Full Version: IE Error
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
exellin
When I try to launch IE, it won't let me load any sites. Any URL I type in takes me to the same error page, saying that I have spyware, and giving me a link I could click on to fix it, but I don't.
I ran my virus program, and it said everything is fine.. but when I run my ad-aware, it comes up with a 'CoolWebPage' thing. I get rid of it, re-scan, and everything is fine.. so I launch IE, it still doesn't work. Scan again, and the CoolWebPage thing is back. Arg.


Logfile of HijackThis v1.99.1
Scan saved at 10:45:22 AM, on 6/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/128adbb864e83b...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1113016893103
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7AF462-1D06-445B-9375-2A5DB2C8EB61}: NameServer = 150.199.178.1 150.199.8.1
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Ironbender
Hi exellin, welcome to SAF

It seems that you have some malware running... as I'm not a "specialist" on HJT, I strongly recommend that you wait for some advice (people tend to hang out on the weekend (and have hangovers too)).

Try running updated AdAware and Spybot S&D and post a new HijackThis log afterwards... If you didn't disable System Restore, try first to restore it to a point when it was running fine.

Have a good and safe week-end.

Chris
Angoid
Yes, you've got some Trojans on board there. Can you do the following please:

  • Please set your system to show all files; please see here if you're unsure how to do this.

  • Press Control-Alt-Del to enter the Task Manager. Click on the Processes tab and end the following processes:

    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE


    Exit the Task Manager when finished.

  • Do you recognise this as your ISP or as something legitimate:

    150.199.8.1 = [ meramec.coreserv.more.net ] 
      OrgName:    MOREnet
      OrgID:      MORE
      Address:    3212 LeMone Ind. Blvd.
      City:       Columbia
      StateProv:  MO
      PostalCode: 65201
      Country:    US
      NetRange:   150.199.0.0 - 150.199.255.255
      CIDR:       150.199.0.0/16
      NetName:    MORENET
      NetHandle:   NET-150-199-0-0-1
      Parent:     NET-150-0-0-0-0
      NetType:    Direct Allocation
      NameServer: ARGUS.MORE.NET
      NameServer: MERAMEC.CORESERV.MORE.NET
      NameServer: GASCONADE.CORESERV.MORE.NET
      NameServer: OSAGE.CORESERV.MORE.NET
      Comment:
      RegDate:    1991-06-07
      Updated:    2002-05-28
      TechHandle: DR261-ORG-ARIN
      TechName:   MOREnet
      TechPhone:  1-573-884-7200
      TechEmail:  register@more.net


    If so, then leave the blue entry in the lines to fix below. Otherwise, fix it along with the others as described.

  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
    O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
    O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
    O16 - DPF: {11111111-1111-1111-1111-111111111111} -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/128adbb864e83b...ip/RdxIE601.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7AF462-1D06-445B-9375-2A5DB2C8EB61}: NameServer = 150.199.178.1 150.199.8.1


    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\System32\SMSSU.EXE
    C:\WINDOWS\System32\Tmntsrv32.EXE


    Exit Explorer, and reboot as normal afterwards.

  • If you were unable to find any of the files then please follow these additional instructions:

    Download Pocket Killbox and unzip it; save it to your Desktop.

    Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

    The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

    Let the system reboot.



Go to the top of this page, under Virus Info and choose Free Virus Scan. Install and run Trend Micro's HouseCall Free Virus Scanner and get it to scan your hard drive and fix any viruses it detects.

Do install and run Ad-Aware as suggested by Ironbender; update it and have it perform a full system scan and get it to fix any problems it finds.

Post back a fresh HijackThis log and we will take another look.
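As an added illustration of the triage Angoid does by hand above (not code from the forum, from HijackThis, or from either poster): the script parses a HijackThis log and reports every R0/O2/O4/O16/O17 entry whose target is not in a baseline of what the user recognises as their own start page, software and ISP resolvers. The baseline, the log excerpt and the rule that an O16 entry with no download source is suspect are assumptions made for the example.

```python
import re

# Constructed excerpt of the HijackThis log from the thread (a few lines, not the full log).
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB7AF462-1D06-445B-9375-2A5DB2C8EB61}: NameServer = 150.199.178.1 150.199.8.1
"""
# Assumed baseline: what the user recognises as their own settings, software and ISP resolvers.
BASELINE = {"start_pages": {"about:blank"},
            "autostarts": {r"c:\progra~1\grisoft\avg6\avgcc32.exe"},
            "dns": {"150.199.178.1", "150.199.8.1"}}  # MOREnet resolvers, which Angoid asks the user to confirm
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
DPF_RE = re.compile(r"^DPF: \{[^}]*\}(?: \(.*?\))? -\s*(.*)$")

def parse_hjt(text):
    """Return [(kind, body), ...] for the numbered entries of a HijackThis log."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def _target(kind, body):
    """File path or URL an R*/O2/O4 entry points at, with quoted paths handled."""
    if kind == "O2":
        return body.rsplit(" - ", 1)[1]
    if " = " in body:                       # R0/R1 and 'Global Startup: x.lnk = path'
        return body.split(" = ", 1)[1]
    rest = body.split("] ", 1)[1]           # O4 Run: [name] "path" args  |  path args
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]

def review(entries, baseline):
    """Entries whose target is not in the baseline, i.e. the ones to ask about or fix."""
    findings = []
    for kind, body in entries:
        bad = False
        if kind.startswith("R"):
            bad = _target(kind, body) not in baseline["start_pages"]
        elif kind in ("O2", "O4"):
            bad = _target(kind, body).lower() not in baseline["autostarts"]
        elif kind == "O16":                 # downloaded ActiveX with no source URL: nothing vouches for it
            m = DPF_RE.match(body)
            bad = m is None or not m.group(1).startswith("http")
        elif kind == "O17":                 # any resolver outside the ISP's set is a DNS hijack candidate
            bad = not set(body.split(" = ", 1)[1].split()) <= baseline["dns"]
        if bad:
            findings.append((kind, body))
    return findings
```

Run against the excerpt it reports the start page, the xmllib.dll BHO, the SMSSU autostart and the empty O16 entry, while the AVG autostart and the recognised MOREnet nameservers pass, matching the list Angoid asks the user to fix.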