time unzip that file before you use it.
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 12:54 pm
I am sorry, I posted a link to the incorrect file.
Here is the correct link. I edited my post from before. You need to repeat the entire process.
retrorized
Trooper
Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sun Nov 28, 2004 4:25 pm Post subject: ok here they are
OK, I've done everything from the beginning. I didn't get any new favourites in the favourites menu, so I didn't have anything to remove from there, but the "search for..." page is still my default IE page for some reason, and sometimes it just jumps in instead of my current page.
Here is how it looks (I've attached the log files after it):
The start menu was changed by me, and the systray icon that looks like a signpost with "ip" in it is a program that I know, so don't think those are related to the spyware.
Logfile of HijackThis v1.98.2
Scan saved at 18:22:46, on 28/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Netzer\Desktop\fff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O2 - BHO: (no name) - {30A09518-DAEE-4FCC-8C94-5942E4656FB8} - C:\WINDOWS\system32\maagh.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEDF5727-B8E2-4AE3-8DC3-6FC5387539D3}: NameServer = 212.143.212.143 194.90.1.5
O18 - Filter: text/html - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
O18 - Filter: text/plain - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Return code was 0XC0000034
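Two things in this thread are worth automating for anyone who handles such reports regularly: deriving the KillBox file list from the Files subkey that Ms4Hd_look dumped in the earlier post, and confirming removal from the "Couldn't open ... Return code was 0XC0000034" lines in the report just above (0xC0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, i.e. the key no longer exists). The Python below is an added example, not part of the thread and not IMM's Ms4Hd_look tool; both embedded reports are constructed, abridged versions of the ones posted here, and the `C:\WINDOWS\system32` prefix is an assumption taken from the moderator's list.

```python
"""Parse an Ms4Hd_look report and derive the file list / cleanup check.

Added example: not part of the thread and not IMM's Ms4Hd_look tool. The two
reports below are constructed (abridged) from the ones posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed "before" report: the Files subkey is where the file list comes from.
BEFORE_REPORT = r"""An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
(key has 4 subkeys and 0 value entries - last modified 10:14(UTC) 25/11/2004)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
(key has 0 subkeys and 4 value entries - last modified 10:14(UTC) 25/11/2004)
[rsn.exe] = "è" (REG_SZ) (0 bytes)
[getdns.exe] = "è" (REG_SZ) (0 bytes)
[netssl.exe] = "è" (REG_SZ) (0 bytes)
[netcfg.dll] = "è" (REG_SZ) (0 bytes)
----------------------------------------
Handle OK.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
(key has 0 subkeys and 3 value entries - last modified 10:14(UTC) 25/11/2004)
[rsn.exe] = "è" (REG_SZ) (0 bytes)
[getdns.exe] = "è" (REG_SZ) (0 bytes)
[netssl.exe] = "è" (REG_SZ) (0 bytes)
"""

# Constructed "after" report, in the form the thread's final Ms4Hd_look run took.
AFTER_REPORT = r"""An Ms4Hd_look by IMM (v0.001)
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Return code was 0XC0000034
----------------------------------------
Error: Couldn't open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Return code was 0XC0000034
"""

MS4HD_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd"
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034  # NTSTATUS reported once a key is gone

VALUE_RE = re.compile(r'^\[(?P<name>[^\]]+)\] = ".*" \(REG_\w+\) \(\d+ bytes\)$')
ERROR_RE = re.compile(r"^Error: Couldn't open (?P<key>\S+)$")
RC_RE = re.compile(r"^Return code was (?P<rc>0[xX][0-9A-Fa-f]+)$")


def parse_report(text: str) -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Return (keys, errors): value names per key that opened, NTSTATUS per key that did not."""
    keys: Dict[str, List[str]] = {}
    errors: Dict[str, int] = {}
    current = None        # key whose value entries are currently being listed
    pending_error = None  # key named by the last "Couldn't open" line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")):
            current = line
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append(m.group("name"))
            continue
        m = ERROR_RE.match(line)
        if m:
            pending_error = m.group("key")
            continue
        m = RC_RE.match(line)
        if m and pending_error is not None:
            errors[pending_error] = int(m.group("rc"), 16)
            pending_error = None
    return keys, errors


def file_candidates(keys, system32: str = r"C:\WINDOWS\system32") -> List[str]:
    """Full paths for every name registered under the Files subkey, in report order.
    The system32 prefix is an assumption; the reg values themselves carry no path."""
    names = keys.get(MS4HD_ROOT + r"\Files", [])
    return [f"{system32}\\{n}" for n in names]


def library_components(keys) -> List[str]:
    """Names registered as files but never as processes: the DLLs loaded into IE
    (BHO / MIME filter) rather than run as stand-alone executables."""
    files = set(keys.get(MS4HD_ROOT + r"\Files", []))
    procs = set(keys.get(MS4HD_ROOT + r"\Processes", []))
    return sorted(files - procs)


def is_cleaned(errors) -> bool:
    """True once the root key can no longer be opened because it does not exist."""
    return errors.get(MS4HD_ROOT) == STATUS_OBJECT_NAME_NOT_FOUND


if __name__ == "__main__":
    keys, errors = parse_report(BEFORE_REPORT)
    print("files to remove:", *file_candidates(keys), sep="\n  ")
    print("DLL components:", library_components(keys))
    print("before cleaned?", is_cleaned(errors))
    print("after cleaned?", is_cleaned(parse_report(AFTER_REPORT)[1]))
```

The Files-minus-Processes split matters for the follow-up: the executables are what KillBox removes on reboot, while the DLL names are the ones to look for again in the O2/O18 lines of the next HijackThis log.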
Yellowhammer
Site Moderator Microsoft MVP
Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 4:39 pm
Remember at the beginning I said we would get them one at a time? It looks like we got the first one, and now we can get the other one.
Download and run the removal tool here. Post the log that is generated when you post a new HijackThis log.
Download CWShredder here. Close all browser windows and click on the fix/next button.
Boot to safe mode: instructions here.
Run CWShredder a second time while in safe mode.
Then close all windows and scan with HijackThis. Place a check mark next to the following items. Then click the "Fix Checked" button.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Netzer\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {30A09518-DAEE-4FCC-8C94-5942E4656FB8} - C:\WINDOWS\system32\maagh.dll
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll (file missing)
O18 - Filter: text/html - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
O18 - Filter: text/plain - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
Then delete the following files or folders:
C:\WINDOWS\System32\maagh.dll <- File
The following step is important, as you may have several malware files in your temp directory.
Then browse to the C:\Documents and Settings\Your User Name\Local Settings\Temp folder (repeat for all users in Documents and Settings) and delete all files and folders in it.
Then browse to the C:\Windows (Winnt)\Temp folder and delete all files and folders in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on "Delete Files" and make sure you get all offline content as well.
Then empty the Recycle Bin.
Then reboot to normal mode.
Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
Open adaware and Click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.
If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.
Click the "Scan now" button in the main menu on the left side of the main status screen, or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File
Then click on the "Tweak" Button to open up the tweak settings.
Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
Scan registry for all users instead of current user only
Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot.
Click the "Proceed" button to save settings.
Click the "Next" button to start the scan.
When a scan is completed the Performing System Scan screen will change name to "Scan Complete".
Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.
Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted, as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself, read here. So in short, you may or may not want to fix the hosts file entries.
To fix all the bad critical objects do the following:
Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.
When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.
Then,
Download SPYBOT Search and Destroy here if it is not already installed on your computer
Install the program and then start it. Once the program has started, make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the check is over, all problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.
Finally, do an online scan using Trend Micro's HouseCall. It is available here.
Post a fresh HijackThis log please.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
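The fix list above is a set of indicators (a filter CLSID, two file names, a "(file missing)" BHO) that a helper reads out of a HijackThis log by eye. The following is an added example, not code from this thread or from HijackThis itself, showing how to parse the log format into structured records and match such indicators mechanically, which is how you would triage many logs rather than one. The sample log is constructed from the entry kinds posted in this thread; the regular expressions and the `HjtEntry` record are my own assumptions about the format, not an official grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample log: entry kinds taken from the logs posted in this thread,
# plus a header line and one "Running processes" line to show they are skipped.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O2 - BHO: (no name) - {E9590744-812B-46C3-96EB-33212855927D} - C:\WINDOWS\system32\netcfg.dll (file missing)
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEDF5727-B8E2-4AE3-8DC3-6FC5387539D3}: NameServer = 212.143.212.143 194.90.1.5
O18 - Filter: text/html - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
O18 - Filter: text/plain - {9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3} - C:\WINDOWS\system32\maagh.dll
"""

# Assumed line grammar: "<section> - <body>", section letters as used by HijackThis 1.98.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A drive-qualified path ending in a binary extension. Spaces are allowed because
# "C:\Program Files\..." is common, so the match is non-greedy up to the extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx|cpl)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class HjtEntry:
    section: str                 # e.g. "O2", "O18"
    body: str                    # everything after "Oxx - "
    clsid: Optional[str] = None  # first CLSID on the line, normalised to upper case
    path: Optional[str] = None   # first drive-qualified binary path, if any
    file_missing: bool = False   # HijackThis' own "(file missing)" annotation
    nameservers: List[str] = field(default_factory=list)  # O17 NameServer addresses


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for headers, process lists and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    entry = HjtEntry(section=section, body=body,
                     clsid=clsid.group(0).upper() if clsid else None,
                     path=path.group(0) if path else None,
                     file_missing="(file missing)" in body)
    if section == "O17" and "NameServer" in body:
        # Everything right of "=" is the resolver list; keep it for comparison
        # against the resolvers the user's ISP actually issues.
        entry.nameservers = IPV4_RE.findall(body.split("=", 1)[1])
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def match_indicators(entries: List[HjtEntry],
                     clsids: Set[str] = frozenset(),
                     filenames: Set[str] = frozenset()) -> List[HjtEntry]:
    """Return entries whose CLSID or binary file name is in the given sets (case-insensitive)."""
    clsids = {c.upper() for c in clsids}
    filenames = {f.lower() for f in filenames}
    hits = []
    for e in entries:
        basename = e.path.rsplit("\\", 1)[-1].lower() if e.path else None
        if (e.clsid and e.clsid in clsids) or (basename and basename in filenames):
            hits.append(e)
    return hits


def entries_by_section(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    out: Dict[str, List[HjtEntry]] = {}
    for e in entries:
        out.setdefault(e.section, []).append(e)
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Indicators taken from the fix list posted in this thread.
    hits = match_indicators(entries,
                            clsids={"{9BB570AD-CC2C-4B3E-9C9D-6171F954E6C3}"},
                            filenames={"maagh.dll", "netcfg.dll"})
    for h in hits:
        print(f"{h.section}: {h.body}")
    for e in entries_by_section(entries).get("O17", []):
        print("O17 nameservers:", e.nameservers)
```

Matching on CLSID as well as file name matters for the O18 case above: both filter lines share one CLSID, and a filter whose DLL has been deleted but whose registration remains still shows up, so a second log after cleanup can be checked the same way. The O17 resolver addresses are extracted but not judged, since whether they are legitimate depends on the user's ISP.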
retrorized
Trooper

 Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sun Nov 28, 2004 6:30 pm Post subject: ok so here is the clean log |
OK, so some knowledge on the steps you gave me:
1. CWShredder found 1 spyware.. weird.. I searched with it before posting on CastleCops and it didn't find anything
2. I didn't have any of the rows in HijackThis except for the "netcfg.dll" row, weird ah? it got removed alone..
3. the file maag.dll wasn't found in the c:\windows\system32 directory
4. Ad-aware didn't find anything, but I searched using Ad-aware like 2 hours before you posted your last reply
5. Spybot Search & Destroy - found 5 DSO exploits, 1 CoolWWWSearch entry and 1 entry of something called "Start page-eh"
6. Trend Micro's HouseCall found only 1 virus called "bkdr.padodor.h"
here is the HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 20:25:46, on 28/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Netzer\Desktop\fff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.netvision.net.il/
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &éöà ì- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEDF5727-B8E2-4AE3-8DC3-6FC5387539D3}: NameServer = 212.143.212.143 194.90.1.5
retrorized
Trooper

 Joined: Apr 09, 2004 Posts: 12 Location: Israel
Posted: Sun Nov 28, 2004 6:31 pm Post subject: i forgot to add this |
I forgot to add the Symantec FxAgent log, so here it is
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2
process: winlogon.exe, thread: 00000268 (terminated)
process: services.exe, thread: 000002B4 (terminated)
process: lsass.exe, thread: 000002B8 (terminated)
process: ati2evxx.exe, thread: 00000358 (terminated)
process: svchost.exe, thread: 00000378 (terminated)
process: svchost.exe, thread: 000003C8 (terminated)
process: svchost.exe, thread: 00000454 (terminated)
process: svchost.exe, thread: 000004E4 (terminated)
process: spoolsv.exe, thread: 00000564 (terminated)
process: ati2evxx.exe, thread: 000001BC (terminated)
process: explorer.exe, thread: 000001F0 (terminated)
process: MDM.EXE, thread: 0000037C (terminated)
process: svchost.exe, thread: 00000470 (terminated)
process: Tablet.exe, thread: 000004C0 (terminated)
process: dslagent.exe, thread: 000005DC (terminated)
process: CTHELPER.EXE, thread: 00000684 (terminated)
process: type32.exe, thread: 0000073C (terminated)
process: point32.exe, thread: 00000678 (terminated)
process: ctfmon.exe, thread: 000006D0 (terminated)
process: wdfmgr.exe, thread: 00000710 (terminated)
process: TabUserW.exe, thread: 00000720 (terminated)
process: DUC20.exe, thread: 00000704 (terminated)
process: svchost.exe, thread: 0000032C (terminated)
process: alg.exe, thread: 000007C0 (terminated)
process: svchost.exe, thread: 000008A0 (terminated)
process: Icq.exe, thread: 000007FC (terminated)
process: FxAgentB.exe, thread: 00000D8C (terminated)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs (value set to "")
C:\System Volume Information: (not scanned)
C:\WINDOWS\system32\msm.dll: (will be deleted on next reboot)
D:\System Volume Information: (not scanned)
The Backdoor.Agent.B removal was successful.
The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.
Here is the report:
1 file(s) could not be deleted.
They will be deleted on next reboot.
The total number of the scanned files: 125201
The number of deleted files: 0
The number of viral processes terminated: 0
The number of viral threads terminated: 27
The number of registry entries fixed: 1
The tool initiated a system reboot.
Yellowhammer
Site Moderator Microsoft MVP
 Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 7:11 pm Post subject: |
That is clean now.
The removal tool probably took care of most of the stuff that would have been listed in HijackThis. CWShredder found something after the removal tool because it was not visible to it before.
Hopefully you are back in business now.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection
retrorized
Trooper

 Joined: Apr 09, 2004 Posts: 12 Location: Israel
Yellowhammer
Site Moderator Microsoft MVP
 Joined: Jan 30, 2004 Posts: 18022
Posted: Sun Nov 28, 2004 10:29 pm Post subject: |
You're welcome,
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a moderator.
Everyone else having a similar issue, please launch a new topic for yourselves.
_________________
Yellowhammer
MS-MVP Security 2005/2006
How to prevent Reinfection