Here is my Hijackthis Log, can someone help with telling me what to remove and what to keep? Thanks.

Date: 1:00:37 PM, on 9 / 14 / 2004

Remember DO NOT run hijackthis.exe inside the zip file.  Unzip (extract) it to your desktop then double click on "HijackThis.exe" icon in this way a backup for the removed key will be created on your desktop (useful if you remove them wrongly).

Here is what you should do.

Major problem is this entry
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe
This is a variant of the BlazeFind spyware.  According to blazefind.com website: First close all browser windows. Now go to your Windows Control Panel in Add/Remove Programs, close the Control Panel window if you can and remove 'IE SearchBar ' from the Add/Remove Programs window as well as 'Windows SA' if its present.

Run the scan again and review log that C:\Windows\System32\wsaupdater.exe has been removed before proceeding.  If you are unable to uninstall it, you may need to remove it manually.  Using the procedure on this link, but be very careful.

References:

• IEHOST.EXE
• DP-HIM.EXE
• SEP.DLL
• Bridge.dll
• CDLSP
• browserhelper2.dll
• winactive.exe
• NHelper.dll
• blubstershop.exe

End the below suspicious process :

C: \ Program Files \ AutoUpdate \ AutoUpdate.exe
>>> Re: AutoUpdate.exe
C: \ Program Files \ CxtPls \ CxtPls.exe
>>>
C: \ WINDOWS \ SYSTEM32 \ l?gonui.exe  (???)

Remove these search keys:

file: / / C: \ WINDOWS \ System32 \ SearchBar.htm
R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main,Start Page = website: searchexe.com / passthrough / index.html?website: google.com /
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main,Search Bar = website: searchexe.com / searchbar.html
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C: \ Program Files \ CxtPls \ CxtPls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C: \ Program Files \ Adobe \ Acrobat 6.0 \ Reader \ ActiveX \ AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c: \ PROGRA~1 \ mcafee.com \ mps \ mcbrhlpr.dll
O2 - BHO: (no name) - {30AA6D20-9A4E-79CA-D320-665508D52D4A} - C: \ WINDOWS \ System32 \ zmudptgy.dll (file missing)

O2 - BHO: (no name) - {65A86B7B-9F11-00BB-D307-64550DA87212} - C: \ WINDOWS \ System32 \ oofb.dll (file missing)
O2 - BHO: (no name) - {6FFC347D-931B-56B7-8356-65557CAE2811} - C: \ WINDOWS \ System32 \ biu.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C: \ WINDOWS \ 2_0_1browserhelper2.dll

O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C: \ WINDOWS \ Downloaded Program Files \ bridge.dll

O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C: \ Program Files \ NavExcel \ NavHelper \ v2.0.4c \ NHelper.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C: \ Program Files \ SEP \ sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C: \ Documents and Settings \ Lou \ Local Settings \ Temp \ vAS.dll

O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C: \ Program Files \ SEP \ sep.dll (file missing)

O4 - HKLM \ .. \ Run: [Belt] C: \ WINDOWS \ Belt.exe

O4 - HKLM \ .. \ Run: [winactive] C: \ Program Files \ Window Active \ winactive.exe
O4 - HKLM \ .. \ Run: [RunDLL] rundll32.exe "C: \ WINDOWS \ Downloaded Program Files \ bridge.dll",Load
O4 - HKLM \ .. \ Run: [Internet Optimizer] "C: \ Program Files \ Internet Optimizer \ optimize.exe"
O4 - HKLM \ .. \ Run: [lohkt] C: \ WINDOWS \ lohkt.exe
O4 - HKLM \ .. \ Run: [zgvkxij] C: \ WINDOWS \ zgvkxij.exe

O4 - HKLM \ .. \ Run: [dyrmtwf] C: \ WINDOWS \ dyrmtwf.exe
O4 - HKLM \ .. \ Run: [upmzyz] C: \ WINDOWS \ upmzyz.exe

O4 - HKLM \ .. \ Run: [WhenUSearch] C: \ PROGRA~1 \ WHENUS~1 \ Search.exe
O4 - HKLM \ .. \ Run: [Windows SA] C: \ Program Files \ WindowsSA \ omniscient.exe
O4 - HKLM \ .. \ Run: [DeadAIM] rundll32.exe "C: \ Program Files \ AIM \ \ DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM \ .. \ Run: [HP Component Manager] "C: \ Program Files \ HP \ hpcoretech \ hpcmpmgr.exe"

