Will it ever end? Please help.

Please read and follow the steps in our sticky threads and also read the announcements.
Your version of HijackThis is way out of date too.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

I see no evidence of your running either the Symantec or the TrendMicro online scanners.

Are the below lines valid?
0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wotmania.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wotmania.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blizzard.com/register/war3x/

 

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\??plorer.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [Ivviffp] C:\WINDOWS\system32\??plorer.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\??plorer.exe <--- Make sure you do not try to delete c:\windows\explorer.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Based on your log you are clean. Please download the attached zip file and extract it someplace you can locate it. Then use windows explorer to locate the getsys32.bat and double click on it to run the bat file. This will create a file named c:\sys32hs.txt

Post the c:\sys32hs.txt file back here as an attachment.

 

In message number seven you said:

Look in the file I had you create. It appears twice (once for hidden and once for system files):

01/02/2005 10:44 AM 413,696 JORDAN\Jordan Conley ??plorer.exe

It is there!

 

Look in the system32 folder (make sure viewing of hidden and system files is enabled and also make sure you can view file extensions like .exe) . Do you see anyfile ending with plorer.exe
If so, what are the first characters in the filename?

I have no idea what you mean about the fonts. What am I supposed to be comparing them too?

 

If you are saying you can see this file:
c:\windows\system32\explorer.exe

Then delete it if you can. The only valid explorer.exe is the one in c:\windows

As for the font size changing, if this is malware, it is a new one that I have not heard of yet.

You could post a message in the Software Forum to see if anyone has heard of this (just in case it is not malware problem).