highlighting in IEbrowser window

  1. #1
    wallacek is offline Newbie

    Hi, running XP pro, run Ad-aware, spysweeper and spybotSD regularly. Haven't run HJT yet, as I haven't read the tutorial on how to deal with the results yet.
    I'm getting odd keywords in text in IE browser windows turned into links- words like spyware, adware, worm, sex, trojan, and others.
    any ideas on how to deal w/this?
    TIA,
    karinne


  2. #2
    owen is offline D-A-L Team Member (UK)
    Can you post a Hijack This Log to the forum please. You don't need to know how to use Hijack This because we'll look at the log and give you instructions. Instructions for posting a log are available by clicking the link in my signature.

  3. #3
    wallacek is offline Newbie
    Here are my HJT logs- 2 of them. The first was the original log, the second was the log after I went in and tried to fix. The problem I had trying to fix the log was that there's one item I could not get rid of after multiple fixes. Listed below:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html

    I don't know much about BHO's so didn't alter any of them.

    (I sent as attachments, if you are unable/unwilling to open them, email/post again and I will post the log in message to list.)
    TIA,
    kwallace

  4. #4
    wallacek is offline Newbie
    I see attachments didn't attach. I didn't pay attention to the file extensions. Here they are in .doc format. TIA again,
    kwallace

    Edited: Here is the log:

    Logfile of HijackThis v1.98.2
    Scan saved at 6:18:56 PM, on 9/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\DataStudio\PASPortal.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\DataStudio\PASPortal.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\karinne wallace\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\w32time.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mathworld.wolfram.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
    O2 - BHO: SetupHtml Class - {51641EF3-8A7A-4D84-8659-B0911E947CC8} - C:\WINDOWS\DOWNLO~1\DOWNLO~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
    O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [flulauvesn] C:\WINDOWS\System32\nifblxx.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [w32time] C:\WINDOWS\System32\w32time.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: PASPortal.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://www.cartoonnetwork.com
    O15 - Trusted Zone: http://www.comcast.net
    O15 - Trusted Zone: http://www.linnbenton.edu
    O15 - Trusted Zone: http://engr.oregonstate.edu
    O15 - Trusted Zone: http://www.onid.orst.edu
    O15 - Trusted Zone: http://mathworld.wolfram.com
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
    O16 - DPF: {51641EF3-8A7A-4D84-8659-B0911E947CC8} (SetupHtml Class) - http://www.contenidospc.com/instalador.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29565de2...p/RdxIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
    Last edited by owen; 05-09-2004 at 08:09 PM.

  5. #5
    owen is offline D-A-L Team Member (UK)
    They are not attached. You shouldn't try fixing things yourself. It just makes things harder for us.

  6. #6
    owen is offline D-A-L Team Member (UK)
    Hello,
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
    O2 - BHO: SetupHtml Class - {51641EF3-8A7A-4D84-8659-B0911E947CC8} - C:\WINDOWS\DOWNLO~1\DOWNLO~1.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [flulauvesn] C:\WINDOWS\System32\nifblxx.exe
    O4 - HKCU\..\Run: [w32time] C:\WINDOWS\System32\w32time.exe
    O4 - Global Startup: PASPortal.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29565de...ip/RdxIE601.cab

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\WINDOWS\System32\nifblxx.exe
    C:\WINDOWS\System32\w32time.exe
    C:\WINDOWS\DOWNLO..........folder begins with these letters

    Then reboot and post a fresh log.
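
Added example, not part of the original thread: one way to check a fresh HijackThis log against the entries that were ticked for "Fix Checked" and list the ones that survived. The function names and the fresh-log sample are constructed for illustration; the checked entries are copied from post #6.

```python
import re

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def entry_key(section, body):
    """Match key. Forum software shortens long URLs with an ellipsis, so when
    an entry has a CLSID, the path or URL after it is ignored for matching."""
    m = CLSID_RE.search(body)
    if m:
        body = body[:m.end()]
    return f"{section}|{body}".casefold()

def parse_entries(log_text):
    """Map entry_key -> line. Header and process-list lines are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(*m.groups())] = line.strip()
    return entries

def still_present(checked_text, fresh_log_text):
    """Return the checked entries that the fresh log still contains."""
    fresh = parse_entries(fresh_log_text)
    return [ln for key, ln in parse_entries(checked_text).items() if key in fresh]

# Entries copied from the "Fix Checked" list in post #6.
CHECKED = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
O4 - HKLM\..\Run: [flulauvesn] C:\WINDOWS\System32\nifblxx.exe
O4 - HKCU\..\Run: [w32time] C:\WINDOWS\System32\w32time.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29565de...ip/RdxIE601.cab
"""

# CONSTRUCTED fresh log for illustration; not the poster's actual second log.
FRESH = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mathworld.wolfram.com/
O4 - HKCU\..\Run: [w32time] C:\WINDOWS\System32\w32time.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29565de2...p/RdxIE601.cab
"""

if __name__ == "__main__":
    for line in still_present(CHECKED, FRESH):
        print("STILL PRESENT:", line)
```

Entries that carry a CLSID are matched on section, label and CLSID only, so the same DPF entry is recognised even though the forum truncated its URL differently in the two posts.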

  7. #7
    wallacek is offline Newbie
    Hi,
    ran HJT, fixed selected items. Set to show hidden folders, etc, in folder view mode & rebooted in Safe.
    Once in C:\Win\sys32 etc, did not show a nifblxx.exe file at all, would not let me delete w32time.exe, said "protected".
    also, I'm a bit unsure about the deletion of the win\download....anything at all files. Some of those seem to be things I *want*....or are they just 'residue' from the download process?
    Didn't want to go ahead before totally sure.
    thank you for your assistance...I appreciate it.
    TIA,
    kwallace
    new HJT log attached.

  8. #8
    owen is offline D-A-L Team Member (UK)
    Sorry I think I got that wrong. The nasty that you're looking for is located in a folder that begins with DOWNLO and the file I want you to delete is DOWNLO~1.DLL where ~1 are some extra letters that I can't determine. Don't delete the folder as I instructed, just look in folders beginning with that. It's related to Adsbar Adware.

    If w32time.exe won't delete, hit Ctrl+Alt+Del and end the process w32time.exe and try again.
