#1
Another HijackThis Prob.
As you can see below, the Search Bar HKCU thing will always reform back no matter how many times I fix it. Help ? :O
Logfile of HijackThis v1.98.2
Scan saved at 8:15:51 AM, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MYIE2\MyIE.exe
c:\progra~1\intern~1\iexplore.exe
E:\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Oem\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dqaworjdkhgrh.com/IN4rWoJXlBPZ2hTUQQiZZ25nynwTwDZXzuhwOiqlMUFGnjhXfnciS7wmPOeUcoyr.html
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [Configuration Loader] msloader32.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Winamp\winampa.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Configuration Loader] msloader32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [deletebias] C:\DOCUME~1\Oem\APPLIC~1\TRUSTA~1\Antimodeactive.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
#2
Have you tried to use any other software to fix it?
I recommend Ad-Aware SE for removing spyware. http://www.lavasoftusa.com
You can do an online virus scan at Trend Micro. http://housecall.trendmicro.com
And you should get Zone Alarm for extra protection. http://www.zonelabs.com

If you haven't done so already, you may wish to enable the Microsoft Firewall. To do so, follow these steps:
1) Go to Start>Control Panel
2) Select "Network and Internet Connections"
3) Select "Network Connections"
4) Select your current network setup. In most cases it's "Local Area Connection"
5) Click on the Properties button at the bottom of the window that pops up
6) Go to the Advanced tab
7) Check the box there
8) Select OK

If the problem doesn't go away after you have installed these programs and followed the steps, create a new Hijack This log and post it here, and we will try to give more help.
#3
Thanks for the advice Lloyd. But I'm afraid I've updated & tried all of them, and yet I still get the same result
Logfile of HijackThis v1.98.2
Scan saved at 7:08:55 PM, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
E:\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Kazaa Lite K2\Kazaa.kpp
C:\Program Files\Grisoft\AVG6\AvgInet.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\GIANTAntiSpywareMain.exe
C:\Documents and Settings\Oem\My Documents\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.frlastrpswzdjigj.net/IN4rWoJXlBPZ2hTUQQiZZ25nynwTwDZXzuhwOiqlMUExQFQRfEC_BrwmPOeUcoyr.cgi
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [Configuration Loader] msloader32.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Anvshell] anvshell.exe
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] E:\Winamp\winampa.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Configuration Loader] msloader32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [deletebias] C:\DOCUME~1\Oem\APPLIC~1\TRUSTA~1\Antimodeactive.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
#4
Hi dodorocks,
You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask!

Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/
Run Adaware, click the "Check for Updates now" link. Install the latest reference file. Just update it for now, you will scan with it later!

Logoff your internet connection.

Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.frlastrpswzdjigj.net/IN4rWoJXlBPZ2hTUQQiZZ25nynwTwDZXzuhwOiqlMUExQFQRfEC_BrwmPOeUcoyr.cgi
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [Configuration Loader] msloader32.exe
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msloader32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [deletebias] C:\DOCUME~1\Oem\APPLIC~1\TRUSTA~1\Antimodeactive.exe

Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.

Search for and delete the following files:
msloader32.exe
netd32.exe

Search for and delete the following folders:
C:\DOCUMENTS AND SETTINGS\Oem\APPLICATION DATA\TRUSTA... < delete the entire TRUSTA... folder

Next....
Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK.

Next...
Perform a "Full system scan" with Adaware. Allow it to remove anything it finds. Reboot normally.

Next...
Perform an online virus scan from this site: Trend Micro Housecall - Select all of your drives for scanning. Please check "Auto clean" before scanning. http://housecall.trendmicro.com/
If you can, copy and paste the report logs from the scans into your next post.

Finally...
You have AVG6 installed. This version will no longer be supported in a few weeks. AVG has a new free version available: AVG7 Free edition. http://free.grisoft.com/freeweb.php. AVG7 will automatically remove the previous installation. After you install it, make sure you update it right away and perform a full system scan.

Please post a fresh HijackThis log.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
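The O4 autorun lines that post #4 asks to be fixed can be surfaced mechanically from a log like the ones above. The following is an added example, not part of the thread and not HijackThis code: it parses O4 registry entries and attaches review hints. The four hint rules and their names are assumptions of this example, not the poster's stated reasoning, and the sample is a constructed subset of the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [Configuration Loader] msloader32.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [Configuration Loader] msloader32.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [deletebias] C:\DOCUME~1\Oem\APPLIC~1\TRUSTA~1\Antimodeactive.exe
"""

# O4 registry autorun line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def parse_o4(log):
    """Return one dict (hive, key, name, command) per O4 registry autorun line."""
    fields = ("hive", "key", "name", "command")
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [dict(zip(fields, m.groups())) for m in matches if m]

def triage(entries):
    """Map each autorun command to the review hints (assumed heuristics) it trips."""
    keys = defaultdict(set)
    for e in entries:
        keys[e["command"]].add(e["key"])
    hints = {}
    for cmd, regkeys in keys.items():
        found = []
        if "\\" not in cmd:                      # bare file name, no directory given
            found.append("no-path")
        if re.search(r"[*?<>|]", cmd):           # characters a Windows file name cannot contain
            found.append("invalid-filename-char")
        if {"Run", "RunServices"} <= regkeys:    # same command registered under both keys
            found.append("run+runservices")
        if re.search(r"\\(APPLIC~\d|Application Data)\\", cmd, re.I):
            found.append("under-application-data")
        if found:
            hints[cmd] = found
    return hints

if __name__ == "__main__":
    for cmd, found in triage(parse_o4(SAMPLE_LOG)).items():
        print(f"{cmd}: {', '.join(found)}")
```

Note that atiptaxx.exe trips only the `no-path` hint and is not on the fix list in post #4, so a single hint is a prompt to look at an entry, not a verdict on it.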