O4 - HKLM \ .. \ Run: [NPG] C: \ documents and settings \ lou \ local settings \ temp \ NPG.exe
O4 - HKLM \ .. \ Run: [xjsV] C: \ documents and settings \ lou \ local settings \ temp \ xjsV.exe
O4 - HKLM \ .. \ Run: [Bakra] C: \ WINDOWS \ System32 \ IEHost.exe
O4 - HKLM \ .. \ Run: [Dsi] C: \ WINDOWS \ System32 \ dp-him.exe
O4 - HKLM \ .. \ Run: [24AKE#E5XFG36K] C: \ WINDOWS \ System32 \ Elq0i.exe
O4 - HKLM \ .. \ Run: [4F7V39j] sclpubw.exe
O4 - HKLM \ .. \ Run: [AutoUpdater] "C: \ Program Files \ AutoUpdate \ AutoUpdate.exe"
O4 - HKLM \ .. \ Run: [WhenUSearchWHSE] C: \ PROGRA~1 \ WHENUS~1 \ whse.exe

O4 - HKCU \ .. \ Run: [Ciml] C: \ Documents and Settings \ Lou \ Application Data \ oopo.exe
O4 - HKCU \ .. \ Run: [xpsp1res] C: \ WINDOWS \ System32 \ xpsp1res.exe
O4 - HKCU \ .. \ Run: [ares] "C: \ Program Files \ Ares \ Ares.exe" -h
O4 - HKCU \ .. \ Run: [Uqdneieh] C: \ WINDOWS \ System32 \ l?gonui.exe
O4 - HKCU \ .. \ Run: [Loo9RVHnO] sdbngl32.exe
O4 - HKCU \ .. \ RunOnce: [Web Offer] C: \ ezStub.exe

Remove these extra items in IE menu (O8...O9):

O8 - Extra context menu item: Blubster Support - file: / / C: \ Program Files \ BlubsterSupport \ System \ Temp \ blubstershop_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C: \ WINDOWS \ System32 \ ms.exe
O9 - Extra ´Tools´ menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C: \ WINDOWS \ System32 \ ms.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C: \ WINDOWS \ web \ related.htm
O9 - Extra ´Tools´ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C: \ WINDOWS \ web \ related.htm

Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - website: www2.flingstone.com / cab / 2000XP / ClickYesToContinue / bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - website: mt-download.com / MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - website: download.overpro.com / WildApp.cab

Remove these auto run shell delay load object registry key if you are not using them (O21):

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C: \ WINDOWS \ System32 \ mssaru.dll

Reboot the computer and put it to safe mode.  Then delete these files from your C: drive.

C: \ Program Files \ AutoUpdate \ AutoUpdate.exe
C: \ Program Files \ CxtPls \ CxtPls.exe
C: \ WINDOWS \ System32 \ mssaru.dll

Original log but with private information removed.

