"Only the best" and a new homepage every time

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by annoying, Jun 23, 2004.

  1. annoying

    annoying Private E-2

    Hello guys!
    A couple of days ago, I started to get an annoying pop-up every time I started internet explorer. Sometimes it is an ad for spyware, sometimes for something else.
    The homepage also changes every time I open Internet Explorer. My system is Windows XP and I have found a lot of suspicious files using Ad-Aware (updated before), and also tried Spybot and a lot of other programs, without luck. The same dll and exe files come back all the time. Now I downloaded the HijackThis program and ran it. Notice that the dtjtb.dll file is there again even though I removed it earlier.
    Tried the TrendMicro online virus scanner also, with the result that it closed down my Internet Explorer, so there was no use trying that.
    Can you tell me what files I should remove from my system in order to get rid of the pop-ups and get the homepage to stay as it is meant to be?

    Had to remove the last 4 - 5 lines as they had nothing to do with this problem (security reasons).

    Regards,
    Annoying

    Logfile of HijackThis v1.97.7
    Scan saved at 15:08:26, on 23.06.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\System32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Windows\System32\msdtc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
    C:\Windows\System32\NMSSvc.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
    C:\Windows\System32\mqsvc.exe
    C:\Windows\System32\mqtgsvc.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Compaq\EAB\EabServr.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Windows\System32\ltmsg.exe
    C:\Windows\System32\Promon.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Compaq Wireless LAN\Client Manager\CMCOM.EXE
    C:\PVSW\Bin\w3dbsmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Windows\system32\msdb.exe
    C:\Windows\atlwx32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Liinos\L6\Liinos6.exe
    C:\LIINOS\L6\L6Menu.exe
    C:\LIINOS\L6\VXLIC.EXE
    C:\Windows\system32\ntvdm.exe
    C:\Hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fi/0SEFIFI/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\dtjtb.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dtjtb.dll/index.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://dtjtb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\dtjtb.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://dtjtb.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\system32\dtjtb.dll/sp.html#96676
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2AC897CD-5154-0F0E-3C23-7FE00E9935D8} - C:\Windows\system32\d3ef32.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\compaq\cpqsetup\cpqset.exe
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\willmand\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [FRYMXINS] "C:\Windows\atiimxgl"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [d3ef32.exe] C:\Windows\system32\d3ef32.exe
    O4 - HKLM\..\Run: [atlwx32.exe] C:\Windows\atlwx32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Compaq Client Manager.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
    O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
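As an added example (not from the thread, and not part of HijackThis itself), the following Python triager applies the reasoning the thread uses to the log lines above: R0/R1 pages served out of a DLL via res://, an unnamed BHO in system32, and O4 autoruns that share a base name with a flagged DLL. The severity labels and the last, name-matching rule are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines from the HijackThis log above plus a known-good O4 control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\system32\dtjtb.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dtjtb.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AC897CD-5154-0F0E-3C23-7FE00E9935D8} - C:\Windows\system32\d3ef32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [d3ef32.exe] C:\Windows\system32\d3ef32.exe
O4 - HKLM\..\Run: [atlwx32.exe] C:\Windows\atlwx32.exe
"""

def exe_path(value):
    """Program path from an O4 value: quoted, or up to the first .exe, or first token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)\b", value, re.I)
    return m.group(1) if m else value.split()[0]

def triage(log_text):
    """Return (severity, line, reason) tuples for entries worth a second look."""
    findings, flagged = [], set()   # flagged: file stems taken from R/O2 hits
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    for line in lines:
        r = re.match(r"^R[01] - .+? = (.*)$", line)
        if r and r.group(1).lower().startswith("res://"):
            # Start/search page rendered out of a local DLL resource
            findings.append(("HIGH", line, "IE page served from a DLL via res://"))
            dll = re.search(r"res://(.+?\.dll)", r.group(1), re.I)
            if dll:
                flagged.add(PureWindowsPath(dll.group(1)).stem.lower())
        o2 = re.match(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", line)
        if o2 and o2.group(1) == "(no name)" and "\\system32\\" in o2.group(2).lower():
            findings.append(("MEDIUM", line, "unnamed BHO loaded from system32"))
            flagged.add(PureWindowsPath(o2.group(2)).stem.lower())
    for line in lines:
        o4 = re.match(r"^O4 - .*?: \[(.*?)\] (.*)$", line)
        if not o4:
            continue
        exe = PureWindowsPath(exe_path(o4.group(2)))
        if exe.stem.lower() in flagged:
            # Same base name as a flagged DLL: the autorun half of the pair
            findings.append(("HIGH", line, f"autorun companion of flagged '{exe.stem}'"))
        elif o4.group(1).lower() == exe.name.lower():
            # Heuristic only (assumed rule): Run value named after its own file; verify publisher
            findings.append(("LOW", line, "Run value named after its executable"))
    return findings
```

The LOW rule is deliberately loose: on the full log it would also flag the legitimate [Promon.exe] entry, which is why it only asks for a review rather than a removal.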
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you read the Hijack This tutorial? Have you scanned with any tools? Have you read any of the other threads with the same problem?
     
  3. annoying

    annoying Private E-2

    Yes, I have read the HijackThis tutorial, at least the one on these pages. I have scanned with Ad-Aware and with Spybot and one that I think had the name Spyblock, but I can be wrong about this name. I have read every thread, I think, where a similar problem has been, but still, as it is the first time I use HijackThis, I don't dare to remove the parts unless I ask someone else first. And also in HijackThis, it says that I should discuss it with someone if I don't know what files to delete.
    I know I did a couple of things wrong before I took this log, as for instance leaving the virus scanner and firewall on, but I have to do that on this computer.
    I think the R0 and R1 lines could all be deleted, as they don't refer to the homepage I have had.
    The second O2 line I also think could be deleted, but I don't know for sure.
    From the O4 lines I don't know much, maybe the
    O4 - HKLM\..\Run: [d3ef32.exe] C:\Windows\system32\d3ef32.exe and the
    O4 - HKLM\..\Run: [atlwx32.exe] C:\Windows\atlwx32.exe

    Then I don't know anymore. I discovered yet another thing today with this problem: Shell.dll disappears after a couple of minutes, and also if Notepad is open, it shuts itself down after a couple of minutes. Very strange. The virus scanner (Symantec) doesn't find any viruses and it is the latest version (updates almost every day).

    I really hope someone could help me decide what I can remove and what I have to leave, as I want this computer in order again (it is my computer at work).
    So please....
     
  4. annoying

    annoying Private E-2

    Hi again!

    Well, now I have tried and tried several times, reading the postings in between in order to find the reason why I can't get rid of the pop-ups.
    Now I think it is working, at least for this moment it is, without any redirection of homepage and no pop-ups, and Shell.dll seems to be in place also.

    The thing that I fixed with hijackthis the last time, was the
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    Of course all the other things at the same time, but after I fixed this line, it seems that it is working. Couldn't find the NPDocBox.dll after Hijackthis had fixed it, but I don't find any problems with that at this time.

    As I told you earlier, this is my work computer and I had a real pain in my ass getting it running in safe mode as I needed a special password in order to log in, but now it is done and I hope those guys who make spy- and adware someday will get behind bars for a very long time.
    Thank you anyway for the help I got from these pages!

    Regards,
    not so annoying anymore!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Annoying, this line:
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    I believe it is for your Nvidia video card. It had nothing to do with your problem, which I doubt you have fixed. It will most likely return based upon what you have done. This is a typical Only The Best issue.

    Let us know if it comes back. I'm guessing it will.
     
  6. annoying

    annoying Private E-2

    ...hmmm, you are scaring me up... But I don't have an Nvidia video card, it is an ATI Mobility Fire GL 9000 display adapter on this machine, but maybe it uses the Nvidia driver, I don't know. I sure hope it doesn't turn up again, but I cannot do anything else than wait and see.
    At least Ad-Aware has not found anything new after this, and I also removed the lines with atlwx32.exe, ntnm32.exe and d3ef32.dll and also everything with res://dtjtb.dll mentioned. The first time I started Internet Explorer I of course got the About Blank text, but I changed the homepage and it stayed. Then I checked with Ad-Aware and it found the About Blank line and fixed it, and now it has been working without problems so far.
    As I told you, I followed the steps found in different postings about similar problems, so I turned off the Network Security Service before doing the changes and then, in Safe Mode, removed the files that I could find and that HijackThis mentioned it had fixed.

    Hope it will continue working, but do you think there is some line still that might be causing me problems?

    Regards,
    annoying scared.
     
  7. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks Major for correcting me. I knew it was in most typical logs and now that you said that I remember telling people it was for Adobe too. I got it mixed up with the other Nvidia stuff like this one: O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Annoying, you did not mention those additional steps (like Network Security Service, safe mode deletion, etc.). You just said you read every other post. That did not tell me you read the right posts or that you actually did anything. You could be okay! Time will tell.
     
  10. annoying

    annoying Private E-2

    Sorry Chaslang for not mentioning those other steps, I thought it was obvious as I wrote "...Of course all the other things at the same time, but after I fixed this..." but I now understand that it wasn't obvious. Well, as you told me, time will tell. At least one day at work without problems, and best of all, Shell.dll stays in place also. Cannot understand why it affected that file. Also tested opening a PDF file from Internet Explorer, and it worked perfectly. The only different thing is that there is no pop-up window telling me that it is an Adobe Acrobat Reader program, so no harm done. And it is possible to re-install Adobe if that would have been a problem.
    Once again, thank you guys, without these pages I would not have managed to get this far, it really helped me out.

    Take care and have a happy midsummer!
    Annoying
     
  11. annoying

    annoying Private E-2

    Just a short note about something I found out today about this problem of mine. Somehow, the Symantec virus scanner today, one week after I got this "only the best" pop-up, found a trojan horse. It was in the atlwx32.exe file, which I had removed from the Windows\System32 folder. Now it found it in the C:\Windows folder and removed it by itself. So far everything seems to work without problems, I have not had any problems with these pop-ups now, and the homepage stays OK also.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good news! I'm happy to hear it's still working okay.
     
  13. TJM623

    TJM623 Private E-2

    I got my homepage back to normal again too by doing this, but try typing in a website without the www. So for instance type "google.com" instead of www.google.com. When I did this it mysteriously showed up again. I dunno why, maybe it will for you too.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That sounds like an IE default prefix hijack (the O13 section of HijackThis).

    Try the latest version of CWShredder, 1.59.1.

    Also Reset Web Settings in Internet Explorer: Tools, Internet Options, Programs.
    Then go back to the General tab and set your home page back to what you like.
     
