dlh6213 27 Posting Maven Team Colleague

If you look through this thread, you should find a patch for SP2 that may fix this problem:
http://www.daniweb.com/techtalkforums/thread10031.html

If you decide to uninstall SP2 (not recommended by me), you can do it from Add/Remove Programs, but you need to be in Safe Mode.

dlh6213 27 Posting Maven Team Colleague

Sorry about the delay in responding to your post, it's been pretty busy here lately and yours seems to have gotten overlooked.

If you can't find an .exe file using Google, it's usually a pretty good indication that it's bad.

Before you fix anything with hijackthis, it needs to be in its own permanent folder; right now you have it in a Temp folder, which most likely needs to be emptied as a part of your cleanup. If you still require assistance, please move HJT into a folder, like C:\HJT\hijackthis.exe, and post a new log.

dlh6213 27 Posting Maven Team Colleague

How'd you guess? I'm trying to hit 1,000 before the end of the year! :D

dlh6213 27 Posting Maven Team Colleague

I almost missed this one because it's a legit file when it's in the correct place (but it's not! Thanks crunchie!)

Have HJT fix this one as well:
O4 - HKLM\..\RunServices: [RA Server] C:\WINDOWS\Slave.exe

And while you're in Safe Mode, go to
C:\WINDOWS and delete Slave.exe, if found

dlh6213 27 Posting Maven Team Colleague

Follow the suggestions in this thread (including the free antivirus scanners):
http://www.daniweb.com/techtalkforums/thread5690.html

Get hijackthis, explained in that thread (make sure you get version 1.99) and put it in its own folder. Close all browser windows, scan with HJT, save the log, then copy and paste it here.

dlh6213 27 Posting Maven Team Colleague

No worries. You do realise that we don't get paid for helping the helpers :D.

I apologize for diverting your revenue stream; is there any way I can make it up to you?

dlh6213 27 Posting Maven Team Colleague

Next time please post a copy of your log instead of an attachment. Oops, guess you did that when I wasn't looking :o

Close all browser windows before fixing anything with hijackthis. Scan with HJT and have it fix the following entries:

These only if walla.co is not your ISP:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.walla.co.il/ts.cgi?tsscript=find&ie=searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find.walla.co.il/ts.cgi?tsscript=ie/config
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.walla.co.il/ts.cgi?tsscript=find&ie=searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://find.walla.co.il/ts.cgi?tsscript=ie/config
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find.walla.co.il/ts.cgi?tsscript=find&ie=searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://find.walla.co.il/ts.cgi?tsscript=ie/config

This only if RIPE is not your ISP:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.56.254.21:80

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\MSDXM.OCX (file missing)

This one appears to be related to Walla:
O4 - Startup: וואלה! מבזקים.lnk = C:\Program Files\Walla\Online\wie.exe
If you don't know what this is, have HJT fix it and then...

Reboot into Safe Mode

Go to C:\Program Files and delete the Walla folder (but do this only if you're sure it's not something you use)

Reboot normally, close any open browser windows, scan with HJT, copy and paste the new log here please.

dlh6213 27 Posting Maven Team Colleague

I don't see anything bad in your log.

As far as the Norton notice, I find it hard to believe, but it seems that reminder can't be stopped unless you uninstall the program or update it (http://www.dealtime.com/xPR-Symantec_SYMANTEC_Norton_SystemWorks_2004_Professional~RD-158249684612, http://www.gripe2ed.com/scoop/story/2003/5/23/124055/405)

NAV Cfgwiz is a resource hog (according to this http://startup.iamnotageek.com/srch-cfgwiz.exe.html), but they don't recommend removing it here (http://startup.iamnotageek.com/srch-cfgwiz.exe.html), so I guess it's up to you on that.

Sorry about the slow response, but it's been rather busy here lately.

dlh6213 27 Posting Maven Team Colleague

Please update your hijackthis to version 1.99 and post a new log.

Sorry for the slow response, been busy here lately.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if found. You may be given a code to insert, if so, insert it and reboot.

Use ctrl-alt-del to access Task Manager, click on the Processes tab, and End Process on any of these that are running:
wupdt.exe
erfock.exe
salm.exe
conscorr.exe
satmat.exe

For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

Delete the entire content of your C:\Windows\Temp folder
Delete the entire content of your C:\Temp folder
Do a search for *.tmp and delete everything found

Empty your Recycle Bin.

Close all browser windows before fixing anything with hijackthis. Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: …

dlh6213 27 Posting Maven Team Colleague

Okay, I put pav.sig back where it came from and deleted everything that I had listed in Post #2. Thanks for the help!!

dlh6213 27 Posting Maven Team Colleague

Download moveonboot from here:
http://www.webattack.com/get/moveonboot.html
The file(s) you choose will be deleted on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.

dlh6213 27 Posting Maven Team Colleague

Glad to hear everything is working properly :)

Remember to keep all your protection updated and enabled :)

HAPPY NEW YEAR to you too :)

dlh6213 27 Posting Maven Team Colleague

Although pcOrion has reportedly cleaned up its act, I would still trust the programs caperjack recommended over it. You can find out more about pcOrion here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#swn_note

dlh6213 27 Posting Maven Team Colleague

Apparently pav.sig is a part of Panda's antivirus; I put it in that folder because it came up shortly after the rest of the bad stuff. But that's because I ran Panda shortly thereafter :). Should I move that back to the System32 folder?

dlh6213 27 Posting Maven Team Colleague

Well, let's see...

Okay, it seems to have worked; it was too big at first though (2mb limit), so I removed a file called pav.sig.

dlh6213 27 Posting Maven Team Colleague

Some of these came back for some reason. Be sure all windows are closed when you hit the FIX button in HJT. Scan again and have it fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html

Do you use gamespot? If not, have it fix this one too:
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Reboot, close all browser windows, scan with HJT, and post a new log. If these come back again, someone else here will have to assist you cuz I don't know what else to do. :(

dlh6213 27 Posting Maven Team Colleague

Try a search for "Startup Programs" using today's date (or yesterday's, depending on which side of midnight you're on). If that doesn't work, try a search using *.txt

dlh6213 27 Posting Maven Team Colleague

Sorry about that, I didn't see anything that said there was a 'good' version of FlashGet.

You can go ahead and fix everything except the FlashGet stuff; were you having a particular problem?

dlh6213 27 Posting Maven Team Colleague

I had the same problem when I ran Silent Runners, it says it puts the log in the Temporary Internet folder, but I couldn't find it there. What I did was put Silent Runners in it's own folder, then when I ran it, the log showed up in that folder; give that a try.

dlh6213 27 Posting Maven Team Colleague

Got a similar message when trying Yahoo. The folder is zipped.

dlh6213 27 Posting Maven Team Colleague

Guess what? When I tried to attach it (using Hotmail), I got a message saying "The file that you want to attach contains a virus that cannot be cleaned. The file cannot be attached to your message."

dlh6213 27 Posting Maven Team Colleague

What should I do with the things I put in my Temp folder (see post #2)?

dlh6213 27 Posting Maven Team Colleague

Use ctrl-alt-del to access Task Manager and End Process on flashget.exe

Go to Add/Remove Programs in your Control Panel and remove this, if found:
Flashget

Close all browser windows, scan with HJT, and have it fix the following entries:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZN
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsu...stallHelper.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab

Reboot into Safe Mode

Go to
C:\Program Files and delete the FlashGet folder

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

There are several programs related to Asian language, let us know whether or not you installed them intentionally.

dlh6213 27 Posting Maven Team Colleague

Use ctrl-alt-del to access Windows Task Manager; click on the Processes tab, and look for ?hkdsk.exe; if it's there, click on it to highlight it, and then click End Process down at the bottom. Do the same for eetu.exe and id53.exe. Close Task Manager.

Go to Add/Remove Programs in your Control Panel and remove these, if found:
Winad
NetSvc

Before you fix anything with hijackthis, you should put it in its own folder. Right-click on an empty area of your desktop, point to New, and then click on Folder. Name the folder whatever you like (something like HJT); then drag the hijackthis.exe that is on your desktop into this new folder.

After you've moved hijackthis, close all browser windows, scan with HJT, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
O2 - BHO: (no name) - {1EF06E5C-B860-52E6-D770-63557F867339} - C:\WINDOWS\System32\qfhg.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\System32\dsktrf.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [gnbhisjyzi] C:\WINDOWS\System32\fywlpo.exe
O4 - HKCU\..\Run: [Bttx] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Joanie Stumpf\Application Data\eetu.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...ba4f3abd0557676
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
O16 - …

dlh6213 27 Posting Maven Team Colleague

Close all browser windows, scan with HJT, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll (file missing)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Reboot into Safe Mode

Go to
C:\WINDOWS and delete the isrvs folder
C:\WINDOWS\System32 and delete hsrb.dll, if found

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Yes, it's an O2 entry; here's the whole log (without 'List all minor sections'):

Logfile of HijackThis v1.99.0
Scan saved at 11:50:28 PM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\dllcache\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Utilities\PestPatrol\CookiePatrol.exe
O4 - …

dlh6213 27 Posting Maven Team Colleague

Take your time, I'm taking a break for awhile :)

dlh6213 27 Posting Maven Team Colleague

Here's the dllCompare log:

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 6:21:24p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
________________________________________________

1,275 items found: 1,275 files (7 H/S), 0 directories.
Total of file sizes: 245,905,816 bytes 234.51 M

Administrator Account = True

--------------------End log---------------------

dlh6213 27 Posting Maven Team Colleague

Here's the HJT log:
StartupList report, 12/29/2004, 10:10:56 PM
StartupList version: 1.52.2
Started from : C:\Utilities\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Utilities\PestPatrol\CookiePatrol.exe
C:\Utilities\PestPatrol\PPMemCheck.exe
C:\Utilities\PestPatrol\PPControl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utilities\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WorksFUD = C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
QuickTime Task = "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
QD FastAndSafe = C:\Utilities\PestPatrol\CookiePatrol.exe
PPMemCheck = C:\Utilities\PestPatrol\PPMemCheck.exe
PestPatrol Control Center = C:\Utilities\PestPatrol\PPControl.exe
mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
CookiePatrol = C:\Utilities\PestPatrol\CookiePatrol.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\system32\dllcache\notepad.exe %1

--------------------------------------------------

Enumerating …

dlh6213 27 Posting Maven Team Colleague

Yeah, the search found nothing. I tried running it again and this time saw that the log was put in the Temporary Internet folder, but I looked and it wasn't there. So I tried it again, but this time I saved it to a folder instead of just running it. This time I was able to find the log; here it is:

"Silent Runners.vbs", revision 28, launched at: 22:03
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP

Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WorksFUD" = "C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"QD FastAndSafe" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"PPMemCheck" = "C:\Utilities\PestPatrol\PPMemCheck.exe" [null data]
"PestPatrol Control Center" = "C:\Utilities\PestPatrol\PPControl.exe" [null data]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers" ["Microsoft® Corporation"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"CookiePatrol" = "C:\Utilities\PestPatrol\CookiePatrol.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
"{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default)" = "Fax"
                                       \StubPath   = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
"{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default)" = "Fax Provider"
                                       \StubPath   = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{80F11BC6-310B-42AD-98E5-4AC76B43F42A}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\System32\msmn.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, …
dlh6213 27 Posting Maven Team Colleague

Okay, now I got this one...

But right after that came up, a message popped up saying something about finding the results somewhere, but it disappeared too fast for me to see where.

dlh6213 27 Posting Maven Team Colleague

I opened Silent Runners and got the message attached.

dlh6213 27 Posting Maven Team Colleague

You already have a thread going dealing with this and got an answer to it -- Get the IE Updates. :)

dlh6213 27 Posting Maven Team Colleague

You need to update HJT to ver 1.99, it may find things this version didn't. The only thing I see here is:
R3 - Default URLSearchHook is missing
(Close all browser windows before fixing)

Post a new log after you update HJT.

dlh6213 27 Posting Maven Team Colleague

Crumba, before fixing anything with hijackthis, you need to put it in its own permanent folder (right now you have it in a Temp folder); something like c:\hjt\hijackthis.

Also, close all browser windows when scanning with HJT.

After you've put HJT in its own folder, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

You also need to go to Windows Update and get all the Critical Updates for your system. Hold off on SP2, however, until your system gets cleaned up.

dlh6213 27 Posting Maven Team Colleague

Your log looks okay to me, are you still having a problem?

dlh6213 27 Posting Maven Team Colleague

Forgot about this before, here are instructions for using the firewall with SP2:
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

dlh6213 27 Posting Maven Team Colleague

Info about winntold:
WinNTNew (Windows NT 4.0 or higher), WinNTOld (Windows NT 3.51) found here:
http://www.bris.ac.uk/is/services/computers/operatingsystems/winnt/deploy/abcpydoc.ini.txt

dlh6213 27 Posting Maven Team Colleague

I wouldn't uninstall SP2 if Norton is your only problem. Did you check this thread for the link to Norton issues?:
http://www.daniweb.com/techtalkforums/thread10031.html
I believe there is also a link in there to a Norton fix, you may have to look through the thread a bit (or try the search function -- norton sp2).

If you upgraded to SP2 after you had Norton installed, removing and reinstalling may help, but if you installed Norton after SP2, it probably won't (unless it didn't install properly).

dlh6213 27 Posting Maven Team Colleague

Did you fix the things I suggested? You'll have to wait for one of the mods to look at the rest because it appears to be beyond my capability (for now...)

dlh6213 27 Posting Maven Team Colleague

Derek's Temp folder still has some nasties in it. Empty the contents of the Temp and Temporary Internet folders for all users on this computer daily (at least until we get your system clean, at least once a week thereafter). If they won't delete, try it from Safe Mode. Let us know if they won't go away.

Go to Add/Remove Programs in your Control Panel and remove these, if found:
AIUpdate
WeatherBug
WildTangent
Windows ServeAd

There's still a lot left, so forgive me if I miss something. Close all browser windows, scan with HJT, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.naupoint.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.naupoint.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://hp.naupoint.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://hp.naupoint.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://hp.naupoint.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us8l.hpwis.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6D29CBB6-4199-42AC-DD7B-C150601204D2} - C:\WINDOWS\javatg32.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

dlh6213 27 Posting Maven Team Colleague

Happy New Year, Ravengal!! :)

dlh6213 27 Posting Maven Team Colleague

Be sure all browser windows are closed before fixing anything with HJT (I've seen users before that said their log showed it when no windows were open -- not sure what causes this, but just make sure they're all closed). Scan with HJT and have it fix the following entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
(More info here http://www.liutilities.com/products/wintaskspro/processlibrary/WToolsA/)
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
(More info here http://computercops.biz/startuplist-6561.html)
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKLM\..\Run: [abu] abu.exe

Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

Some info on Cacheman.exe:
http://startup.iamnotageek.com/srch-Cacheman.exe.html
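The entries the two preceding posts tell the user to fix (search and start pages served out of a local DLL via res://, a forced proxy server, hosts-file lines that send search domains to an outside address, BHOs with no name or no file, and Run entries that launch from Temp, Application Data, a bare file name, or a look-alike Windows directory such as C:\winntold) can be triaged mechanically. The script below is an added example for this page, not code from the thread or from HijackThis itself. Its sample log is constructed from entries quoted in the thread (with the user name in one path replaced by "user"); the heuristics, the WINDIR constant, and the function names are the example's own assumptions, not HijackThis features.

```python
"""Triage HijackThis-style log lines with the heuristics the thread applies by hand.

Added example; not part of the forum thread or of HijackThis. The rules below
are assumptions chosen to match the entries quoted in the posts.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

WINDIR = r"C:\WINDOWS"  # assumption: the real Windows directory on the box

# Constructed sample built from entries quoted in the thread (one user name replaced).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zupgl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.56.254.21:80
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {6D29CBB6-4199-42AC-DD7B-C150601204D2} - C:\WINDOWS\javatg32.dll
O2 - BHO: (no name) - {80F11BC6-310B-42AD-98E5-4AC76B43F42A} - C:\WINDOWS\System32\msmn.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\user\Application Data\eetu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [abu] abu.exe
"""

LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    entry_type: str  # R0, R1, O1, O2, O4 ...
    reason: str
    line: str


def _suspicious_path(path: str) -> Optional[str]:
    """Heuristics for an O4 autorun target; returns a reason or None."""
    p = path.strip().strip('"')
    # A bare file name is resolved through the search path; installers write full paths.
    if "\\" not in p:
        return "bare file name, resolved via PATH"
    low = p.lower()
    for marker in ("\\temp\\", "\\application data\\", "\\local settings\\"):
        if marker in low:
            return "runs from a per-user data or temp directory"
    # A system32 that is not under the real Windows directory (e.g. C:\winntold\system32).
    if "\\system32\\" in low and not low.startswith(WINDIR.lower() + "\\"):
        return "system32 path outside the real Windows directory"
    return None


def _check_r(body: str) -> Optional[str]:
    """R0/R1: IE start/search pages and Internet Settings values."""
    key, sep, value = body.partition(" = ")
    if not sep:
        return None
    v = value.strip()
    if key.endswith("ProxyServer") and v:
        return f"proxy forced to {v}"
    if v.lower().startswith("res://"):
        return "search/start page served from a local DLL resource"
    return None


def _check_o1(body: str) -> Optional[str]:
    """O1: 'Hosts: <ip> <name>'; anything not loopback redirects that name elsewhere."""
    fields = body.split(":", 1)[1].split()
    if len(fields) < 2:
        return None
    ip, host = fields[0], fields[1]
    if ip not in ("127.0.0.1", "0.0.0.0", "::1"):
        return f"hosts file sends {host} to {ip}"
    return None


def _check_o2(body: str) -> Optional[str]:
    """O2: a BHO with no name or whose DLL is gone is worth removing either way."""
    if "(no name)" in body or "(file missing)" in body:
        return "unnamed or orphaned BHO"
    return None


def _check_o4(body: str) -> Optional[str]:
    """O4: the command after the [name] tag is the autorun target."""
    m = re.search(r"\]\s*(.*)$", body)
    return _suspicious_path(m.group(1)) if m else None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "R0": _check_r, "R1": _check_r, "O1": _check_o1, "O2": _check_o2, "O4": _check_o4,
}


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per line that trips a heuristic; other lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry_type, body = m.group("type"), m.group("body")
        check = CHECKS.get(entry_type)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(entry_type, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type}: {f.reason}\n    {f.line}")
```

On the sample, the Walla start page (a plain http URL), the Norton toolbar and the ctfmon.exe Run entry come through clean, while the res:// search bar, the proxy, the hosts redirect, both unnamed BHOs, and the winntold, Application Data and bare-name Run entries are flagged. As in the posts, a flag is a prompt to verify, not a verdict: a proxy entry is legitimate if the ISP supplied it, which is exactly the "only if ... is not your ISP" caveat above.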

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with hijackthis, put it in its own folder. You can do this by right-clicking on an empty area of your desktop, point to New, and then click on Folder. Name the folder something like HJT, and then drag the hijackthis.exe that is on your desktop into that new folder.

After you've done that, close all browser windows, scan with HJT, and have it fix the following entries:
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45BE-8A50-E4F9C62C9A84} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {6AFA4D5F-C745-0AE0-D403-15550D812A4C} - C:\WINDOWS\system32\xci.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
(This is a Web P2P Installer)
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08a349a...ip/RdxIE601.cab
(This is Netster)
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - http://install.wildtangent.com/bgn/...lim/install.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx...ior/Outside.cab

Reboot into Safe Mode

Go to C:\WINDOWS and delete BTGrab.dll, if found

Open the Registry Editor: Click Start, click Run, type REGEDIT, …

dlh6213 27 Posting Maven Team Colleague

No one with any suggestions?

dlh6213 27 Posting Maven Team Colleague

I don't see anything in your log, though it wouldn't be the first time I overlooked something :).

I'm not sure about your hotmail problem, but you can take a look at the last post in this thread to see if it will help:
http://www.daniweb.com/techtalkforums/showthread.php?t=16011&page=2

You could also try Firefox or Opera browsers.

dlh6213 27 Posting Maven Team Colleague

Before posting another HJT log, try running all your scans while in Safe Mode. Then reboot into Normal Mode, close all browser windows, scan with HJT, and post a new log.

dlh6213 27 Posting Maven Team Colleague

Well, I'm not one to recommend password 'snatchers' to anyone for any reason. But there is some software available that may help you accomplish your objective:
http://www.computercop.com/standard.html
http://www.computercop.com/index.htm

Good luck.