Please Help Me with HiJack This
-
I keep getting directed to http://your-searcher.com/index.htm.
I used HijackThis, and it gave me this log. Please help.
Logfile of HijackThis v1.98.2
Scan saved at 2:25:14 PM, on 12/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\257386.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rrosello\Local Settings\Temporary Internet Files\Content.IE5\O1U3452V\hijackthis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [oehoksl] c:\winnt\pdxxxtc.exe
O4 - Global Startup: 257386.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ymcanyc.int
O17 - HKLM\Software\..\Telephony: DomainName = ymcanyc.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C47BE3-5307-4FFA-9432-2E2C5AB0A236}: NameServer = 172.16.1.195
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ymcanyc.int
-
Download and run CWShredder.
Close all windows & browsers
Click Fix (not just 'Scan Only').
Let it fix everything it finds.
Download Ad-Aware SE from HERE
Update the definitions and scan. Let it remove everything it finds.
Run an online virus scan at TrendMicro using the 'Autoclean' option and an Online Trojan Scan. Let them fix everything they find.
Now close all windows and browsers, run HijackThis again and check-mark the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [oehoksl] c:\winnt\pdxxxtc.exe
O4 - Global Startup: 257386.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ymcanyc.int
O17 - HKLM\Software\..\Telephony: DomainName = ymcanyc.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C47BE3-5307-4FFA-9432-2E2C5AB0A236}: NameServer = 172.16.1.195
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ymcanyc.int
Click FIX CHECKED
Please set Windows to 'Show all files & folders'.
Click Start > My Computer > Tools > Folder Options
On the View tab
Select 'Show Hidden Files & Folders'
Uncheck 'Hide file extensions for known file types'.
Uncheck 'Hide protected operating system files'.
Click OK.
Reboot into 'Safe Mode'.
Tap F8 repeatedly when your machine starts to boot up.
Select 'Safe Mode' from the options that appear.
Go to c:\windows and delete pdxxxtc.exe
Go to C:\windows\system32 and delete 257386.exe
Turn off Windows messenger. Go to Start -> Programs. Go to MS Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"
Reboot and post a fresh log.
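The fix list in the reply above comes from reading the log by hand: the R0/R1 entries point at the hijacker's host, and two O4 autoruns point at oddly named executables. As an added example (not part of this thread and not code from HijackThis or its author), the Python script below applies the same kind of triage rules to lines in the HijackThis v1.98.2 log format. The sample lines are copied from the log posted above; the trusted-host allowlist, the hijacker host list, the autorun heuristics and the "fix"/"review" verdicts are this script's own assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: representative lines copied from the HijackThis log
# posted in this thread (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [oehoksl] c:\winnt\pdxxxtc.exe
O4 - Global Startup: 257386.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ymcanyc.int
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C47BE3-5307-4FFA-9432-2E2C5AB0A236}: NameServer = 172.16.1.195
"""

# Assumed allowlist: the OEM default start page seen in the log is expected.
TRUSTED_HOSTS = {"www.gatewaybiz.com"}
# The host this thread identifies as the browser hijacker.
HIJACKER_HOSTS = {"your-searcher.com"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<key>: [<value name>] <command>" or "Global Startup: <file>"
O4_RE = re.compile(r"^(?P<key>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# Executable sitting directly in the Windows directory (not a subfolder).
WIN_ROOT_RE = re.compile(r"^c:\\(winnt|windows)\\[^\\]+$")


def exe_from_command(cmd):
    """Return the lowercase executable path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path, possibly with spaces
        return cmd[1:cmd.find('"', 1)].lower()
    low = cmd.lower()
    i = low.find(".exe")               # unquoted path: cut after the .exe
    return low[: i + 4] if i >= 0 else low.split(" ")[0]


def check_entry(etype, body):
    """Return (verdict, reason) for one log entry, or None if nothing stands out."""
    if etype in ("R0", "R1"):
        _, _, url = body.partition(" = ")
        host = urlparse(url.strip()).hostname or ""
        if host in HIJACKER_HOSTS:
            return ("fix", f"{etype}: known hijacker host {host}")
        if host not in TRUSTED_HOSTS:
            return ("review", f"{etype}: unexpected host {host}")
        return None
    if etype == "O4":
        m = O4_RE.match(body)
        exe = exe_from_command(m.group("cmd"))
        stem = exe.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
        # Heuristics: digits-only file names, or a loose executable in the
        # Windows directory itself, are not how legitimate software installs.
        if stem.isdigit() or WIN_ROOT_RE.match(exe):
            return ("fix", f"O4: suspicious autorun {exe}")
        return None
    if etype == "O17":
        _, _, value = body.partition(" = ")
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            return None                # Domain/DomainName entries are informational
        if not ip.is_private:
            return ("review", f"O17: public nameserver {ip}")
        return None
    return None


def triage(log_text):
    """Return a list of (verdict, reason, line) for entries needing attention."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        result = check_entry(m.group("type"), m.group("body"))
        if result:
            findings.append((result[0], result[1], line.strip()))
    return findings


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {line}")
```

On the sample above the script flags the two your-searcher.com R entries, c:\winnt\pdxxxtc.exe and 257386.exe, and leaves vptray and the quoted msnmsgr path alone. It deliberately does not flag O17 entries whose nameserver is in a private range: a domain suffix plus an RFC 1918 DNS server is what a domain-joined office machine normally shows, and an O17 entry pointing at a public address is the pattern that would suggest DNS tampering. The O4 heuristics are only prompts to look a file up; a flagged entry is not proof of malware, and an unflagged one is not proof of innocence.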