Logfile of HijackThis v1.98.2
Scan saved at 1:00:37 PM, on 9 / 14 / 2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ winlogon.exe
C: \ WINDOWS \ system32 \ services.exe
C: \ WINDOWS \ system32 \ lsass.exe
C: \ WINDOWS \ system32 \ svchost.exe
C: \ WINDOWS \ System32 \ svchost.exe
C: \ WINDOWS \ system32 \ spoolsv.exe
C: \ WINDOWS \ Explorer.EXE
C: \ WINDOWS \ System32 \ PackethSvc.exe
C: \ WINDOWS \ System32 \ drivers \ CDAC11BA.EXE
C: \ WINDOWS \ System32 \ svchost.exe
C: \ WINDOWS \ wanmpsvc.exe
C: \ Program Files \ AutoUpdate \ AutoUpdate.exe
C: \ Program Files \ AIM \ aim.exe
C: \ WINDOWS \ System32 \ wuauclt.exe
C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE
C: \ Program Files \ CxtPls \ CxtPls.exe
C: \ WINDOWS \ SYSTEM32 \ l?gonui.exe
C: \ Program Files \ WinRAR \ WinRAR.exe
C: \ DOCUME~1 \ Lou \ LOCALS~1 \ Temp \ Rar$EX00.281 \ HijackThis.exe
R1 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main,Search Bar = file: / / C: \ WINDOWS \ System32 \ SearchBar.htm
R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main,Start Page = website: searchexe.com / passthrough / index.html?website: google.com /
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main,Search Bar = website: searchexe.com / searchbar.html
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C: \ Windows \ System32 \ wsaupdater.exe,
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C: \ Program Files \ CxtPls \ CxtPls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C: \ Program Files \ Adobe \ Acrobat 6.0 \ Reader \ ActiveX \ AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c: \ PROGRA~1 \ mcafee.com \ mps \ mcbrhlpr.dll
O2 - BHO: (no name) - {30AA6D20-9A4E-79CA-D320-665508D52D4A} - C: \ WINDOWS \ System32 \ zmudptgy.dll (file missing)
O2 - BHO: (no name) - {65A86B7B-9F11-00BB-D307-64550DA87212} - C: \ WINDOWS \ System32 \ oofb.dll (file missing)
O2 - BHO: (no name) - {6FFC347D-931B-56B7-8356-65557CAE2811} - C: \ WINDOWS \ System32 \ biu.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C: \ WINDOWS \ 2_0_1browserhelper2.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C: \ WINDOWS \ Downloaded Program Files \ bridge.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C: \ Program Files \ NavExcel \ NavHelper \ v2.0.4c \ NHelper.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C: \ Program Files \ SEP \ sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C: \ Documents and Settings \ Lou \ Local Settings \ Temp \ vAS.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C: \ Program Files \ Microsoft Money \ System \ mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C: \ WINDOWS \ System32 \ msdxm.ocx
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C: \ Program Files \ SEP \ sep.dll (file missing)
O4 - HKLM \ .. \ Run: [Microsoft Works Portfolio] C: \ Program Files \ Microsoft Works \ WksSb.exe / AllUsers
O4 - HKLM \ .. \ Run: [MoneyStartUp10.0] "C: \ Program Files \ Microsoft Money \ System \ Activation.exe"
O4 - HKLM \ .. \ Run: [HPDJ Taskbar Utility] C: \ WINDOWS \ System32 \ spool \ drivers \ w32x86 \ 3 \ hpztsb09.exe
O4 - HKLM \ .. \ Run: [WebScan] C: \ PROGRA~1 \ ACCELE~1 \ ANTI-V~1 \ DEFSCA~1.EXE -k
O4 - HKLM \ .. \ Run: [QuickTime Task] "C: \ Program Files \ QuickTime \ qttask.exe" -atboottime
O4 - HKLM \ .. \ Run: [mmtask] C: \ Program Files \ MusicMatch \ MusicMatch Jukebox \ mmtask.exe
O4 - HKLM \ .. \ Run: [Belt] C: \ WINDOWS \ Belt.exe
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ WINDOWS \ system32 \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [winactive] C: \ Program Files \ Window Active \ winactive.exe
O4 - HKLM \ .. \ Run: [Facepoke] C: \ PROGRA~1 \ Wave Bolt Media \ Loud Two.exe
O4 - HKLM \ .. \ Run: [RunDLL] rundll32.exe "C: \ WINDOWS \ Downloaded Program Files \ bridge.dll",Load
O4 - HKLM \ .. \ Run: [Internet Optimizer] "C: \ Program Files \ Internet Optimizer \ optimize.exe"
O4 - HKLM \ .. \ Run: [lohkt] C: \ WINDOWS \ lohkt.exe
O4 - HKLM \ .. \ Run: [zgvkxij] C: \ WINDOWS \ zgvkxij.exe
O4 - HKLM \ .. \ Run: [MCUpdateExe] C: \ PROGRA~1 \ McAfee.com \ Agent \ mcupdate.exe
O4 - HKLM \ .. \ Run: [MCAgentExe] C: \ Program Files \ McAfee.com \ Agent \ mcagent.exe
O4 - HKLM \ .. \ Run: [MPSExe] C: \ Program Files \ McAfee.com \ MPS \ mscifapp.exe / embedding
