#1
Nasty hijack that won't let me do anything...
Hi, I've been a lurker for quite a while now and this site has saved my system on numerous occasions, but this is the first time I've had to post my problem.
Here's the HijackThis Log...

Logfile of HijackThis v1.98.2
Scan saved at 8:04:04 PM, on 12/25/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wurauclt.exe
C:\WINDOWS\System32\scguard.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\System32\smsss.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe
c:\temp\salm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\winapa.exe
C:\WINDOWS\System32\csmss.exe
C:\fds5gdfgf.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\crsss.exe
C:\Program Files\Accessories\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [*windows update] wurauclt.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\pcudl.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvirv32.exe
O4 - HKLM\..\Run: [MS Windows Update] scguard.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [puhqj] C:\WINDOWS\puhqj.exe
O4 - HKLM\..\Run: [Winamp media player] winapa.exe
O4 - HKLM\..\Run: [Win Driver] csmss.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [Notepad] notepad.exe
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [*windows update] wurauclt.exe
O4 - HKLM\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\RunServices: [MS Windows Update] scguard.exe
O4 - HKLM\..\RunServices: [Winamp media player] winapa.exe
O4 - HKLM\..\RunServices: [Win Driver] csmss.exe
O4 - HKLM\..\RunServices: [Notepad] notepad.exe
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Winamp media player] winapa.exe
O4 - HKLM\..\RunOnce: [Win Driver] csmss.exe
O4 - HKLM\..\RunOnce: [Notepad] notepad.exe
O4 - HKCU\..\Run: [*windows update] wurauclt.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\Run: [Notepad] notepad.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [Notepad] notepad.exe
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.the-w.com
O15 - Trusted Zone: http://*.windowsupdate.com

...I try logging on to most sites and I get a blank page, then two pop-ups. With Hotmail, all I'm getting is a white page. Some sites, I have to hit refresh multiple times for anything to come up. Also, I'm not able to download anything from any sites.

Again, this is killing me here... any help will be greatly appreciated.

Thanks in advance.
#2
Hi Cerebus,
Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:

Open HijackThis, click Config > Misc Tools > Check for Update online

Or download a copy of version 1.99 at: http://www.majorgeeks.com/download3155.html

If you downloaded the newer version, please delete the older version you are using now.
Post a fresh log with this new version.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
#3
Go into safe mode and delete these files:

C:\WINDOWS\System32\wurauclt.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\Windows ServeAd\WinServSuit.exe

The first one is the key, it's running disguised as the Windows updater. It is a hidden file. The actual Windows update service is wurauclt.dll.
#4
Quote:
Hi jsharris,

Please keep in mind, deleting the files does not remove the registry entries! That's why we use HijackThis to remove the reg entries first, then delete the files.

Tom
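The two points raised in posts #3 and #4 (autorun programs named to resemble Windows binaries, and each one being started from several registry keys that all need cleaning) can be checked mechanically. The following is an added example, not part of the original thread or of HijackThis: it parses O4 lines and groups lookalike executables by the keys that launch them. The list of genuine names and the edit-distance threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Assumed reference list of genuine Windows binary names (not exhaustive).
SYSTEM_NAMES = ["smss.exe", "csrss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "spoolsv.exe",
                "explorer.exe", "wuauclt.exe", "rundll32.exe"]

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'[^\\"]+\.exe', re.IGNORECASE)

# Excerpt of O4 lines taken from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [*windows update] wurauclt.exe
O4 - HKLM\..\Run: [start uploading] smsss.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\RunServices: [*windows update] wurauclt.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [*windows update] wurauclt.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(exe, max_dist=2):
    """Return the system name `exe` resembles, or None if exact or unrelated."""
    exe = exe.lower()
    if exe in SYSTEM_NAMES:
        return None
    best = min(SYSTEM_NAMES, key=lambda s: edit_distance(exe, s))
    return best if edit_distance(exe, best) <= max_dist else None

def suspicious_autoruns(log):
    """Map each lookalike executable to (resembled name, registry keys starting it)."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.search(m.group(4)) if m else None
        if exe and lookalike_of(exe.group(0)):
            hits[exe.group(0).lower()].append(f"{m.group(1)}\\{m.group(2)}")
    return {exe: (lookalike_of(exe), keys) for exe, keys in hits.items()}
```

A name-similarity check only covers the masquerading entries; adware that uses its own name, such as the Admilli and ServeAd entries in the log, is not flagged by it.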
#5
Hi Cerebus,
Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:

Open HijackThis, click Config > Misc Tools > Check for Update online

Or download a copy of version 1.99 at: http://www.majorgeeks.com/download3155.html

If you downloaded the newer version, please delete the older version you are using now.
Post a fresh log with this new version.

Tom
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Nasty hijack that won't let me do anything...