Please help with my removal {inactive}

edited September 2006 in Spyware & Virus Removal
I was on vacation, and while I was gone my mother used my computer for some things. When I got back I came to find I have a serious spyware problem. In the background, I can hear a double-click noise; it appears to be trying to open something. This sound happens completely randomly, and at different intervals. When I have Firefox open and it happens, it attempts to launch pop-up sites. Here is my HJT log and a Panda log.
EDIT: now a Kaspersky log too.

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 8:34:23 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

Panda Log

Incident Status Location

Spyware:Cookie/Atlas DMT
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/YieldManager
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Com.com
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[.com.com/]
Spyware:Cookie/AspinallsOnlineCasino
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[.pacificpoker.com/]
Spyware:Cookie/nCase
Not disinfected C:\Documents and Settings\Kyle\Cookies\kyle@banners.searchingbooth[1].txt
Spyware:Cookie/RealMedia
Not disinfected C:\Documents and Settings\Kyle\Cookies\kyle@realmedia[1].txt
Potentially unwanted tool:Application/DriveCleaner
Not disinfected C:\Documents and Settings\Kyle\Desktop\installdrivecleanerstart.exe
Adware:Adware/ActiveSearch
Not disinfected C:\Program Files\Deskbar\deskbar.dll
Adware:adware/dollarrevenue
Not disinfected C:\WINDOWS\keyboard1.dat
Spyware:Spyware/LinkReplacer
Not disinfected C:\WINDOWS\system32\bez6n4r21.exe.tcf
Spyware:Spyware/LinkReplacer
Not disinfected C:\WINDOWS\system32bez6n4r21.exe.tcf

Kaspersky

KASPERSKY ONLINE SCANNER REPORT
Friday, August 25, 2006 1:26:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 25/08/2006
Kaspersky Anti-Virus database records: 218100

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 53838
Number of viruses found: 5
Number of infected objects: 11 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:39:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\history.dat Object is locked skipped
C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\parent.lock Object is locked skipped
C:\Documents and Settings\Kyle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\History\History.IE5\MSHist012006082520060826\index.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\AntiPhishing\2997C193-A464-4307-88C9-F9C00083CD16.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\1AM87QUU\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\1AM87QUU\popup[2].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\1AM87QUU\popup[3].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\1AM87QUU\popup[4].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\C2DIHQJO\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kyle\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kyle\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Messenger\qunycy.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Program Files\Valve\Steam\Steam.log Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\base source engine 2.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\counter-strike source client.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\counter-strike source shared.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\half-life 2 content.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\half-life 2 deathmatch.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source engine.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source materials.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source models.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source sounds.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\sourceinit.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\winui.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamLogs\SteamStats.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{64418832-B61B-4CDF-B9FC-A4600D717F3A}\RP157\A0028101.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\System Volume Information\_restore{64418832-B61B-4CDF-B9FC-A4600D717F3A}\RP167\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\bez6n4r21.exe.tcf Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iqqr.exe.tcf Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32bez6n4r21.exe.tcf Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Just noticed something: it won't let me uninstall my Firefox.

Thank you in advance for your help.
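As an added triage example (not part of the original post, and not tooling from HijackThis, Panda or Kaspersky), the script below parses the three log formats posted above and cross-references them: Kaspersky lines are split into "Infected:" hits versus the "Object is locked skipped" noise, Panda's two-line category/location pairs are joined, and HijackThis autostart entries (O2/O4/O9/O20/O23) have their file path extracted so they can be checked against what the scanners flagged. Detections are bucketed so the reader can tell an on-disk component apart from a tracking cookie, a cached pop-up page or a copy sitting in a System Restore point. The sample lines are copied from the logs in this post; the regexes and bucket names are this example's own assumptions, and note that HijackThis often prints 8.3 short names (C:\PROGRA~1\...) that will not string-match the long names scanners report, so a real run would expand them on the machine first.

```python
"""Cross-reference a HijackThis log with Panda and Kaspersky scan reports.
Added example: the sample lines below are copied from the logs in the post;
the parsing rules and bucket names are assumptions of this example."""
import re
from collections import defaultdict

# HijackThis: "<code> - <rest>", e.g. "O4 - HKLM\..\Run: [AVG7_CC] C:\...\avgcc.exe /STARTUP"
HJT_LINE = re.compile(r"^(?P<code>[OR]\d{1,2}) - (?P<rest>.+)$")
# First Windows path (drive letter or %var%) that ends in an executable-type extension.
WIN_PATH = re.compile(
    r'((?:[A-Za-z]:\\|%\w+%\\)[^"]*?\.(?:exe|dll|sys|ocx|scr|cpl|bat|cmd))(?=["\s]|$)',
    re.IGNORECASE,
)
# Kaspersky: "<path> Infected: <name> <action>"; "Object is locked skipped" lines never match.
KAV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Panda: a "<category>:<name>" header line followed by a "<status> <path>" line.
PANDA_LOC = re.compile(r"^(?P<status>Not disinfected|Disinfected|Deleted) (?P<path>.+)$")
PANDA_HEAD = re.compile(r"^(?P<category>[A-Za-z ]+):(?P<name>.+)$")


def parse_hjt(text):
    """Return one dict per HijackThis entry with the file path it points at, if any."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        p = WIN_PATH.search(rest)
        entries.append({"code": m.group("code"), "rest": rest,
                        "path": p.group(1) if p else None,
                        "file_missing": "(file missing)" in rest})
    return entries


def parse_kaspersky(text):
    """Keep only 'Infected:' objects; locked/skipped system files are scanner noise."""
    hits = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            hits.append({"detector": "kaspersky", "path": m.group("path"),
                         "name": m.group("name"), "action": m.group("action")})
    return hits


def parse_panda(text):
    """Join each Panda category header with the location line that follows it."""
    hits, head = [], None
    for line in text.splitlines():
        line = line.strip()
        loc = PANDA_LOC.match(line)          # test location first: it also contains a colon
        if loc and head:
            hits.append({"detector": "panda", "path": loc.group("path"),
                         "name": f"{head.group('category')}:{head.group('name')}",
                         "action": loc.group("status")})
            head = None
            continue
        h = PANDA_HEAD.match(line)
        if h:
            head = h
    return hits


def bucket(path):
    """Classify a detection by where it lives, which decides how urgent it is."""
    p = path.lower()
    if "\\cookies\\" in p or "cookies.txt[" in p:
        return "cookie"            # tracking cookies: data, not code
    if p.startswith("c:\\system volume information\\"):
        return "restore_point"     # inert until restored; purge restore points last
    if "\\temporary internet files\\" in p:
        return "browser_cache"     # cached pages the browser already rendered
    return "file"                  # an on-disk component: the thing to actually remove


def triage(hjt_text, kav_text, panda_text):
    """Bucket every detection and check HijackThis autostarts against them."""
    by_bucket = defaultdict(dict)  # bucket -> {lowercased path: first hit seen}
    for h in parse_kaspersky(kav_text) + parse_panda(panda_text):
        by_bucket[bucket(h["path"])].setdefault(h["path"].lower(), h)
    flagged = {p for d in by_bucket.values() for p in d}
    hjt = parse_hjt(hjt_text)
    return {
        "files": sorted(by_bucket["file"]),
        "browser_cache": sorted(by_bucket["browser_cache"]),
        "cookies": sorted(by_bucket["cookie"]),
        "restore_point": sorted(by_bucket["restore_point"]),
        "autostart_flagged": [e for e in hjt if e["path"] and e["path"].lower() in flagged],
        "autostart_missing": [e for e in hjt if e["file_missing"]],
        # entries whose target could not be parsed (e.g. a bare directory) need a manual look
        "autostart_unparsed": [e for e in hjt if e["path"] is None
                               and e["code"] in ("O2", "O4", "O20", "O23")],
    }


# Sample lines copied from the three logs in the post.
HJT_SAMPLE = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""
KAV_SAMPLE = r"""
C:\Documents and Settings\Kyle\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kyle\Local Settings\Temporary Internet Files\Content.IE5\1AM87QUU\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
C:\Program Files\Messenger\qunycy.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{64418832-B61B-4CDF-B9FC-A4600D717F3A}\RP157\A0028101.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32\bez6n4r21.exe.tcf Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32\iqqr.exe.tcf Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
"""
PANDA_SAMPLE = r"""
Spyware:Cookie/Doubleclick
Not disinfected C:\Documents and Settings\Kyle\Application Data\Mozilla\Firefox\Profiles\ekpknuoa.default\cookies.txt[.doubleclick.net/]
Potentially unwanted tool:Application/DriveCleaner
Not disinfected C:\Documents and Settings\Kyle\Desktop\installdrivecleanerstart.exe
Adware:Adware/ActiveSearch
Not disinfected C:\Program Files\Deskbar\deskbar.dll
Adware:adware/dollarrevenue
Not disinfected C:\WINDOWS\keyboard1.dat
Spyware:Spyware/LinkReplacer
Not disinfected C:\WINDOWS\system32\bez6n4r21.exe.tcf
"""

if __name__ == "__main__":
    for key, val in triage(HJT_SAMPLE, KAV_SAMPLE, PANDA_SAMPLE).items():
        print(key, val)
```

On these samples every scanner hit lands in the "files", "browser_cache", "cookies" or "restore_point" bucket, none of the HijackThis autostart paths is among the flagged files, the O9 xpnetdiag entry is reported as a missing file, and the O20 WgaLogon line (a bare directory, no file) comes back as unparsed for manual review; the same split is what a helper would do by eye before deciding which log lines actually need a fix.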

Comments

  • jmoney3457 (Maine)
    edited September 2006
    Since this issue appears inactive I am going to lock it. If you're the original poster and need this thread reopened, please PM either myself or one of the other mods with a link to this thread and it'll be opened :)
This discussion has been closed.