kelp's list of many, many problems (HiJackThis .log included)

  1. #1
    kelp is offline Newbie

    Hey everyone, my IE's homepage has been taken over with something. Please inspect this HijackThis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:00:39 PM, on 8/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Karna\Razer\razertra.exe
    C:\WINDOWS\system32\nettf32.exe
    C:\program files\steam\steam.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\netkj.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\SpeedFan\speedfan.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\kelp\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\xicwt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\xicwt.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\xicwt.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {F741EAF7-6D33-0ABE-BCF4-5C3371DBD34A} - C:\WINDOWS\system32\addoh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [razertra] C:\Program Files\Karna\Razer\razertra.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nettf32.exe] C:\WINDOWS\system32\nettf32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O9 - Extra button: Anonymization.Net - {8B466019-1E6E-4552-A096-7C0A2876E50E} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...22384e480b9c0d
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab



    I've tried to get rid of the R1's and R0's with the EVIL .dll, but every time I restart, they come back with a newly generated name. I've also run AVG and Trend Micro, and came up with many trojans, but if I restart they come back also.


  2. #2
    owen is offline D-A-L Team Member (UK)
    Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

    Install the program and launch it.

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Now we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select :
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    3. Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    • Include additional object details
    4. Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes during scanning
      • Include basic Ad-aware settings in logfile
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Then download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, and Ok again to start the scan. It will generate a log. Post that log along with a new Hijack This log here.

    If this doesn't work, boot into safe mode and try. How to boot into safe mode?

  3. #3
    kelp is offline Newbie
    Okay, here's how it went down: I ran adaware with all the settings you gave me, got rid of the 76 problems. As I ran about:buster, after it started, a blue screen came and it dumped physical memory and I restarted my computer manually since it froze. I got in and ran about:buster with no errors this time. Then I ran hijackthis. Sometimes my notepad mysteriously disappears if I open one of the logs. Here's my logs:

    Scanned at: 9:24:34 PM on: 8/7/2004


    -- Scan 1 --------
    About:Buster Version 2.11
    Reference List : 11

    Removed 2 Random Key Entries
    Failed to Delete Service Key 4
    Failed to Delete Service Key 5
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 --------
    About:Buster Version 2.11
    Reference List : 11

    Removed 2 Random Key Entries
    Failed to Delete Service Key 4
    Failed to Delete Service Key 5
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!





    Logfile of HijackThis v1.98.2
    Scan saved at 9:25:34 PM, on 8/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Karna\Razer\razertra.exe
    C:\program files\powerstrip\pstrip.exe
    C:\WINDOWS\system32\nettf32.exe
    C:\program files\steam\steam.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\netkj.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\kelp\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xicwt.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {F741EAF7-6D33-0ABE-BCF4-5C3371DBD34A} - C:\WINDOWS\system32\addoh.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [razertra] C:\Program Files\Karna\Razer\razertra.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nettf32.exe] C:\WINDOWS\system32\nettf32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O9 - Extra button: Anonymization.Net - {8B466019-1E6E-4552-A096-7C0A2876E50E} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...22384e480b9c0d
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

  4. #4
    owen is offline D-A-L Team Member (UK)
    That's looking a bit better, could you run About:Buster but in Safe Mode! Post the log here along with a new Hijack This log! (Run Hijack This after!)

  5. #5
    kelp is offline Newbie
    Looks all clear:

    Scanned at: 5:32:07 PM on: 8/8/2004


    -- Scan 1 --------
    About:Buster Version 2.11
    Reference List : 11

    Removed 2 Random Key Entries
    Failed to Delete Service Key 4
    Failed to Delete Service Key 5
    Removed! : C:\WINDOWS\atdqo.dat
    Removed! : C:\WINDOWS\bljsy.dll
    Removed! : C:\WINDOWS\vubsm.dll
    Removed! : C:\WINDOWS\ycaft.dll
    Removed! : C:\WINDOWS\zhlub.dat
    Removed! : C:\WINDOWS\System32\qswhj.dll
    Removed! : C:\WINDOWS\System32\yxfar.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 --------
    About:Buster Version 2.11
    Reference List : 11

    Removed 2 Random Key Entries
    Failed to Delete Service Key 4
    Failed to Delete Service Key 5
    Attempted Clean Of Temp folder.
    Pages Reset... Done!




    Logfile of HijackThis v1.98.2
    Scan saved at 5:34:10 PM, on 8/8/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Karna\Razer\razertra.exe
    C:\program files\powerstrip\pstrip.exe
    C:\WINDOWS\system32\nettf32.exe
    C:\program files\steam\steam.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\netkj.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\kelp\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {73BBFCD2-1DDD-E846-38F4-C12CBBE9C89E} - C:\WINDOWS\sdknd.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [razertra] C:\Program Files\Karna\Razer\razertra.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nettf32.exe] C:\WINDOWS\system32\nettf32.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O9 - Extra button: Anonymization.Net - {8B466019-1E6E-4552-A096-7C0A2876E50E} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...22384e480b9c0d
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab




    Hey, how do I get rid of some viruses AVG can't get rid of? If I go afk for a while, when I come back, there are dialogs that say something about Agent BJ and Agent Z. I ran AVG, they're still there.

  6. #6
    owen is offline D-A-L Team Member (UK)
    Getting there....

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {73BBFCD2-1DDD-E846-38F4-C12CBBE9C89E} - C:\WINDOWS\sdknd.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [nettf32.exe] C:\WINDOWS\system32\nettf32.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...022384e480b9c0d

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Then go to C:\WINDOWS\system32\ and delete the following:
    nettf32.exe

    Then go to C:\Windows and delete the following:
    netkj.exe

    Reboot and post a fresh log

    Where is AVG detecting the virus in question? (It should usually tell you). And does it just not detect it when scanning or does it just not remove it?

  7. #7
    kelp is offline Newbie
    The viruses are in the system restore. Will turning system restore off and turning it back on get rid of the viruses?

  8. #8
    owen is offline D-A-L Team Member (UK)
    It certainly will. Disable it to flush the contents and then re-enable it.

    Then post a fresh log after you have finished the instructions

  9. #9
    kelp is offline Newbie
    Here's the new .log:

    Logfile of HijackThis v1.98.2
    Scan saved at 12:55:42 PM, on 8/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Karna\Razer\razertra.exe
    C:\program files\powerstrip\pstrip.exe
    C:\WINDOWS\system32\mfcjs32.exe
    C:\program files\steam\steam.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\bnirov.dat:dxjhq
    C:\Documents and Settings\kelp\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8088
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {C0FC6475-F8F5-D574-1959-31BD47C3CA21} - C:\WINDOWS\system32\ntph32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [razertra] C:\Program Files\Karna\Razer\razertra.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
    O4 - HKLM\..\RunOnce: [dxjhq] C:\WINDOWS\bnirov.dat:dxjhq
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O9 - Extra button: Anonymization.Net - {8B466019-1E6E-4552-A096-7C0A2876E50E} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

  10. #10
    owen is offline D-A-L Team Member (UK)
    Nearly there now.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {C0FC6475-F8F5-D574-1959-31BD47C3CA21} - C:\WINDOWS\system32\ntph32.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [mfcjs32.exe] C:\WINDOWS\system32\mfcjs32.exe
    O4 - HKLM\..\RunOnce: [dxjhq] C:\WINDOWS\bnirov.dat:dxjhq

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Go to C:\Windows\System32 and delete the following:
    mfcjs32.exe

    Then run About:Buster one last time.

    Reboot and post a new Hijack This and About:Buster log
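
Added example, not part of any post in this thread: a Python triage of HijackThis lines that flags the three kinds of entry the helper asked to have fixed above (IE pages pointing at `res://` DLL resources, unnamed or fileless BHO/toolbar registrations, and autoruns launched from an NTFS alternate data stream), then diffs two scans to show what reappeared under a new name. The function names and the heuristics are assumptions of this example, not HijackThis rules; the sample lines are copied from the logs posted above.

```python
import re

# Lines copied from the 8/7/2004 and 8/9/2004 logs in this thread.
SCAN_AUG7 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\xicwt.dll/index.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {F741EAF7-6D33-0ABE-BCF4-5C3371DBD34A} - C:\WINDOWS\system32\addoh.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [nettf32.exe] C:\WINDOWS\system32\nettf32.exe
"""
SCAN_AUG9 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C0FC6475-F8F5-D574-1959-31BD47C3CA21} - C:\WINDOWS\system32\ntph32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\RunOnce: [dxjhq] C:\WINDOWS\bnirov.dat:dxjhq
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.+)$")  # "<section> - <body>"


def triage(log_text):
    """Return (section, reason, line) for entries matching the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section.startswith("R"):
            # R entries are "key,value name = data"; empty data has no " = ".
            _, sep, value = body.partition(" = ")
            if sep and value.strip().lower().startswith("res://"):
                findings.append((section, "IE page loaded from a DLL resource", line))
        elif section in ("O2", "O3"):
            if "(no file)" in body:
                findings.append((section, "registration points at a missing file", line))
            elif "(no name)" in body:
                findings.append((section, "unnamed browser add-on", line))
        elif section == "O4":
            # Command follows "[value name] "; drop an opening quote.
            command = body.partition("] ")[2].strip().lstrip('"')
            # Skip the drive-letter colon; any other colon marks "file:stream".
            # Heuristic only: an argument containing ":" would also match.
            rest = command[2:] if re.match(r"[A-Za-z]:", command) else command
            if ":" in rest:
                findings.append((section, "autorun target is an alternate data stream", line))
    return findings


def new_findings(before, after):
    """Flagged entries in `after` whose exact line was not flagged in `before`."""
    seen = {line for _, _, line in triage(before)}
    return [f for f in triage(after) if f[2] not in seen]


if __name__ == "__main__":
    for section, reason, line in new_findings(SCAN_AUG7, SCAN_AUG9):
        print(f"{section}: {reason}\n    {line}")
```

Matching on the unnamed BHO pattern rather than on the DLL name or CLSID is what lets the check survive the renaming between scans; the diff compares whole lines, so a renamed entry is reported as new.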
