
Computer is so overrun with spyware that it will no longer boot up. [inactive]


xcasperx
3 Feb 2005, 8:48am
As the title of this thread states, my computer will no longer even boot up regularly. Windows will open, pop-ups will open and then it will reboot. It only works if I reboot it in safe mode. I followed the HMS removal guide but several of the first steps require normal mode which I can't even get into. I have a HiJackThis log that I was able to generate yesterday in normal mode while I still could. Whatever help I receive would be greatly appreciated because at this point I am considering buying a new computer the problem is so bad.
Logfile of HijackThis v1.99.0
Scan saved at 10:41:04 AM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\sm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\appyh32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dustin\video.exe
C:\WINDOWS\system32\msdg32.exe
C:\DOCUME~1\Dustin\LOCALS~1\Temp\6.tmp
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\system32\rundll32.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C8F6C92-F487-3D4E-95E9-04FB02E4540F} - C:\WINDOWS\system32\winkq32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [msdg32.exe] C:\WINDOWS\system32\msdg32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Dustin\LOCALS~1\Temp\6.tmp.exe 1 10001
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/20382085/enter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Protocol hijack: mhtml -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\appyh32.exe

Buckeye_Sam
3 Feb 2005, 2:44pm
Your problems are caused by more than just HSA. Let's see if we can get rid of some of this other stuff to allow your computer to run a little bit better and then get HSA. Do you have an antivirus program on your computer?

Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3



Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\system32\tibs3.exe
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Dustin\LOCALS~1\Temp\6.tmp.exe 1 10001
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\system32\sm.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/20382085/enter.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html)



Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\zeta.exe
C:\WINDOWS\system32\soft.exe
C:\WINDOWS\system32\tibs3.exe
C:\WINDOWS\system32\sm.exe
C:\Program Files\ISTsvc



Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.



Reboot back to normal mode and post a new hijackthis log. Let me know if your computer is running any better.

xcasperx
4 Feb 2005, 3:58am
To answer your question, no, I don't have any anti-virus software installed. I followed all the steps you gave me and my computer still won't boot up into Normal Mode, only Safe Mode. I noticed when trying to delete all the temp files I couldn't delete "index.dat" because it was being used by a program. Here's a new HiJackThis log file that was generated in Safe Mode. I don't know if that makes a difference, but like I said I am not able to get into Normal Mode. Thank you very much for the help you have given me so far. This is such a problem I am considering even buying a new computer since this one is over four years old. But if the problem can be solved that would be great. Thank you again.
Logfile of HijackThis v1.99.0
Scan saved at 6:34:58 PM, on 2/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: SDWin32 Class - {05CCA43C-F086-4CE7-B957-C89CD856F0C2} - C:\WINDOWS\system32\uxkbs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: SDWin32 Class - {82FE2D66-10D8-4C3C-A83A-059433A11FFA} - C:\WINDOWS\system32\hfgbq.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [msdg32.exe] C:\WINDOWS\system32\msdg32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [obfh269z] C:\Program Files\obfh269z\obfh269z.exe
O4 - HKLM\..\Run: [stkt] C:\WINDOWS\stkt.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [TinkoPal] C:\Program Files\TinkoPal\AppStart.exe
O4 - HKLM\..\Run: [cwspyml] C:\WINDOWS\system32\cwspyml.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ptumyy.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Jlycff.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvsxc32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Protocol hijack: mhtml -
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: nrrtdnrtpxbi - Unknown - C:\WINDOWS\system32\tpxetjgk5.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\appyh32.exe (file missing)

Buckeye_Sam
4 Feb 2005, 4:12am
I assume that you have another computer that you are using to access the internet while this one is in safe mode. We're going to have to download some tools to use on your computer. Do you have a way to download them and move them over to the infected computer?

xcasperx
4 Feb 2005, 5:12am
Yes, I do have another computer but no way to get them to the infected computer. Isn't it possible to download the programs in safe mode and install them from there? I downloaded aboutbuster and installed it that way so I assume it will work for other programs as well.

Buckeye_Sam
4 Feb 2005, 3:17pm
Yes, that will work just fine. And do not worry. Everything you have we can get cleaned up. It may take a few steps, but you don't worry about having to buy a new computer. :thumbsup:

Now let's get started.



Download LSPFix from http://www.cexx.org/lspfix.zip and run it.

Check the I know what I'm doing box.

In the Keep box you should see one or more instances of the following files.

aklsp.dll

Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.

When you are done click Finish>>.





Please download CWShredder but don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe


Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.



Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Desktop Search
Surf Side Kick
Ebates
Web Offers
Web Rebates
Tinko Pal
My Search
Search Bar
Elite Toolbar
Virtual Bouncer





Make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.bleepingcomputer.com/forums/tutorial62.html)

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dqcuc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: SDWin32 Class - {05CCA43C-F086-4CE7-B957-C89CD856F0C2} - C:\WINDOWS\system32\uxkbs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: SDWin32 Class - {82FE2D66-10D8-4C3C-A83A-059433A11FFA} - C:\WINDOWS\system32\hfgbq.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [msdg32.exe] C:\WINDOWS\system32\msdg32.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [obfh269z] C:\Program Files\obfh269z\obfh269z.exe
O4 - HKLM\..\Run: [stkt] C:\WINDOWS\stkt.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [TinkoPal] C:\Program Files\TinkoPal\AppStart.exe
O4 - HKLM\..\Run: [cwspyml] C:\WINDOWS\system32\cwspyml.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Ptumyy.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Jlycff.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvsxc32.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\appyh32.exe (file missing)



Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html)


Now run CWShredder, making sure to click "Fix".


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\dqcuc.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\stkt.exe
C:\WINDOWS\system32\uxkbs.dll
C:\WINDOWS\system32\hfgbq.dll
C:\WINDOWS\system32\mtxcbus.dll
C:\WINDOWS\system32\msdg32.exe
C:\WINDOWS\system32\cwspyml.exe
C:\WINDOWS\system32\Ptumyy.exe
C:\WINDOWS\system32\sysmonnt
C:\WINDOWS\system32\appyh32.exe
C:\WINDOWS\system32\Jlycff.exe
C:\windows\system32\kalvsxc32.exe
C:\WINDOWS\system32\wsxsvc
C:\windows\bundles\adl_mteststub.exe
C:\Program Files\obfh269z
C:\Program Files\hpdll
C:\Program Files\VBouncer
C:\Program Files\MySearch
C:\Program Files\TinkoPal
C:\Program Files\Web_Rebates
C:\Program Files\SurfSideKick 2
C:\PROGRA~1\COMMON~1\tsa
C:\WINDOWS\EliteToolBar
C:\WINDOWS\EliteSideBar
C:\WINDOWS\isrvs



It's possible that some files and folders may resist being deleted. If that happens right click on the file, select Properties, and make sure the box marked Read-only is unchecked. Please let me know if there are any files or folders that you were not able to delete.


Run a full scan with Adaware.

Reboot your computer and post a new log.

xcasperx
5 Feb 2005, 12:01am
Alright, I followed all of your instructions and my computer still won't go all the way into Normal Mode without restarting, but it appears things have improved. I wasn't able to delete c:\windows\system32\mtxcbus.dll; everything else that was there I was able to delete. In HiJackThis a lot of the O2 entries weren't there so I couldn't remove them. When I ran AdAware it wasn't able to get rid of a couple of items and I set it to try and do it again when I restarted. Unfortunately I couldn't get into Normal Mode for it to try it again when I restart. One thing I noticed is that when I ran AdAware I got a Windows message with the heading "Data execution prevention" with the application being named "Run a DLL as an APP." Here's my new HiJackThis log. Thank you for the continuing help.

Logfile of HijackThis v1.99.0
Scan saved at 2:35:48 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ayunbtr] c:\windows\system32\ayunbtr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Protocol hijack: mhtml -
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: nrrtdnrtpxbi - Unknown - C:\WINDOWS\system32\tpxetjgk5.exe

SpywareShooter
5 Feb 2005, 12:54am
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O4 - HKLM\..\Run: [ayunbtr] c:\windows\system32\ayunbtr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O18 - Protocol hijack: mhtml -
O23 - Service: nrrtdnrtpxbi - Unknown - C:\WINDOWS\system32\tpxetjgk5.exe

Fix those entries, then find and delete the following files:
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\system32\mtxcbus.dll
c:\windows\system32\ayunbtr.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\system32\tpxetjgk5.exe

Then reboot and post a new log.

xcasperx
5 Feb 2005, 1:26am
Alright, much improvement after those last steps. I finally managed to get into Normal Mode, but I'm still getting some pop-ups, though not nearly as many. I wasn't able to delete c:\windows\system32\mtxcbus.dll again. Also, most of the O2 entries in HijackThis weren't there, only the no-name one. Here's my new log; thank you so much for the help!

Logfile of HijackThis v1.99.0
Scan saved at 4:17:29 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\SED\SED.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\ayunbtr.exe
c:\windows\system32\calc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dustin\dddd.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ayunbtr] c:\windows\system32\ayunbtr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

SpywareShooter
5 Feb 2005, 1:51am
Do this in Normal Mode if you can.

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ayunbtr] c:\windows\system32\ayunbtr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Then find and delete the following files:
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\systb.dll
C:\Program Files\SED\
C:\WINDOWS\isrvs\
c:\windows\system32\ayunbtr.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\farmmext.exe
C:\PROGRAM FILES\ezula\
C:\PROGRAM FILES\Web Offer\wo.exe

Then reboot back into Normal Mode and post a new log.

We will need something else to remove all the O15 entries, so I'll have you do that after we clear up the rest of the log.

xcasperx
5 Feb 2005, 3:46am
Here's the new log. I also noticed that when I try to empty my recycle bin, I cannot. It says there are 14 items in there every time, but none of these 14 are visible; it's just blank.

Logfile of HijackThis v1.99.0
Scan saved at 6:25:21 PM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpax32.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\installer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Buckeye_Sam
5 Feb 2005, 4:43am
Your recycle bin problem is part of a nasty VX2 infection that just started showing in your last few logs. We can fix it later, but first we need to get rid of everything else.



Download (right-click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf

To use: Close all open browsers
Right-click DelDomains.inf and select: Install

This should remove those O15 entries.



Have hijackthis fix these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpax32.exe
O4 - HKLM\..\Run: [ntechin] C:\WINDOWS\system32\installer.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll




Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html)


Now run CWShredder, making sure to click "Fix".


Then delete these files or directories (do not be concerned if they do not exist):

C:\WINDOWS\EliteToolBar
C:\WINDOWS\isrvs
C:\WINDOWS\system32\wsxsvc
C:\WINDOWS\system32\vmss
C:\windows\system32\kalvpax32.exe
C:\WINDOWS\system32\installer.exe


Reboot back to normal mode and post a new hijackthis log.

xcasperx
5 Feb 2005, 9:32pm
It appears something keeps re-infecting me. Quick question: can these problems spread over a network? I want to make sure the other computers in my house don't get them.

Logfile of HijackThis v1.99.0
Scan saved at 12:13:30 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dustin\dddd.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpys32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Buckeye_Sam
5 Feb 2005, 11:26pm
You do have a few things that are very resistant to being removed. The programs that are showing in your log should not spread over your network. And if it hasn't happened yet, then it's not going to happen now. I know it's hard to tell, but we are making progress.


Run LSPFix that you downloaded before.

Check the "I know what I'm doing" box.

In the Keep box you should see one or more instances of the following files.

dolsp.dll

Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.

When you are done click Finish>>.



Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1, Run Find Log, by typing 1 and then pressing Enter. This will scan your computer, and it may appear that nothing is happening; then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
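A triage script for the line types these two posts deal with (the O15 entries DelDomains.inf clears, the O10 LSP entries LSPFix removes, plus the O1 and O16 lines HijackThis was told to fix), added here as an example and not taken from the thread, HijackThis or the fix tools; the sample log and the allow-list of ActiveX download hosts are constructed.

```python
"""Triage helper for HijackThis 1.99 logs (added example; not code from this
thread, from HijackThis or from the fix tools it mentions). It parses the line
types the helpers keep picking out above: O1 hosts redirects, O10 Winsock LSP
entries with unknown files, O15 Trusted Zone additions (what DelDomains.inf
clears) and O16 ActiveX downloads (DPF)."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\dolsp.dll
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "::1"}
# Assumed allow-list for O16 download hosts; a real one comes from the analyst.
DEFAULT_DPF_ALLOW = ("creative.com",)


def parse_log(text):
    """Group result lines by their section code (O1, O15, ...). Header lines
    and 'Running processes' paths do not match the pattern and are skipped."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections[m.group("section")].append(m.group("body"))
    return sections


def hosts_redirects(sections):
    """O1: map each non-loopback IP to the hostnames redirected to it, so
    several search hosts all pointing at one remote address stand out."""
    by_ip = defaultdict(list)
    for body in sections.get("O1", []):
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if m and m.group(1) not in LOOPBACK and m.group(2) not in by_ip[m.group(1)]:
            by_ip[m.group(1)].append(m.group(2))  # logs repeat lines; dedupe
    return dict(by_ip)


def trusted_zone_entries(sections):
    """O15: domain patterns and IP ranges added to IE's Trusted zone, where
    ActiveX and scripting restrictions are relaxed. '(HKLM)' marker lines
    carry no target and are dropped."""
    targets = []
    for body in sections.get("O15", []):
        m = re.match(r"Trusted (?:Zone|IP range):\s+(.+)$", body)
        if m and m.group(1) != "(HKLM)":
            targets.append(m.group(1))
    return targets


def lsp_unknown_files(sections):
    """O10: count entries per unknown LSP file. Repeats are kept, matching the
    LSPFix instruction above to remove every instance, not just one."""
    counts = Counter()
    for body in sections.get("O10", []):
        m = re.match(r"Unknown file in Winsock LSP:\s+(.+)$", body)
        if m:
            counts[m.group(1).lower()] += 1
    return dict(counts)


def dpf_downloads(sections, allowed_hosts=DEFAULT_DPF_ALLOW):
    """O16: (name, url) of each ActiveX download whose host is outside the
    allow-list (exact match or subdomain)."""
    findings = []
    for body in sections.get("O16", []):
        m = re.match(r"DPF:\s+(.+?)\s+-\s+(\S+)$", body)
        if not m:
            continue
        name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            findings.append((name, url))
    return findings


def triage(text, allowed_hosts=DEFAULT_DPF_ALLOW):
    """Run every check over one log and return the findings."""
    s = parse_log(text)
    return {
        "hosts_redirects": hosts_redirects(s),
        "trusted_zone": trusted_zone_entries(s),
        "lsp_unknown": lsp_unknown_files(s),
        "dpf_untrusted": dpf_downloads(s, allowed_hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Paste a full log into `triage()` to get the same four groups; the O4, O2 and O23 entries the helpers also fix are left for manual review since they need a file-by-file judgement.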

xcasperx
6 Feb 2005, 3:04am
Here you go:

L2MFIX find log 1.02a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr0405dqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{23E1454D-30FC-4CC8-9AA8-DCD7D3306096}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}\InprocServer32]
@="C:\\WINDOWS\\system32\\dl32gt.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
2ndsrch.dll Fri Feb 4 2005 6:04:34p A.... 69,632 68.00 K
aflbg32.dll Wed Feb 2 2005 10:07:32p A.... 229,736 224.35 K
akcore.dll Wed Feb 2 2005 10:48:24p A.... 188,416 184.00 K
aklsp.dll Wed Feb 2 2005 10:48:26p A.... 196,608 192.00 K
akrules.dll Wed Feb 2 2005 10:48:24p A.... 110,592 108.00 K
akupd.dll Wed Feb 2 2005 10:48:18p A.... 155,648 152.00 K
ampem32.dll Wed Feb 2 2005 10:56:42p ..S.R 230,411 225.01 K
antodisc.dll Fri Feb 4 2005 2:20:46p ..S.R 229,298 223.92 K
appem32.dll Fri Jan 14 2005 11:56:42p A.... 11,514 11.24 K
atl71.dll Thu Feb 3 2005 8:23:12a A.... 89,088 87.00 K
atpvg32.dll Thu Feb 3 2005 8:16:00a ..S.R 231,652 226.22 K
axrace.dll Thu Feb 3 2005 6:06:44p ..S.R 231,652 226.22 K
aza805~1.dll Thu Feb 3 2005 6:32:30p ..S.R 229,876 224.49 K
azwut.dll Wed Dec 8 2004 4:54:32a A.SH. 55,808 54.50 K
brew.dll Fri Feb 4 2005 4:14:36p A.... 7,680 7.50 K
brew32.dll Fri Feb 4 2005 6:06:36p A.... 27 0.02 K
bwqvh.dll Fri Jan 14 2005 12:37:46p A.SH. 68,096 66.50 K
cicfg32.dll Wed Feb 2 2005 11:04:16p ..S.R 230,411 225.01 K
clbjmon.dll Wed Feb 2 2005 10:22:38p ..S.R 229,736 224.35 K
d3og32.dll Sun Dec 12 2004 7:21:44a A.... 11,514 11.24 K
djd9.dll Thu Feb 3 2005 8:24:32a ..S.R 231,652 226.22 K
dl32gt.dll Sat Feb 5 2005 12:11:10p ..S.R 228,918 223.55 K
dl7vb.dll Wed Feb 2 2005 10:51:02p ..S.R 230,411 225.01 K
docore.dll Sat Feb 5 2005 11:03:28a A.... 151,552 148.00 K
dolsp.dll Sat Feb 5 2005 11:03:30a A.... 139,264 136.00 K
dosync.dll Sat Feb 5 2005 11:03:24a A.... 114,688 112.00 K
dsktrf.dll Wed Jan 19 2005 9:08:42a A.... 147,456 144.00 K
eigsq.dll Wed Dec 8 2004 9:12:48p A.SH. 55,808 54.50 K
en62l1~1.dll Wed Feb 2 2005 11:19:52p ..S.R 231,672 226.24 K
en66l1~1.dll Wed Feb 2 2005 10:56:42p ..S.R 232,072 226.63 K
en86l1~1.dll Wed Feb 2 2005 11:32:04p ..S.R 230,411 225.01 K
enj4l1~1.dll Wed Feb 2 2005 10:52:28p ..S.R 231,822 226.39 K
enjsl1~1.dll Wed Feb 2 2005 10:13:08p ..S.R 231,447 226.02 K
enp6l1~1.dll Thu Feb 3 2005 8:24:32a ..S.R 229,035 223.66 K
erjsl1~1.dll Wed Feb 2 2005 10:58:14p ..S.R 230,411 225.01 K
fbtps.dll Mon Dec 6 2004 3:26:40a A.SH. 55,808 54.50 K
fcbmi.dll Thu Dec 16 2004 10:13:52p A.SH. 55,808 54.50 K
h4l20e~1.dll Wed Feb 2 2005 10:58:14p ..S.R 230,645 225.24 K
haafk.dll Tue Dec 28 2004 6:52:02p A.SH. 70,144 68.50 K
had.dll Thu Feb 3 2005 8:17:44a ..S.R 231,652 226.22 K
hr0405~1.dll Sat Feb 5 2005 10:55:20a ..S.R 228,918 223.55 K
hr0805~1.dll Thu Feb 3 2005 8:14:28a ..S.R 228,602 223.24 K
hr4805~1.dll Sat Feb 5 2005 12:11:10p ..S.R 229,763 224.38 K
hr8s05~1.dll Thu Feb 3 2005 8:19:18a ..S.R 228,592 223.23 K
hypertrm.dll Wed Nov 17 2004 9:41:24a A.... 347,136 339.00 K
i0060a~1.dll Fri Feb 4 2005 2:37:44p ..S.R 230,303 224.90 K
i060la~1.dll Fri Feb 4 2005 2:32:12p ..S.R 229,298 223.92 K
i6jqlg~1.dll Thu Feb 3 2005 8:22:34a ..S.R 228,958 223.59 K
idleui.dll Fri Feb 4 2005 6:04:36p A.... 41,472 40.50 K
iekmr.dll Sat Jan 15 2005 1:39:30a A.SH. 68,096 66.50 K
inagr5.dll Wed Feb 2 2005 11:19:52p ..S.R 230,411 225.01 K
ipgy.dll Wed Nov 24 2004 8:45:58a A.... 10,812 10.56 K
iprnonce.dll Thu Feb 3 2005 8:25:50a ..S.R 231,652 226.22 K
ipxw32.dll Tue Jan 4 2005 9:00:38a A.... 11,514 11.24 K
iqakeng.dll Wed Feb 2 2005 10:09:24p A.... 229,736 224.35 K
j46m0e~1.dll Fri Feb 4 2005 2:18:34p ..S.R 229,159 223.79 K
j6j6lg~1.dll Wed Feb 2 2005 10:54:14p ..S.R 232,027 226.59 K
javamx32.dll Sun Jan 2 2005 12:59:54p A.... 11,514 11.24 K
jwefs.dll Sat Nov 27 2004 9:15:46a A.SH. 55,808 54.50 K
k208lc~1.dll Thu Feb 3 2005 8:17:44a ..S.R 229,101 223.73 K
kgrberos.dll Wed Feb 2 2005 10:52:28p ..S.R 230,411 225.01 K
khnql.dll Tue Jan 4 2005 4:51:12a A.SH. 68,096 66.50 K
kt8ul7~1.dll Wed Feb 2 2005 10:50:12p ..S.R 229,736 224.35 K
kurnel32.dll Thu Feb 3 2005 6:31:08p ..S.R 228,755 223.39 K
kyohu.dll Tue Jan 25 2005 3:51:14a A.SH. 68,096 66.50 K
l2j80c~1.dll Wed Feb 2 2005 11:04:16p ..S.R 231,223 225.80 K
l66olg~1.dll Thu Feb 3 2005 8:16:00a ..S.R 228,883 223.52 K
lldik.dll Fri Dec 24 2004 1:03:22p A.SH. 55,808 54.50 K
ltj027~1.dll Thu Feb 3 2005 8:25:50a ..S.R 229,208 223.84 K
lv2o09~1.dll Thu Feb 3 2005 8:20:58a ..S.R 231,981 226.54 K
lv8m09~1.dll Fri Feb 4 2005 2:20:46p ..S.R 229,487 224.11 K
lvlo09~1.dll Thu Feb 3 2005 6:31:08p ..S.R 229,094 223.72 K
lvno09~1.dll Wed Feb 2 2005 10:22:38p ..S.R 230,095 224.70 K
lvr009~1.dll Wed Feb 2 2005 11:21:34p ..S.R 230,510 225.11 K
lvrm09~1.dll Wed Feb 2 2005 10:09:24p ..S.R 229,935 224.54 K
m0rmla~1.dll Wed Feb 2 2005 10:10:48p ..S.R 230,926 225.51 K
meidle.dll Wed Feb 2 2005 11:21:34p ..S.R 230,411 225.01 K
micndmgr.dll Fri Feb 4 2005 2:33:06p ..S.R 230,303 224.90 K
mjdimap.dll Thu Feb 3 2005 8:11:38a ..S.R 231,652 226.22 K
msai32.dll Thu Dec 16 2004 1:41:18a A.... 11,514 11.24 K
mzidle.dll Thu Feb 3 2005 8:19:18a ..S.R 231,652 226.22 K
n48o0e~1.dll Thu Feb 3 2005 8:13:00a ..S.R 232,036 226.60 K
nctapi.dll Thu Feb 3 2005 6:32:32p ..S.R 228,755 223.39 K
netcw32.dll Wed Jan 19 2005 11:26:02p A.... 11,514 11.24 K
ogbcji32.dll Thu Feb 3 2005 8:13:00a ..S.R 231,652 226.22 K
phrfdisk.dll Thu Feb 3 2005 8:20:58a ..S.R 231,652 226.22 K
poevr.dll Sat Jan 22 2005 7:14:18p A.SH. 68,096 66.50 K
r6p8lg~1.dll Wed Feb 2 2005 11:23:08p ..S.R 232,287 226.84 K
rgcrt4.dll Wed Feb 2 2005 11:23:08p A.... 230,411 225.01 K
rrwzl.dll Sat Jan 8 2005 6:36:10a A.SH. 68,096 66.50 K
sporder.dll Wed Feb 2 2005 10:48:24p A.... 8,464 8.27 K
syhannel.dll Wed Feb 2 2005 10:13:08p ..S.R 229,736 224.35 K
tormmgr.dll Thu Feb 3 2005 8:14:28a ..S.R 231,652 226.22 K
treph.dll Sun Dec 12 2004 5:11:30a A.SH. 55,808 54.50 K
utrra.dll Sat Jan 1 2005 11:07:50p A.SH. 55,808 54.50 K
uurvoica.dll Fri Feb 4 2005 2:19:30p ..S.R 229,298 223.92 K
vtdex.dll Thu Feb 3 2005 8:22:34a ..S.R 231,652 226.22 K
winkq32.dll Tue Jan 4 2005 3:05:24p A.... 96,747 94.48 K
winsuck.dll Tue Feb 1 2005 10:31:54a A.... 17,920 17.50 K
wintitle.dll Tue Feb 1 2005 10:31:54a ..... 16,896 16.50 K
wteun.dll Fri Dec 3 2004 11:18:04p A.SH. 55,808 54.50 K

101 items found: 101 files (73 H/S), 0 directories.
Total of file sizes: 16,783,007 bytes 16.00 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 54D0-0C29

Directory of C:\WINDOWS\System32

02/05/2005 12:11 PM 228,918 dl32gt.dll
02/05/2005 12:11 PM 229,763 hr4805hue.dll
02/05/2005 10:55 AM 228,918 hr0405dqe.dll
02/04/2005 02:37 PM 230,303 i0060adsed060.dll
02/04/2005 02:33 PM 230,303 micndmgr.dll
02/04/2005 02:32 PM 229,298 i060lajm1doa.dll
02/04/2005 02:20 PM 229,298 antodisc.dll
02/04/2005 02:20 PM 229,487 lv8m09l1e.dll
02/04/2005 02:19 PM 229,298 uurvoica.dll
02/04/2005 02:18 PM 229,159 j46m0ej1eho.dll
02/03/2005 06:32 PM 228,755 nctapi.dll
02/03/2005 06:32 PM 229,876 aza805due.dll
02/03/2005 06:31 PM 228,755 kurnel32.dll
02/03/2005 06:31 PM 229,094 lvlo0933e.dll
02/03/2005 06:06 PM 231,652 axrace.dll
02/03/2005 08:25 AM 231,652 iprnonce.dll
02/03/2005 08:25 AM 229,208 ltj0271mg.dll
02/03/2005 08:24 AM 231,652 dJd9.dll
02/03/2005 08:24 AM 229,035 enp6l17s1.dll
02/03/2005 08:22 AM 231,652 vtdex.dll
02/03/2005 08:22 AM 228,958 i6jqlg1516.dll
02/03/2005 08:20 AM 231,652 phrfdisk.dll
02/03/2005 08:20 AM 231,981 lv2o09f3e.dll
02/03/2005 08:19 AM 231,652 mzidle.dll
02/03/2005 08:19 AM 228,592 hr8s05l7e.dll
02/03/2005 08:17 AM 231,652 had.dll
02/03/2005 08:17 AM 229,101 k208lcdu1f08.dll
02/03/2005 08:15 AM 231,652 atpvg32.dll
02/03/2005 08:15 AM 228,883 l66olgj316o.dll
02/03/2005 08:14 AM 231,652 tormmgr.dll
02/03/2005 08:14 AM 228,602 hr0805due.dll
02/03/2005 08:12 AM 231,652 ogbcji32.dll
02/03/2005 08:12 AM 232,036 n48o0el3ehq.dll
02/03/2005 08:11 AM 231,652 mjdimap.dll
02/02/2005 11:32 PM 230,411 en86l1ls1.dll
02/02/2005 11:23 PM 232,287 r6p8lg7u16.dll
02/02/2005 11:21 PM 230,411 meidle.dll
02/02/2005 11:21 PM 230,510 lvr0099me.dll
02/02/2005 11:19 PM 230,411 inagr5.dll
02/02/2005 11:19 PM 231,672 en62l1jo1.dll
02/02/2005 11:04 PM 230,411 cicfg32.dll
02/02/2005 11:04 PM 231,223 l2j80c1uef.dll
02/02/2005 10:58 PM 230,411 erjsl1171.dll
02/02/2005 10:58 PM 230,645 h4l20e3oeh.dll
02/02/2005 10:56 PM 230,411 ampem32.dll
02/02/2005 10:56 PM 232,072 en66l1js1.dll
02/02/2005 10:54 PM 232,027 j6j6lg1s16.dll
02/02/2005 10:52 PM 230,411 kgrberos.dll
02/02/2005 10:52 PM 231,822 enj4l11q1.dll
02/02/2005 10:51 PM 230,411 dl7vb.dll
02/02/2005 10:50 PM 229,736 kt8ul7l91.dll
02/02/2005 10:22 PM 229,736 clbjmon.dll
02/02/2005 10:22 PM 230,095 lvno0953e.dll
02/02/2005 10:13 PM 229,736 syhannel.dll
02/02/2005 10:13 PM 231,447 enjsl1171.dll
02/02/2005 10:10 PM 230,926 m0rmla911d.dll
02/02/2005 10:09 PM 229,935 lvrm0991e.dll
02/02/2005 10:06 PM <DIR> dllcache
01/25/2005 03:51 AM 68,096 kyohu.dll
01/22/2005 07:14 PM 68,096 poevr.dll
01/21/2005 10:43 AM 10,077 addqq32.exe
01/15/2005 01:39 AM 68,096 iekmr.dll
01/14/2005 04:43 PM 3,547 inamg.dat
01/14/2005 12:37 PM 68,096 bwqvh.dll
01/08/2005 06:36 AM 68,096 rrwzl.dll
01/07/2005 01:56 PM 10,102 iexi32.exe
01/05/2005 06:13 AM 10,212 ipei.exe
01/04/2005 04:51 AM 68,096 khnql.dll
01/03/2005 09:39 AM 3,547 wvpgl.txt
01/01/2005 11:07 PM 55,808 utrra.dll
01/01/2005 03:10 AM 4,402 vhwpf.txt
12/28/2004 06:52 PM 70,144 haafk.dll
12/24/2004 01:03 PM 55,808 lldik.dll
12/16/2004 10:13 PM 55,808 fcbmi.dll
12/12/2004 05:11 AM 55,808 treph.dll
12/08/2004 09:12 PM 55,808 eigsq.dll
12/08/2004 04:54 AM 55,808 azwut.dll
12/06/2004 03:26 AM 55,808 fbtps.dll
12/03/2004 11:18 PM 55,808 wteun.dll
11/27/2004 09:15 AM 55,808 jwefs.dll
05/13/2004 07:39 PM 16,032 mpr16.dll
11/11/2003 06:13 PM <DIR> Microsoft
80 File(s) 14,171,861 bytes
2 Dir(s) 11,183,345,664 bytes free

Buckeye_Sam
6 Feb 2005, 3:16am
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

xcasperx
7 Feb 2005, 12:37am
I followed all your instructions and here are the logs.

Here's the HiJackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 12:36:20 PM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\isrvs\desktop.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\program files\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpys32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\system32\wnim.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Here's the L2Mfix log:
L2Mfix 1.02a

Running From:
C:\Documents and Settings\Dustin\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Dustin\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Dustin\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'
Killing PID 1428 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1644 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\aflbg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ampem32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\antodisc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\atpvg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\axrace.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\aza805due.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cfmaddin.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\cicfg32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\clbjmon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dJd9.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dl32gt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dl7vb.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en62l1jo1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en66l1js1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\en86l1ls1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enj4l11q1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enjsl1171.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enp6l17s1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\erjsl1171.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\h4l20e3oeh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\had.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr0805due.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr4805hue.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hr8s05l7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i0060adsed060.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i060lajm1doa.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i6jqlg1516.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\inagr5.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iprnonce.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iqakeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j46m0ej1eho.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j6j6lg1s16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\k208lcdu1f08.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kgrberos.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt8ul7l91.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kurnel32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l2j80c1uef.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l66olgj316o.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ltj0271mg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv2o09f3e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lv8m09l1e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvlo0933e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvno0953e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvr0099me.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\lvrm0991e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\m0rmla911d.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\meidle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\micndmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjdimap.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mzidle.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\n48o0el3ehq.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nctapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ogbcji32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\phrfdisk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\r6p8lg7u16.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rgcrt4.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\syhannel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\tormmgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uurvoica.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vtdex.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\aflbg32.dll
Successfully Deleted: C:\WINDOWS\system32\aflbg32.dll
deleting: C:\WINDOWS\system32\ampem32.dll
Successfully Deleted: C:\WINDOWS\system32\ampem32.dll
deleting: C:\WINDOWS\system32\antodisc.dll
Successfully Deleted: C:\WINDOWS\system32\antodisc.dll
deleting: C:\WINDOWS\system32\atpvg32.dll
Successfully Deleted: C:\WINDOWS\system32\atpvg32.dll
deleting: C:\WINDOWS\system32\axrace.dll
Successfully Deleted: C:\WINDOWS\system32\axrace.dll
deleting: C:\WINDOWS\system32\aza805due.dll
Successfully Deleted: C:\WINDOWS\system32\aza805due.dll
deleting: C:\WINDOWS\system32\cfmaddin.dll
Successfully Deleted: C:\WINDOWS\system32\cfmaddin.dll
deleting: C:\WINDOWS\system32\cicfg32.dll
Successfully Deleted: C:\WINDOWS\system32\cicfg32.dll
deleting: C:\WINDOWS\system32\clbjmon.dll
Successfully Deleted: C:\WINDOWS\system32\clbjmon.dll
deleting: C:\WINDOWS\system32\dJd9.dll
Successfully Deleted: C:\WINDOWS\system32\dJd9.dll
deleting: C:\WINDOWS\system32\dl32gt.dll
Successfully Deleted: C:\WINDOWS\system32\dl32gt.dll
deleting: C:\WINDOWS\system32\dl7vb.dll
Successfully Deleted: C:\WINDOWS\system32\dl7vb.dll
deleting: C:\WINDOWS\system32\en62l1jo1.dll
Successfully Deleted: C:\WINDOWS\system32\en62l1jo1.dll
deleting: C:\WINDOWS\system32\en66l1js1.dll
Successfully Deleted: C:\WINDOWS\system32\en66l1js1.dll
deleting: C:\WINDOWS\system32\en86l1ls1.dll
Successfully Deleted: C:\WINDOWS\system32\en86l1ls1.dll
deleting: C:\WINDOWS\system32\enj4l11q1.dll
Successfully Deleted: C:\WINDOWS\system32\enj4l11q1.dll
deleting: C:\WINDOWS\system32\enjsl1171.dll
Successfully Deleted: C:\WINDOWS\system32\enjsl1171.dll
deleting: C:\WINDOWS\system32\enp6l17s1.dll
Successfully Deleted: C:\WINDOWS\system32\enp6l17s1.dll
deleting: C:\WINDOWS\system32\erjsl1171.dll
Successfully Deleted: C:\WINDOWS\system32\erjsl1171.dll
deleting: C:\WINDOWS\system32\h4l20e3oeh.dll
Successfully Deleted: C:\WINDOWS\system32\h4l20e3oeh.dll
deleting: C:\WINDOWS\system32\had.dll
Successfully Deleted: C:\WINDOWS\system32\had.dll
deleting: C:\WINDOWS\system32\hr0805due.dll
Successfully Deleted: C:\WINDOWS\system32\hr0805due.dll
deleting: C:\WINDOWS\system32\hr4805hue.dll
Successfully Deleted: C:\WINDOWS\system32\hr4805hue.dll
deleting: C:\WINDOWS\system32\hr8s05l7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr8s05l7e.dll
deleting: C:\WINDOWS\system32\i0060adsed060.dll
Successfully Deleted: C:\WINDOWS\system32\i0060adsed060.dll
deleting: C:\WINDOWS\system32\i060lajm1doa.dll
Successfully Deleted: C:\WINDOWS\system32\i060lajm1doa.dll
deleting: C:\WINDOWS\system32\i6jqlg1516.dll
Successfully Deleted: C:\WINDOWS\system32\i6jqlg1516.dll
deleting: C:\WINDOWS\system32\inagr5.dll
Successfully Deleted: C:\WINDOWS\system32\inagr5.dll
deleting: C:\WINDOWS\system32\iprnonce.dll
Successfully Deleted: C:\WINDOWS\system32\iprnonce.dll
deleting: C:\WINDOWS\system32\iqakeng.dll
Successfully Deleted: C:\WINDOWS\system32\iqakeng.dll
deleting: C:\WINDOWS\system32\j46m0ej1eho.dll
Successfully Deleted: C:\WINDOWS\system32\j46m0ej1eho.dll
deleting: C:\WINDOWS\system32\j6j6lg1s16.dll
Successfully Deleted: C:\WINDOWS\system32\j6j6lg1s16.dll
deleting: C:\WINDOWS\system32\k208lcdu1f08.dll
Successfully Deleted: C:\WINDOWS\system32\k208lcdu1f08.dll
deleting: C:\WINDOWS\system32\kgrberos.dll
Successfully Deleted: C:\WINDOWS\system32\kgrberos.dll
deleting: C:\WINDOWS\system32\kt8ul7l91.dll
Successfully Deleted: C:\WINDOWS\system32\kt8ul7l91.dll
deleting: C:\WINDOWS\system32\kurnel32.dll
Successfully Deleted: C:\WINDOWS\system32\kurnel32.dll
deleting: C:\WINDOWS\system32\l2j80c1uef.dll
Successfully Deleted: C:\WINDOWS\system32\l2j80c1uef.dll
deleting: C:\WINDOWS\system32\l66olgj316o.dll
Successfully Deleted: C:\WINDOWS\system32\l66olgj316o.dll
deleting: C:\WINDOWS\system32\ltj0271mg.dll
Successfully Deleted: C:\WINDOWS\system32\ltj0271mg.dll
deleting: C:\WINDOWS\system32\lv2o09f3e.dll
Successfully Deleted: C:\WINDOWS\system32\lv2o09f3e.dll
deleting: C:\WINDOWS\system32\lv8m09l1e.dll
Successfully Deleted: C:\WINDOWS\system32\lv8m09l1e.dll
deleting: C:\WINDOWS\system32\lvlo0933e.dll
Successfully Deleted: C:\WINDOWS\system32\lvlo0933e.dll
deleting: C:\WINDOWS\system32\lvno0953e.dll
Successfully Deleted: C:\WINDOWS\system32\lvno0953e.dll
deleting: C:\WINDOWS\system32\lvr0099me.dll
Successfully Deleted: C:\WINDOWS\system32\lvr0099me.dll
deleting: C:\WINDOWS\system32\lvrm0991e.dll
Successfully Deleted: C:\WINDOWS\system32\lvrm0991e.dll
deleting: C:\WINDOWS\system32\m0rmla911d.dll
Successfully Deleted: C:\WINDOWS\system32\m0rmla911d.dll
deleting: C:\WINDOWS\system32\meidle.dll
Successfully Deleted: C:\WINDOWS\system32\meidle.dll
deleting: C:\WINDOWS\system32\micndmgr.dll
Successfully Deleted: C:\WINDOWS\system32\micndmgr.dll
deleting: C:\WINDOWS\system32\mjdimap.dll
Successfully Deleted: C:\WINDOWS\system32\mjdimap.dll
deleting: C:\WINDOWS\system32\mzidle.dll
Successfully Deleted: C:\WINDOWS\system32\mzidle.dll
deleting: C:\WINDOWS\system32\n48o0el3ehq.dll
Successfully Deleted: C:\WINDOWS\system32\n48o0el3ehq.dll
deleting: C:\WINDOWS\system32\nctapi.dll
Successfully Deleted: C:\WINDOWS\system32\nctapi.dll
deleting: C:\WINDOWS\system32\ogbcji32.dll
Successfully Deleted: C:\WINDOWS\system32\ogbcji32.dll
deleting: C:\WINDOWS\system32\phrfdisk.dll
Successfully Deleted: C:\WINDOWS\system32\phrfdisk.dll
deleting: C:\WINDOWS\system32\r6p8lg7u16.dll
Successfully Deleted: C:\WINDOWS\system32\r6p8lg7u16.dll
deleting: C:\WINDOWS\system32\rgcrt4.dll
Successfully Deleted: C:\WINDOWS\system32\rgcrt4.dll
deleting: C:\WINDOWS\system32\syhannel.dll
Successfully Deleted: C:\WINDOWS\system32\syhannel.dll
deleting: C:\WINDOWS\system32\tormmgr.dll
Successfully Deleted: C:\WINDOWS\system32\tormmgr.dll
deleting: C:\WINDOWS\system32\uurvoica.dll
Successfully Deleted: C:\WINDOWS\system32\uurvoica.dll
deleting: C:\WINDOWS\system32\vtdex.dll
Successfully Deleted: C:\WINDOWS\system32\vtdex.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: aflbg32.dll (164 bytes security) (deflated 5%)
adding: ampem32.dll (164 bytes security) (deflated 5%)
adding: antodisc.dll (164 bytes security) (deflated 5%)
adding: atpvg32.dll (164 bytes security) (deflated 5%)
adding: axrace.dll (164 bytes security) (deflated 5%)
adding: aza805due.dll (164 bytes security) (deflated 5%)
adding: cfmaddin.dll (164 bytes security) (deflated 4%)
adding: cicfg32.dll (164 bytes security) (deflated 5%)
adding: clbjmon.dll (164 bytes security) (deflated 5%)
adding: dJd9.dll (164 bytes security) (deflated 5%)
adding: dl32gt.dll (164 bytes security) (deflated 4%)
adding: dl7vb.dll (164 bytes security) (deflated 5%)
adding: en62l1jo1.dll (164 bytes security) (deflated 5%)
adding: en66l1js1.dll (164 bytes security) (deflated 5%)
adding: en86l1ls1.dll (164 bytes security) (deflated 5%)
adding: enj4l11q1.dll (164 bytes security) (deflated 5%)
adding: enjsl1171.dll (164 bytes security) (deflated 5%)
adding: enp6l17s1.dll (164 bytes security) (deflated 4%)
adding: erjsl1171.dll (164 bytes security) (deflated 5%)
adding: h4l20e3oeh.dll (164 bytes security) (deflated 5%)
adding: had.dll (164 bytes security) (deflated 5%)
adding: hr0805due.dll (164 bytes security) (deflated 4%)
adding: hr4805hue.dll (164 bytes security) (deflated 5%)
adding: hr8s05l7e.dll (164 bytes security) (deflated 4%)
adding: i0060adsed060.dll (164 bytes security) (deflated 5%)
adding: i060lajm1doa.dll (164 bytes security) (deflated 5%)
adding: i6jqlg1516.dll (164 bytes security) (deflated 4%)
adding: inagr5.dll (164 bytes security) (deflated 5%)
adding: iprnonce.dll (164 bytes security) (deflated 5%)
adding: iqakeng.dll (164 bytes security) (deflated 5%)
adding: j46m0ej1eho.dll (164 bytes security) (deflated 5%)
adding: j6j6lg1s16.dll (164 bytes security) (deflated 5%)
adding: k208lcdu1f08.dll (164 bytes security) (deflated 4%)
adding: kgrberos.dll (164 bytes security) (deflated 5%)
adding: kt8ul7l91.dll (164 bytes security) (deflated 5%)
adding: kurnel32.dll (164 bytes security) (deflated 4%)
adding: l2j80c1uef.dll (164 bytes security) (deflated 5%)
adding: l66olgj316o.dll (164 bytes security) (deflated 4%)
adding: ltj0271mg.dll (164 bytes security) (deflated 4%)
adding: lv2o09f3e.dll (164 bytes security) (deflated 5%)
adding: lv8m09l1e.dll (164 bytes security) (deflated 5%)
adding: lvlo0933e.dll (164 bytes security) (deflated 5%)
adding: lvno0953e.dll (164 bytes security) (deflated 5%)
adding: lvr0099me.dll (164 bytes security) (deflated 5%)
adding: lvrm0991e.dll (164 bytes security) (deflated 5%)
adding: m0rmla911d.dll (164 bytes security) (deflated 5%)
adding: meidle.dll (164 bytes security) (deflated 5%)
adding: micndmgr.dll (164 bytes security) (deflated 5%)
adding: mjdimap.dll (164 bytes security) (deflated 5%)
adding: mzidle.dll (164 bytes security) (deflated 5%)
adding: n48o0el3ehq.dll (164 bytes security) (deflated 5%)
adding: nctapi.dll (164 bytes security) (deflated 4%)
adding: ogbcji32.dll (164 bytes security) (deflated 5%)
adding: phrfdisk.dll (164 bytes security) (deflated 5%)
adding: r6p8lg7u16.dll (164 bytes security) (deflated 6%)
adding: rgcrt4.dll (164 bytes security) (deflated 5%)
adding: syhannel.dll (164 bytes security) (deflated 5%)
adding: tormmgr.dll (164 bytes security) (deflated 5%)
adding: uurvoica.dll (164 bytes security) (deflated 5%)
adding: vtdex.dll (164 bytes security) (deflated 5%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: desktop.ini (164 bytes security) (deflated 15%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 87%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 69%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/9A05EE03-AB3B-4290-A791-E7B2482F6DFD.reg (164 bytes security)
(deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: aflbg32.dll
deleting local copy: ampem32.dll
deleting local copy: antodisc.dll
deleting local copy: atpvg32.dll
deleting local copy: axrace.dll
deleting local copy: aza805due.dll
deleting local copy: cfmaddin.dll
deleting local copy: cicfg32.dll
deleting local copy: clbjmon.dll
deleting local copy: dJd9.dll
deleting local copy: dl32gt.dll
deleting local copy: dl7vb.dll
deleting local copy: en62l1jo1.dll
deleting local copy: en66l1js1.dll
deleting local copy: en86l1ls1.dll
deleting local copy: enj4l11q1.dll
deleting local copy: enjsl1171.dll
deleting local copy: enp6l17s1.dll
deleting local copy: erjsl1171.dll
deleting local copy: h4l20e3oeh.dll
deleting local copy: had.dll
deleting local copy: hr0805due.dll
deleting local copy: hr4805hue.dll
deleting local copy: hr8s05l7e.dll
deleting local copy: i0060adsed060.dll
deleting local copy: i060lajm1doa.dll
deleting local copy: i6jqlg1516.dll
deleting local copy: inagr5.dll
deleting local copy: iprnonce.dll
deleting local copy: iqakeng.dll
deleting local copy: j46m0ej1eho.dll
deleting local copy: j6j6lg1s16.dll
deleting local copy: k208lcdu1f08.dll
deleting local copy: kgrberos.dll
deleting local copy: kt8ul7l91.dll
deleting local copy: kurnel32.dll
deleting local copy: l2j80c1uef.dll
deleting local copy: l66olgj316o.dll
deleting local copy: ltj0271mg.dll
deleting local copy: lv2o09f3e.dll
deleting local copy: lv8m09l1e.dll
deleting local copy: lvlo0933e.dll
deleting local copy: lvno0953e.dll
deleting local copy: lvr0099me.dll
deleting local copy: lvrm0991e.dll
deleting local copy: m0rmla911d.dll
deleting local copy: meidle.dll
deleting local copy: micndmgr.dll
deleting local copy: mjdimap.dll
deleting local copy: mzidle.dll
deleting local copy: n48o0el3ehq.dll
deleting local copy: nctapi.dll
deleting local copy: ogbcji32.dll
deleting local copy: phrfdisk.dll
deleting local copy: r6p8lg7u16.dll
deleting local copy: rgcrt4.dll
deleting local copy: syhannel.dll
deleting local copy: tormmgr.dll
deleting local copy: uurvoica.dll
deleting local copy: vtdex.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aflbg32.dll
C:\WINDOWS\system32\ampem32.dll
C:\WINDOWS\system32\antodisc.dll
C:\WINDOWS\system32\atpvg32.dll
C:\WINDOWS\system32\axrace.dll
C:\WINDOWS\system32\aza805due.dll
C:\WINDOWS\system32\cfmaddin.dll
C:\WINDOWS\system32\cicfg32.dll
C:\WINDOWS\system32\clbjmon.dll
C:\WINDOWS\system32\dJd9.dll
C:\WINDOWS\system32\dl32gt.dll
C:\WINDOWS\system32\dl7vb.dll
C:\WINDOWS\system32\en62l1jo1.dll
C:\WINDOWS\system32\en66l1js1.dll
C:\WINDOWS\system32\en86l1ls1.dll
C:\WINDOWS\system32\enj4l11q1.dll
C:\WINDOWS\system32\enjsl1171.dll
C:\WINDOWS\system32\enp6l17s1.dll
C:\WINDOWS\system32\erjsl1171.dll
C:\WINDOWS\system32\h4l20e3oeh.dll
C:\WINDOWS\system32\had.dll
C:\WINDOWS\system32\hr0805due.dll
C:\WINDOWS\system32\hr4805hue.dll
C:\WINDOWS\system32\hr8s05l7e.dll
C:\WINDOWS\system32\i0060adsed060.dll
C:\WINDOWS\system32\i060lajm1doa.dll
C:\WINDOWS\system32\i6jqlg1516.dll
C:\WINDOWS\system32\inagr5.dll
C:\WINDOWS\system32\iprnonce.dll
C:\WINDOWS\system32\iqakeng.dll
C:\WINDOWS\system32\j46m0ej1eho.dll
C:\WINDOWS\system32\j6j6lg1s16.dll
C:\WINDOWS\system32\k208lcdu1f08.dll
C:\WINDOWS\system32\kgrberos.dll
C:\WINDOWS\system32\kt8ul7l91.dll
C:\WINDOWS\system32\kurnel32.dll
C:\WINDOWS\system32\l2j80c1uef.dll
C:\WINDOWS\system32\l66olgj316o.dll
C:\WINDOWS\system32\ltj0271mg.dll
C:\WINDOWS\system32\lv2o09f3e.dll
C:\WINDOWS\system32\lv8m09l1e.dll
C:\WINDOWS\system32\lvlo0933e.dll
C:\WINDOWS\system32\lvno0953e.dll
C:\WINDOWS\system32\lvr0099me.dll
C:\WINDOWS\system32\lvrm0991e.dll
C:\WINDOWS\system32\m0rmla911d.dll
C:\WINDOWS\system32\meidle.dll
C:\WINDOWS\system32\micndmgr.dll
C:\WINDOWS\system32\mjdimap.dll
C:\WINDOWS\system32\mzidle.dll
C:\WINDOWS\system32\n48o0el3ehq.dll
C:\WINDOWS\system32\nctapi.dll
C:\WINDOWS\system32\ogbcji32.dll
C:\WINDOWS\system32\phrfdisk.dll
C:\WINDOWS\system32\r6p8lg7u16.dll
C:\WINDOWS\system32\rgcrt4.dll
C:\WINDOWS\system32\syhannel.dll
C:\WINDOWS\system32\tormmgr.dll
C:\WINDOWS\system32\uurvoica.dll
C:\WINDOWS\system32\vtdex.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved]
"{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}"=-
[-HKEY_CLASSES_ROOT\CLSID\{9A05EE03-AB3B-4290-A791-E7B2482F6DFD}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\User Agent\Post Platform]
"{23E1454D-30FC-4CC8-9AA8-DCD7D3306096}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{23E1454D-30FC-4CC8-9AA8-DCD7D3306096}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
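The Winlogon\Notify export above is the part of this log worth being able to read without a tool, because a rogue Notify subkey (a DLL that winlogon loads at every logon, outside any user session) is exactly the kind of persistence that survives deleting files. As an added example that is not l2mfix code or anything from the thread, the following Python parses Regedit 5 export text in the shape l2mfix prints (it joins the `\`-continued hex lines and the key paths the forum wrapped onto two lines), decodes `DllName` values stored as `hex(2):...` (REG_EXPAND_SZ in UTF-16LE), and flags any Notify subkey whose DllName is missing or not on a baseline. The baseline set and the `sample_unknown` subkey in the embedded sample are constructed assumptions, not an authoritative list of Windows DLLs.

```python
"""Triage a Winlogon\\Notify .reg export like the one l2mfix prints.

Added example for this thread (not l2mfix code). Decodes the hex(2) DllName
values and flags subkeys outside an assumed baseline.
"""
import re

# Assumed baseline: the DLLs the clean export in this thread registers.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _logical_lines(text):
    """Join continuation lines so each key or value is one string."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if out and out[-1].endswith("\\"):            # hex data continued with "\"
            out[-1] = out[-1][:-1] + line
        elif out and out[-1].startswith("[") and not out[-1].endswith("]"):
            out[-1] = out[-1] + " " + line              # key path wrapped by the forum
        else:
            out.append(line)
    return out


def decode_value(data):
    """Decode one .reg data field: "str", dword:hex, or hex(type):bytes."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(h, 16) for h in m.group("bytes").split(",") if h)
        if m.group("type") in ("1", "2", "7"):      # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data                                     # e.g. the "-" deletion marker


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for the export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("data"))
    return keys


def suspicious_notify_entries(text, baseline=BASELINE_DLLS):
    """Flag Notify subkeys with no DllName or a DllName outside the baseline."""
    findings = []
    for key, values in parse_reg(text).items():
        if "\\Winlogon\\Notify\\" not in key:
            continue                                # skip the parent key itself
        subkey = key.rsplit("\\", 1)[-1]
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, None, "no DllName value"))
        elif str(dll).lower() not in baseline:
            findings.append((subkey, dll, "DllName not in baseline"))
    return findings


# Constructed sample in the shape l2mfix prints: two subkeys as in the thread's
# clean export plus one made-up subkey ("sample_unknown") to exercise the check.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\sample_unknown]
"DllName"="sample32.dll"
"Startup"="SampleStartup"
"""

if __name__ == "__main__":
    for subkey, dll, reason in suspicious_notify_entries(SAMPLE_EXPORT):
        print(subkey, dll, reason)
```

Note that `DllName` is matched case-insensitively: the clean export mixes `DllName` and `DLLName`, and a value-name comparison that is case-sensitive would miss half the real entries. A baseline of known-good DLL names is the right shape for this key because Windows only registers a handful of them; anything else loading into winlogon deserves a look even if its name imitates a system file.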

Buckeye_Sam
7 Feb 2005, 3:51am
Download(right click and select Save file as or Save link as): DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf

To use: Close all open browsers
Right-click DelDomains.inf and select: Install

This should remove those 015 entries.



Please download CWShredder but don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe


Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


Make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.bleepingcomputer.com/forums/tutorial62.html)

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} -
C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} -
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} -
C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvpys32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} -
C:\WINDOWS\isrvs\mfiltis.dll
O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} -
C:\WINDOWS\system32\wnim.dll


Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html)


Now run CWShredder, making sure to click "Fix".


Then delete these files or directories

C:\WINDOWS\EliteToolBar
C:\WINDOWS\EliteSideBar
C:\WINDOWS\system32\mtxcbus.dll
C:\WINDOWS\isrvs
C:\windows\system32\kalvpys32.exe <- this filename may have changed but should be very similar
C:\WINDOWS\system32\wnim.dll

If anything will not allow you to delete it, right click on the file, select Properties, and make sure Read-only is unchecked. Please let me know if any of these files can not be deleted or do not exist.


Run a full scan with Adaware.

Reboot your computer to go back to normal mode and post a new log.

xcasperx
8 Feb 2005, 5:14pm
CWShredder is no longer working when I try to open it. I'm thinking it might be easier to format my hard drive and reinstall Windows. If I were to share a couple of folders of important files and copy them to another computer over a network, do you think the other computer would become infected? It would mostly be Microsoft Word documents and MP3s. Thank you for your help, but I think it might just be easier to start over again.

Buckeye_Sam
8 Feb 2005, 5:30pm
I always look at formatting your hard drive as a last resort. I don't think we're there yet, but your choice. For what it's worth, you've cleaned up the worst of your problems.

At least try the other steps without running CWShredder. It may be enough. Reboot and post a new log so we can see what's still there.

xcasperx
9 Feb 2005, 7:39am
Here's the new log. I still appear to have the same problems. Thank you again for your help. I plan on copying some important files onto another computer on the network. I know you said earlier that it is unlikely to spread over a network; I'm assuming this still applies? Thank you.
Logfile of HijackThis v1.99.0
Scan saved at 10:19:44 PM, on 2/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\program files\hijackthis\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .3g2: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Buckeye_Sam
10 Feb 2005, 12:37am
Your log looks much better now than I've seen it before. We're making excellent progress. Are you still having the problem booting up or is it something else now?

Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3



Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\boln.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer

Reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/tutorial61.html)



Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\isrvs <- let me know if this folder is not present
C:\WINDOWS\system32\mtxcbus.dll
C:\WINDOWS\system32\boln.dll



Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.



Reboot back to normal mode and post a new log.



On a hunch, please download and run Stinger.
http://download.nai.com/products/mcafee-avert/stinger.exe

Let me know if it finds anything.
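The two replies above pick entries out of a HijackThis log by hand using a few recurring tells: a BHO whose CLSID is registered but whose file is gone, a Run entry that re-registers a bare DLL name through rundll32 at every logon, a third-party text/html or text/plain MIME filter, an IE search page pointing somewhere other than the default, and then anything else living in the same directory as a flagged component (which is why the whole `C:\WINDOWS\isrvs` folder gets deleted). As an added example that is not HijackThis code or anything from the thread, the following Python encodes those tells as rules over log lines and runs them on sample lines constructed from entries quoted in the thread. The default-host set and the list of shared directories too broad to pivot on are assumptions.

```python
"""Rule-based triage of HijackThis log lines (added example; not HijackThis code).

First pass: per-line rules. Second pass: pivot on the directory of anything
flagged, so siblings of a flagged component are surfaced too.
"""
import ntpath
import re
from urllib.parse import urlparse

# Assumption: hosts a stock IE6 start/search page points at.
DEFAULT_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com", "go.microsoft.com"}
# Assumption: shared directories too broad to pivot on (benign files live there too).
SHARED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\program files"}

ITEM_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
CLSID_ITEM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_ITEM_RE = re.compile(r"^(?P<key>.*?) = (?P<url>\S+)$")
LOADER_RE = re.compile(r'^(?:rundll32|regsvr32)(?:\.exe)?\s+"?(?P<dll>[^\s,"]+)', re.IGNORECASE)
FIRST_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll))', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def _rule(sec, body):
    """Return a reason string if a single line matches one of the tells, else None."""
    if sec.startswith("R"):
        m = URL_ITEM_RE.match(body)
        if not m:
            return None
        url = m.group("url")
        if url.lower().startswith("res://"):
            return "search/start page served from a local DLL resource"
        host = urlparse(url).hostname
        if host and host.lower() not in DEFAULT_HOSTS:
            return "IE search/start page redirected to " + host
        return None
    if sec == "O4":
        m = RUN_RE.match(body)
        ld = LOADER_RE.match(m.group("cmd")) if m else None
        if ld and "\\" not in ld.group("dll"):
            return "Run entry re-registers bare DLL %s at every logon" % ld.group("dll")
        return None
    m = CLSID_ITEM_RE.match(body)
    if not m:
        return None
    if m.group("path") == "(no file)":
        return "CLSID registered but its DLL is missing"
    if sec == "O18" and m.group("name").startswith("text/"):
        return "third-party MIME filter hooks every %s page" % m.group("name")
    return None


def _file_path(sec, body):
    """Best-effort absolute file path an item refers to, or None."""
    if sec == "O4":
        m = RUN_RE.match(body)
        p = FIRST_PATH_RE.match(m.group("cmd")) if m else None
        return p.group("path") if p else None
    if sec == "O23":
        path = body.rsplit(" - ", 1)[-1]
    else:
        m = CLSID_ITEM_RE.match(body)
        path = m.group("path") if m else ""
    return path if DRIVE_RE.match(path) else None


def _dir_of(path):
    return ntpath.dirname(path).lower() if path else None


def triage(lines):
    """Return [(line, reason)] for entries a defender should review."""
    items = []
    for raw in lines:
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append((raw.strip(), m.group("sec"), m.group("body")))
    findings = [(line, _rule(sec, body)) for line, sec, body in items if _rule(sec, body)]
    flagged = {line for line, _ in findings}
    # Pivot: directories of flagged components, excluding shared system dirs.
    pivot_dirs = {_dir_of(_file_path(sec, body)) for line, sec, body in items if line in flagged}
    pivot_dirs = {d for d in pivot_dirs if d and d not in SHARED_DIRS}
    for line, sec, body in items:
        d = _dir_of(_file_path(sec, body))
        if line not in flagged and d in pivot_dirs:
            findings.append((line, "shares directory %s with a flagged component" % d))
    return findings


# Constructed sample: entries quoted in this thread plus a benign R0 and O23 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {84914404-C81E-EC9D-533F-664BF188B386} - (no file)
O2 - BHO: mtxcbus - {99C766BD-3721-6D26-B923-0FC07604B5F1} - C:\WINDOWS\system32\mtxcbus.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```

The pivot step is what turns a list of individual hits into the "delete this directory" instruction in the reply above: `mfiltis.dll` is flagged by the O18 rule on its own, and `desktop.exe` is then surfaced only because it lives beside it. The exclusion list keeps one flagged file in `system32` from dragging every legitimate system32 entry into the report, which is the usual failure mode of directory pivoting. The rules do not catch `mtxcbus.dll` in the sample because nothing about its line alone is anomalous; that entry was identified by the helper from knowledge of the infection, which no line-level rule replaces.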