O4 - HKLM \ .. \ Run: [dyrmtwf] C: \ WINDOWS \ dyrmtwf.exe
O4 - HKLM \ .. \ Run: [upmzyz] C: \ WINDOWS \ upmzyz.exe
O4 - HKLM \ .. \ Run: [UpdateManager] "C: \ Program Files \ Common Files \ Sonic \ Update Manager \ sgtray.exe" / r
O4 - HKLM \ .. \ Run: [WhenUSearch] C: \ PROGRA~1 \ WHENUS~1 \ Search.exe
O4 - HKLM \ .. \ Run: [Windows SA] C: \ Program Files \ WindowsSA \ omniscient.exe
O4 - HKLM \ .. \ Run: [DeadAIM] rundll32.exe "C: \ Program Files \ AIM \ \ DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM \ .. \ Run: [HP Software Update] "C: \ Program Files \ HP \ HP Software Update \ HPWuSchd.exe"
O4 - HKLM \ .. \ Run: [HP Component Manager] "C: \ Program Files \ HP \ hpcoretech \ hpcmpmgr.exe"
O4 - HKLM \ .. \ Run: [RealTray] C: \ Program Files \ Real \ RealPlayer \ RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM \ .. \ Run: [NPG] C: \ documents and settings \ lou \ local settings \ temp \ NPG.exe
O4 - HKLM \ .. \ Run: [xjsV] C: \ documents and settings \ lou \ local settings \ temp \ xjsV.exe
O4 - HKLM \ .. \ Run: [Bakra] C: \ WINDOWS \ System32 \ IEHost.exe
O4 - HKLM \ .. \ Run: [Dsi] C: \ WINDOWS \ System32 \ dp-him.exe
O4 - HKLM \ .. \ Run: [24AKE#E5XFG36K] C: \ WINDOWS \ System32 \ Elq0i.exe
O4 - HKLM \ .. \ Run: [4F7V39j] sclpubw.exe
O4 - HKLM \ .. \ Run: [AutoUpdater] "C: \ Program Files \ AutoUpdate \ AutoUpdate.exe"
O4 - HKLM \ .. \ Run: [WhenUSearchWHSE] C: \ PROGRA~1 \ WHENUS~1 \ whse.exe
O4 - HKCU \ .. \ Run: [AIM] C: \ Program Files \ AIM \ aim.exe -cnetwait.odl
O4 - HKCU \ .. \ Run: [Desktop Weather 3] C: \ Program Files \ The Weather Channel \ The Weather Channel.exe
O4 - HKCU \ .. \ Run: [Ciml] C: \ Documents and Settings \ Lou \ Application Data \ oopo.exe
O4 - HKCU \ .. \ Run: [xpsp1res] C: \ WINDOWS \ System32 \ xpsp1res.exe
O4 - HKCU \ .. \ Run: [ares] "C: \ Program Files \ Ares \ Ares.exe" -h
O4 - HKCU \ .. \ Run: [Uqdneieh] C: \ WINDOWS \ System32 \ l?gonui.exe
O4 - HKCU \ .. \ Run: [Loo9RVHnO] sdbngl32.exe
O4 - HKCU \ .. \ RunOnce: [Web Offer] C: \ ezStub.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C: \ Program Files \ CompuServe 7.0 \ cstray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C: \ Program Files \ HP \ Digital Imaging \ bin \ hpqtra08.exe
O4 - Global Startup: hp instant support.lnk = C: \ Program Files \ Hewlett-Packard \ hpis \ bin \ matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C: \ Program Files \ Microsoft Office \ Office \ OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Blubster Support - file: / / C: \ Program Files \ BlubsterSupport \ System \ Temp \ blubstershop_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C: \ WINDOWS \ System32 \ ms.exe
O9 - Extra ´Tools´ menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C: \ WINDOWS \ System32 \ ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C: \ Program Files \ AIM \ aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C: \ WINDOWS \ web \ related.htm
O9 - Extra ´Tools´ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C: \ WINDOWS \ web \ related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C: \ WINDOWS \ System32 \ Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C: \ Program Files \ Microsoft Money \ System \ mnyviewer.dll
O16 - DPF: Yahoo! Pool 2 - website: download.games.yahoo.com / games / clients / y / potc_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - website: a1540.g.akamai.net / 7 / 1540 / 52 / 20030530 / qtinstall.info.apple.com / bonnie / us / win / QuickTimeInstaller.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - website: www2.flingstone.com / cab / 2000XP / ClickYesToContinue / bridge.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - website: mt-download.com / MediaTicketsInstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - website: download.overpro.com / WildApp.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C: \ Program Files \ HP \ hpcoretech \ comp \ hpuiprot.dll
O20 - AppInit_DLLs: C: \ Program Files \ Stardock \ Object Desktop \ WindowBlinds \ skincast \
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C: \ WINDOWS \ System32 \ mssaru.dll

blubstershop.exe

browserhelper2.dll

MS.EXE

NHelper.dll

winactive.exe