Hijacked (Help!) HJT log


en4cer
08-21-2004, 04:33 PM
First off, thanks for all the tremendous help that is given on this forum. Thanks to you guys and gals, I have Firefox to fall back on. I recently opened IE to update and discovered some kind of hijack.

I've run Spybot and Ad-Aware SE, along with A-squared and CWShredder, but can't get rid of it. I believe it's C2.lop... I have a "wonderful" new toolbar on the top and bottom of my screen now in IE...

I ran HijackThis, but I don't think I got the complete log. I've run it before, but I guess I'm not doing something right. Any help would be much appreciated. Here's the HJT log that I have now.

Logfile of HijackThis v1.97.7
Scan saved at 2:17:14 PM, on 8/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fysjlvqrkw.net/DkBKw/38oqA8BjtCry7lLsJjKrEwJ3sWO/Pfr78F86pnt8p/84jABjVEhKnLG8Pu.jpg
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DAAD36F3-F940-AEED-2BA2-40C30C7A22C7} - C:\PROGRA~1\CURBHE~1\Knobhelp.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3500462963
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65

My teenager recently added the new MSN Messenger... 3Plus... I believe, and I think did something with Yahoo as well. I'm not a happy camper. I will remove them if you all think it's necessary.

Budfred
08-21-2004, 05:05 PM
You do have a new LOP infection and this is because of Messenger 3Plus... It installs LOP with the user's permission when you do the default install... You have to refuse the sponsor part of the install to avoid it... That said, I would dump it completely and use something like Trillian if you want that kind of program on the system...

I don't think removing it properly removes LOP, so after you remove it in Add/Remove Programs, run HJT and mark:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fysjlvqrkw.net/DkBKw/38o...jVEhKnLG8Pu.jpg
O2 - BHO: (no name) - {DAAD36F3-F940-AEED-2BA2-40C30C7A22C7} - C:\PROGRA~1\CURBHE~1\Knobhelp.exe

Then close all open windows and browsers except for HJT and click on FIX...

You will probably need to disable SDHelper in Spybot to do the HJT fixes since it will try to block changes otherwise...

You have the old version of HJT, please download the latest (1.98.2) and install it, then reboot, run only HJT and produce a fresh log, then post it here.... Be sure that there is nothing disabled in msconfig and there is nothing in the ignore list for HJT so we get a complete log....

en4cer
08-21-2004, 05:50 PM
OK, will do. Try not to be too upset with me though. I've already been doing homework and reading what you've been doing to help stealth in another thread here. I've already made a few fixes with HJT. I've also already downloaded the newer version. Here it is... I realize I need to extract it to a permanent location and will do that now...

Logfile of HijackThis v1.98.2
Scan saved at 3:47:19 PM, on 8/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\Local Settings\Temp\Temporary Directory 1 for hijackthis-1.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65

en4cer
08-21-2004, 06:03 PM
The first two you listed in your original post are OK; I did that.

As you can see, I removed the Yahoo toolbar also... at least the newer one.
I checked msconfig and don't see anything disabled. I did not do anything with the Spybot helper, because I'm a little confused about that. I've also extracted HJT to a permanent location now. :) Oh yeah, there's nothing in the ignore list in HJT.

Budfred
08-21-2004, 06:09 PM
I am not understanding what you are saying about the first two??

This one may be legit:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net

But this one certainly looks like a hijack... Are you saying it is legit??

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true

What I am saying about Spybot is that it looks like you checked for SD Helper to protect your settings in Spybot and that can prevent cleanup... These are the items in HJT that suggest that:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Otherwise your log is looking okay... Did you remove Messenger Plus??
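
The triage that Budfred applies by eye in his two replies above (a start or search page pointing at a bare IP or a random-looking host, a BHO that is an .exe rather than a DLL, O6 policy restrictions that can block fixes) can be written down as a small checker. This is an added example, not code from the thread or from HijackThis; the sample entries are copied from the log posted earlier, and the "no vowels in a long label" rule for random-looking hosts is an assumed heuristic, not a rule the thread states.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: six entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fysjlvqrkw.net/DkBKw/38oqA8BjtCry7lLsJjKrEwJ3sWO/Pfr78F86pnt8p/84jABjVEhKnLG8Pu.jpg
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DAAD36F3-F940-AEED-2BA2-40C30C7A22C7} - C:\PROGRA~1\CURBHE~1\Knobhelp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

VOWELS = set("aeiou")

def is_random_host(host):
    # Assumed heuristic: a DNS label of 8+ letters with no vowels looks machine-generated.
    return any(len(lb) >= 8 and lb.isalpha() and not (set(lb) & VOWELS)
               for lb in host.lower().split("."))

def url_reason(url):
    """Why a start/search page URL deserves a closer look, or None if it looks ordinary."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return "start/search page points at a bare IP address"
    except ValueError:
        pass
    return "start/search page host looks machine-generated" if is_random_host(host) else None

def review_log(text):
    """Return (entry, reason) pairs for HJT lines that the thread's reasoning would flag."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind.startswith("R") and " = " in body:
            reason = url_reason(body.split(" = ", 1)[1])
            if reason:
                findings.append((line, reason))
        elif kind == "O2" and body.lower().endswith(".exe"):
            findings.append((line, "BHO loaded from an .exe; BHOs are normally DLLs"))
        elif kind == "O6":
            findings.append((line, "IE policy restrictions present; an SD Helper-style lock can block fixes"))
    return findings
```

A flag is a prompt for a closer look, not a verdict: the IP-based start page that this checker flags is the one en4cer later confirms as his own board.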

en4cer
08-21-2004, 06:34 PM
Yes, I'm saying R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true is legit.

The toolbars are gone now. Since I use Firefox the majority of the time now, I can live with MSN3, I guess. Are you thinking the hijack will reinstall again when my daughter uses it next time? I know nothing about IM services, as I never use them. She lives on them. To totally remove it would cause a MAJOR scene. I'll monitor the situation and if it occurs again, action will be taken. If you think the log looks clean now, then I thank you for your expertise... :)

Budfred
08-21-2004, 07:58 PM
I don't know if it will reinstall, probably not... I just avoid any software that tries to install malware on my computer, even if it "technically" asks permission first... There are a number of other programs that provide the same functions without the garbage... your choice...

Since you do appear to be clean, here is my prevention speech to help stay that way:

This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Check out this article for more ideas:

http://www.computercops.biz/postlite7736-.html

en4cer
08-21-2004, 08:53 PM
Again, thanks for the help, Budfred. Just a quick question. I already use SpywareBlaster... Would your recommendation be to use IE-Spyads in conjunction with it? I don't see a link in your sig to it, so I've never considered using it. You know how I feel about things... if it isn't highly recommended by you or other regulars here, I don't consider using it. :)

Thanks

Budfred
08-21-2004, 10:59 PM
IE-Spyads does a different thing than SpywareGuard... SpywareGuard protects you from malicious ActiveX controls primarily... IE-Spyads warns you if you click on a link for a known malicious site and keeps you from going there unless you go around it... If you use IE, I would say to use it... If you use Mozilla, Opera, Firefox or some other browser, don't bother...