dlh6213 27 Posting Maven Team Colleague

To change your seticon to start manually, click on Start, point to Settings, click on Control Panel. In the Control Panel, double-click on Administrative Tools, and double-click on Services. Find seticon in the Name list on the left side (you may wish to maximize the window to make it easier), right-click on it, click on Properties, find Startup Type and click on the dropdown arrow on the far right, select Manual. Click OK at the bottom, and close the services window. Caution: keep track of any changes you make in Services so you can undo them if problems arise.

Apparently WTSrv is a driver for a Genius WizardPen.
http://www.what-process.com/process-info.aspx?p=WTSrv.exe
And is probably related to WService.EXE
http://startup.iamnotageek.com/srch-WService.exe.html

I don't see anything else in your log -- and I'm not sure why you're having that error. Maybe someone else will have some suggestions.

To get more info on processes and recommended settings, check these sites:
http://startup.iamnotageek.com/
http://www.blackviper.com/WinXP/servicecfg.htm

dlh6213 27 Posting Maven Team Colleague

I overlooked this one before, sorry. Close all browser windows, scan with HJT, and have it fix the following:
O4 - HKLM\..\Run: [mediamotor.exe] C:\WINDOWS\mmups.exe

Reboot into Safe Mode
Go to C:\WINDOWS and delete mmups.exe

Reboot normally.

You have several processes running that don't really need to be all the time, you can either disable them or set them to start manually instead of automatically. This will help your computer run a bit more efficiently. To get more info on processes and recommended settings, check these sites:
http://startup.iamnotageek.com/
http://www.blackviper.com/WinXP/servicecfg.htm
Caution: keep track of any changes you make in Services so you can undo them if problems arise. You shouldn't change more than one or two at a time so that if there is a problem, you know what caused it.

And here's some additional info on 'CTSvcCDA.EXE' http://www.liutilities.com/products/wintaskspro/processlibrary/ctsvccda/

That's all I see, though I may have overlooked something again. I'm not sure what could be causing your DNS error. Hopefully someone else will have some ideas.

To help protect your computer, you should install SpywareBlaster and/or SpywareGuard. Links to both can be found in this thread:
http://www.daniweb.com/techtalkforums/thread5690.html

dlh6213 27 Posting Maven Team Colleague

Sounds to me like your drive is going (or has gone) bad. You should try to hook it up as a slave in a working computer ASAP and save as much of your data as you can.

dlh6213 27 Posting Maven Team Colleague

Have you checked your firewall settings to see if it's preventing you from updating?

Norton has some issues with SP2 that are mentioned in this thread:
http://www.daniweb.com/techtalkforums/thread10031.html

Did you install Norton before or after upgrading to SP2?

Norton's phone support isn't free, here's a link that will lead to online or phone support:
http://www.symantec.com/techsupp/support_options.html

dlh6213 27 Posting Maven Team Colleague

After reading some previous email on this website, I believe I caused the problem by accidentally deleting a Registry key. I found this key {2CF0B992-5EEB-4143-99C0-5297EF71F444} but don't know where it came from or how to replace it.

Where did you find it and why do you think you deleted it? I don't see it listed in any of your HJT logs. :confused:

dlh6213 27 Posting Maven Team Colleague

Okay, I've done some more checking and I deleted what I was pretty sure should be. Below is what's left. I think the dll's should all go, but I can't find enough info to be sure. The others I'm not so sure about -- I just think they are bad because they were created at the same time as the rest of the junk.

date.dat (I had dte.dat before, I guess that must have been a typo)
dnsauth.dll
iecust.dll
menu.txt
msij.dll
msvw.dll
mswx.dll

dlh6213 27 Posting Maven Team Colleague

I haven't had any experience with it, but I know it can be done. Why do you ask?

dlh6213 27 Posting Maven Team Colleague

Reboot into Safe Mode (you can get to the Safe Mode boot option by hitting the F8 key as your computer is starting up)

Open Windows Explorer, and in the Folder Options, Tools, View, select "show hidden files and folders," and uncheck "Hide protected operating system files."

For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your
C:\Windows\Temp folder
C:\Temp folder

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll automatically be regenerated by Windows if they're needed.)

Empty your Recycle Bin, and then reboot normally.

Download Killbox from here:
http://www.downloads.subratam.org/KillBox.exe
and put it on your desktop. Open Killbox and select the option Delete on Reboot.

One at a time, copy & paste the full path of these files into Killbox's topmost box.
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Program Files\Admilli Service\AdmilliServ.exe

With the full path to the file name in the topmost textbox, click the Red X. For the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?" Click No after the first entry (since you are not finished yet), and after the last one, click Yes and let the system reboot.

Whenever you …
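The cleanup steps above, as an added Python example that is not part of the thread: it walks every profile under a Documents and Settings style root, empties the four per-user folders the post lists (plus any extra folders such as C:\WINDOWS\Temp and C:\Temp), reports files it could not delete instead of stopping (the locked index.dat case), and supports a dry run so you can see the plan before anything is removed. The profile tree it builds is a constructed throwaway sample so the script runs anywhere; on XP you would call clear_profile_temps on C:\Documents and Settings from Safe Mode. The folder list is copied from the post; the function and sample names are this example's own.

```python
"""Empty per-user temp folders under a Documents and Settings tree.

Added example, not part of the original thread. The folder list comes from
the post; everything else (names, sample tree) is an assumption of this script.
"""
import shutil
import tempfile
from pathlib import Path

# Folders the post says to empty, relative to each user profile.
PER_USER_TEMP = [
    ("Local Settings", "Temp"),
    ("Cookies",),
    ("History",),
    ("Local Settings", "Temporary Internet Files", "Content.IE5"),
]


def clear_folder_contents(folder, dry_run=True):
    """Delete everything inside folder (never the folder itself).

    Returns (removed, failed): removed lists what was (or would be) deleted,
    failed lists (path, error) for items Windows would not let go of, e.g. a
    locked index.dat. A failure does not abort the rest of the cleanup.
    """
    removed, failed = [], []
    folder = Path(folder)
    if not folder.is_dir():
        return removed, failed
    for child in folder.iterdir():
        try:
            if not dry_run:
                if child.is_dir() and not child.is_symlink():
                    shutil.rmtree(child)
                else:
                    child.unlink()
            removed.append(str(child))
        except OSError as exc:
            failed.append((str(child), str(exc)))
    return removed, failed


def clear_profile_temps(profiles_root, extra_folders=(), dry_run=True):
    """Apply PER_USER_TEMP to every profile directory, then the extra folders."""
    profiles_root = Path(profiles_root)
    removed, failed = [], []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for parts in PER_USER_TEMP:
            r, f = clear_folder_contents(profile.joinpath(*parts), dry_run)
            removed += r
            failed += f
    for folder in extra_folders:
        r, f = clear_folder_contents(folder, dry_run)
        removed += r
        failed += f
    return removed, failed


def build_sample_tree(root):
    """Constructed sample: two profiles with junk in each temp folder and one
    document that must survive."""
    root = Path(root)
    for user in ("Alice", "Bob"):
        for parts in PER_USER_TEMP:
            d = root.joinpath(user, *parts)
            d.mkdir(parents=True)
            (d / "junk.tmp").write_text("x")
        # Content.IE5 normally holds cache subfolders with random names.
        (root / user / "Local Settings" / "Temporary Internet Files"
              / "Content.IE5" / "ABCD1234").mkdir()
        (root / user / "My Documents").mkdir()
        (root / user / "My Documents" / "keep.txt").write_text("keep")


def run_demo():
    """Dry run first, then the real cleanup; report what is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        planned, _ = clear_profile_temps(tmp, dry_run=True)
        removed, failed = clear_profile_temps(tmp, dry_run=False)
        leftover = sorted(p.relative_to(tmp).as_posix()
                          for p in Path(tmp).rglob("*") if p.is_file())
    return {"planned": len(planned), "removed": len(removed),
            "failed": len(failed), "leftover": leftover}


if __name__ == "__main__":
    print(run_demo())
```

Run it with dry_run=True first and read the plan; the only things in the list should be cache and temp content, never anything under My Documents.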

dlh6213 27 Posting Maven Team Colleague

well yeah when i used my computer yesterday well i always use the internet!!! and yeah i couldn't access any sites!! i think the problem is winpack.exe because my computer didn't have this process well yeah i will like to get some help of removing this??? any help guys???

Could you, like, you know, maybe not say 'yeah' so much? Makes it hard to understand your post.

Why would you want winpack.exe on your computer? It's an adware and trojan downloader (http://computercops.biz/startuplist-6623.html) -- or do you want help removing it? Your post isn't very clear...

What would help us the most to help you, would be Hijackthis. Can you access the net long enough to download it? If not, do you have access to a computer where you can download it and burn it onto a CD?

Once you get Hijackthis, scan with it, save the log, and post it here. If you can't get Hijackthis, we would need more information in order to assist you.

dlh6213 27 Posting Maven Team Colleague

Download Killbox from here:
http://www.downloads.subratam.org/KillBox.exe
and put it on your desktop. Open Killbox and select the option Delete on Reboot.

Copy & paste the full path of this file into Killbox's topmost box.
C:\Program Files\Admilli Service\AdmilliServ.exe

With the full path to the file name in the topmost textbox, click the Red X. For the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?" Click Yes and let the system reboot.

Whenever you scan with HJT, be sure all browser windows are closed. Now, close all browser windows, scan with HJT, and have it fix the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe, if found
If you did not put this into your Trusted Zone, have HJT fix it:
O15 - Trusted Zone: www.mail.com

Reboot into Safe Mode and go to
C:\Program Files and delete the Admilli Service folder, if found

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hey, it's my turn for some help again! I got this hijacker that put a FreshBar toolbar on my computer, kept getting Strip Poker popups, and a balloon in the taskbar saying I needed to update my MS firewall.

I think I've got most of it fixed, just want some final cleanup advice. I'll tell you what I've done in case it will help -- or help someone else doing a search for any of the words listed (it's rather lengthy so you can probably skip the next few paragraphs if you like, to the *). This probably isn't the exact sequence either.

Ran HJT and had it fix some O17 entries that led to IP 69-50-166-94 and 69-31-80-244. I found out these were Atrivo Technologies and Nlayer Communications, respectively, by using Arin's "Whois." I also had it fix all the R0's & R1's that now said About:Blank, and an R3 (I think), that said FreshBar. I did some research (links at the end, at least one of them has a screen shot that matches my problem -- don't recall which one though), and found that this infection includes a package of the following files:
Unlodctl.exe
Nlsfuncs.exe
Pentxpl.exe
Openconf.exe
Iecust.exe

I found all of these in my System32 folder except for the pentxpl.exe. Interestingly, HJT didn't find any of these. I also found a number of other files in the same folder that were installed at about the same time, which is …

dlh6213 27 Posting Maven Team Colleague

Have you tried using System Restore to set your system back to a date prior to Sunday?

dlh6213 27 Posting Maven Team Colleague

AIUpdate could be part of some software from a Taiwanese computer company (http://www.ktop.com.tw/kautai/index-english.htm) as it can be found in their code (http://www.ktop.com.tw/kautai/32.htm). Unfortunately, I don't read Chinese, so I don't know what kind of program it is. You can take a look at their site and if any of that type of stuff is something you use, you may want to contact them to see what AIUpdate is and if you need it.

dlh6213 27 Posting Maven Team Colleague

RPrice, the 'Running processes' list in your log looks rather skimpy; was this log generated while in Safe Mode? If so, please post your next log while in Normal Mode.

dlh6213 27 Posting Maven Team Colleague

Oh my! You certainly do have a case of the nasties. There are some things you should do to help clean up this mess before we get to your HJT log. Go to this thread and follow the instructions listed in Post #2. Make sure your antivirus program is up-to-date.
http://www.daniweb.com/techtalkforums/thread14449-cleanup+temp.html

You can find more suggestions here:
http://www.daniweb.com/techtalkforums/thread5690.html

After you've done that, close all browser windows, scan with HJT, and post a new log for specific removal of any remaining items.

dlh6213 27 Posting Maven Team Colleague

You still need to go to Windows Update to get the Critical Updates for your computer :).

I would also recommend SpywareBlaster; there is a link to it in crunchie's signature block. (Keep it updated!)

dlh6213 27 Posting Maven Team Colleague

Is that Nightmedia.net, or Rightmedia.net? If it's Nightmedia, it shouldn't really be a problem (though I don't like anything that won't delete from a Temp folder).

If it's Rightmedia, it, as well as spe.atdmt.com, and a.tribalfusion.com are all related to adware and should be removed. Unfortunately, I don't know how to remove things from a Temp folder that won't delete, even while in Safe Mode (having a similar problem in another thread). Hopefully someone will come along that can assist with this.

Your log looks clean to me, so this should be your only problem.
(I'm not sure about the O17 either, don't know enough about that. :( )

dlh6213 27 Posting Maven Team Colleague

Wow! That log sure looks a lot better now!

Sorry about the PartyPoker thing... Guess I should have asked first.

The first thing I would try to get the stuff out of your Startup list is to go to Start, Programs, Startup. Then go to each one that shows up, right-click on it and select Delete. If that doesn't work, let us know.

*I don't know how I missed the AutoUpdater thing, I remember looking it up and finding out it was bad. Good thing someone's following up :).*

dlh6213 27 Posting Maven Team Colleague

Say, where and how would I go about learning all about the computer? I'm not really talking about programming. Like learning all about the hardware and such; taking a class would be cool, but in my little hick town they offer no such classes in high school. Where exactly should I start?

DaniWeb threads and Google!! :) (Better than any classroom or book learnin' I got)

dlh6213 27 Posting Maven Team Colleague

Your log looks okay to me -- don't know what to do about your Hotmail & MSN, hopefully someone else will have some ideas.

Since you already have Opera, you don't need Mozilla -- unless you don't like Opera for some reason.

***Merry Christmas!***

dlh6213 27 Posting Maven Team Colleague

To answer your question, "Hijack this log anything look dangerous?" The answer is "YES!"

Delete the contents of all Temp and Temporary Internet folders for all users on the computer.

Go to Add/Remove Programs in your Control Panel and remove these if (if found):
WeatherBug
WinTools
WildTangent
VBouncer or VirtualBouncer

Close all browser windows, scan with HJT, and have it fix the following entries:
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\0YI.dll
(This one shouldn't be there anymore if you emptied your Temp folder)
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/WToolsA/)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/wcmdmgrl/)
O4 - HKLM\..\Run: [qXkWw] C:\documents and settings\jonathan\local settings\temp\qXkWw.exe
(This should also be gone if the Temp folders were emptied)
O4 - HKLM\..\Run: [neOKky3u] C:\documents and settings\jonathan\local settings\temp\neOKky3u.exe
(This should also be gone if the Temp folders were emptied)
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
(More info on this here: http://www.liutilities.com/products/wintaskspro/processlibrary/IEHost/)
O4 - HKLM\..\Run: [2Hj] c:\windows\2Hj.exe
O4 - …
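An added example, not part of this thread and not HijackThis's own code: a small Python triage pass over HJT log lines that flags the same patterns the replies in this thread act on. It catches components registered with "(no file)" or "(file missing)", anything loading from a Temp folder, start and search pages pointing at about:NavigationFailure, about:blank or http://default.home placeholders, O15 Trusted Zone additions, O16 ActiveX entries sourced from a local file (the dialer dropped in Recycled), and O17 NameServer addresses that are not on the local network. The sample lines are constructed from entries quoted in the thread; the rules are this example's own heuristics, not HJT's classification.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example, not part of the original thread or of HijackThis itself. It
assumes only the classic HJT line shapes seen in the thread (R0/R1/R3, O2,
O4, O15, O16, O17); the flagging rules are assumptions of this script.
"""
import re
from ipaddress import ip_address

# Constructed sample log, modelled on entries quoted in the thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\0YI.dll
O2 - BHO: (no name) - {EF3FF2F2-B518-455D-BAB4-B19BD55EE9C4} - C:\WINDOWS\System32\lmcch.dll (file missing)
O4 - HKLM\..\Run: [qXkWw] C:\documents and settings\jonathan\local settings\temp\qXkWw.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: www.mail.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3367F46-8ED0-445D-9415-110C55DA5EF8}: NameServer = 198.68.210.2 204.117.214.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA48796E-98C6-466A-AD1F-BDBAA53FA8A0}: NameServer = 192.168.20.1 192.168.20.3
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Placeholder pages left behind by the hijackers discussed in the thread.
HIJACK_TARGETS = ("about:navigationfailure", "about:blank", "http://default.home")


def parse_line(line):
    """Split an HJT line into its section code and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}


def is_local_address(text):
    """True for RFC 1918 / loopback addresses, i.e. a home router or LAN server."""
    try:
        ip = ip_address(text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(entry):
    """Return the reasons an entry deserves attention (empty list = looks benign)."""
    kind, low = entry["kind"], entry["body"].lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("dangling reference: registered component has no file on disk")
    if "\\temp\\" in low:
        reasons.append("component loads from a Temp folder; legitimate software does not")
    if kind in ("R0", "R1") and any(t in low for t in HIJACK_TARGETS):
        reasons.append("browser start/search page points at a hijack placeholder")
    if kind == "O15":
        reasons.append("Trusted Zone entry relaxes IE security for that site; confirm you added it")
    if kind == "O16" and ("file://" in low or "\\recycled\\" in low):
        reasons.append("ActiveX download points at a local file (typical of a dropped dialer)")
    if kind == "O17":
        m = re.search(r"nameserver = (.+)$", low)
        if m:
            public = [s for s in m.group(1).split() if not is_local_address(s)]
            if public:
                reasons.append("DNS servers %s are public; verify they belong to your ISP"
                               % ", ".join(public))
            else:
                reasons.append("DNS servers are on the local network (router/LAN); confirm they are yours")
    return reasons


def triage_log(text):
    """Return [(raw_line, reasons)] for every flagged entry in an HJT log."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

This is a first-pass filter only. A benign entry can trip a rule (private O17 nameservers are usually just the home router, and a Trusted Zone site may be one you added), and a hijacker escapes all of them by sitting in System32 with a real file and a plausible name, which is why the replies above still ask for the complete log rather than a filtered one.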

dlh6213 27 Posting Maven Team Colleague

Like I said, I've never used it, but I'm sure it will work in Safe Mode. Before you download it though, go into Safe Mode and see if they're still there -- I have a feeling they won't be.

How did I get a 't' in professional? :confused:

dlh6213 27 Posting Maven Team Colleague

This should help with the O1 entries:
Download and run the program Hoster which gives you the ability to restore the default host file back onto your machine. To do so, when it opens, click on the Restore Original Hosts button and then exit Hoster. You can get Hoster here:
http://members.aol.com/toadbee/hoster.zip

Go to Add/Remove Programs in your Control Panel and remove WildTangent if it's there

Close all browser windows, scan with HJT, and have it fix the following:

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

Reboot into Safe Mode

Go to C:\Program Files and delete the WildTangent folder

Reboot normally

The problem that was in your Temp folder before is gone now so you must have been able to delete that one. I'm still concerned about the ones you couldn't delete though. Can you tell us what they are?

Do you know if this is your ISP? O17 - HKLM\System\CCS\Services\Tcpip\..\{A3367F46-8ED0-445D-9415-110C55DA5EF8}: NameServer = 198.68.210.2 204.117.214.10

Close all browser windows, scan with HJT, and post a new log
(This is about it for me tonight, have a Merry Christmas!)
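The hosts-file problem behind the O1 entries above, as an added Python example that is not part of the thread and is not the Hoster tool it links to: it parses a hosts file, reports every mapping other than loopback to localhost (a hijacker either blackholes update and antivirus sites at 127.0.0.1 or redirects a popular site to its own address), and can write back the stock single-line default. The sample hosts content is constructed, and the redirect address uses a documentation range rather than a real host.

```python
"""Inspect a Windows hosts file for hijack entries and restore the default.

Added example, not the thread's own code and not the Hoster tool it mentions.
Assumes classic hosts syntax: IP, whitespace, one or more names, optional
'#' comment. Sample content below is constructed.
"""
from ipaddress import ip_address

# Path on XP; the file has no extension and is often set read-only by hijackers.
XP_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: blackholes update/AV sites and redirects a search site
# to 203.0.113.5 (a documentation address standing in for an attacker host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.symantec.com   # blocks AV updates
203.0.113.5     www.google.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, name) for every name mapped in the file."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if not stripped:
            continue
        parts = stripped.split()
        if len(parts) < 2:
            continue
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue                               # malformed line, ignore
        for name in parts[1:]:
            entries.append((n, ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Everything except loopback -> localhost is suspect on a home machine.

    Returns [(line_no, name, ip, why)] so the user can see what was blocked or
    redirected before deciding to restore the default file.
    """
    out = []
    for n, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        if ip.is_loopback:
            out.append((n, name, str(ip), "blackholed: resolves to this machine, site unreachable"))
        else:
            out.append((n, name, str(ip), "redirected to a foreign address"))
    return out


def restore_default(path):
    """Overwrite the hosts file with the stock content; returns bytes written.

    On XP clear the read-only attribute first (attrib -r on the file), or the
    write fails even as Administrator.
    """
    with open(path, "w", newline="\r\n") as fh:
        return fh.write(DEFAULT_HOSTS)


if __name__ == "__main__":
    for n, name, ip, why in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %-30s %-15s %s" % (n, name, ip, why))
```

Restoring the default is safe on a machine that never had custom hosts entries; if you maintain your own (an ad-block list, LAN names), remove only the flagged lines instead.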

dlh6213 27 Posting Maven Team Colleague

Hmmmm... Well, for now, reboot normally, make sure Hijackthis is in its own folder (as suggested earlier), close all browser windows, scan with HJT, and post a new log. We'll get to those temp things later.

dlh6213 27 Posting Maven Team Colleague

OK thanks, and yes it was in safe mode, and I also had some things disabled from startup items and services... Should all of those be checked when I run it as well?

It would be best if everything were enabled until we get your system clean.

dlh6213 27 Posting Maven Team Colleague

Danielle, are you still having problems?

dlh6213 27 Posting Maven Team Colleague

Ok, I've got 3 things in temporary internet files that won't delete.

Did you try it from Safe Mode? If not, give that a try.

dlh6213 27 Posting Maven Team Colleague

Of course twiddle is a professtional term; it's what you use to fix the thingy.

I've never had a need to use this program (MoveOnBoot), but I've seen crunchie recommend it and it usually seems to work:
http://www.softwarepatch.com/software/moveonboot.html

**Merry Christmas!**

dlh6213 27 Posting Maven Team Colleague

I wouldn't recommend getting SP2 until after you've got your system clean. You can find more info on SP2 here:
http://www.daniweb.com/techtalkforums/thread10031.html

Before you fix anything with HJT, you should put it in its own folder. Right-click on your desktop, select New Folder, name it (something like HJT), and then drag the HijackThis.exe on your desktop into that folder.

Your log looks rather skimpy, was it done while in Safe Mode? If so, post your next one from Normal Mode (after you've put HJT in its own folder).

dlh6213 27 Posting Maven Team Colleague

Do you have admin rights on this computer? If so, are you using XP Home or XP Pro? If XP Home, and you have admin rights, you should be able to access them in Safe Mode. If XP Pro, you should be able to do it from Normal Mode (I think).

By the way, if you're "ANNALEAH" that's the main one we need to worry about right now.

dlh6213 27 Posting Maven Team Colleague

Can you post the log Symantec's tool gave you as crunchie requested?

You need to go to Windows Update to get all the Critical Updates for your system.

Whenever you scan with HJT (or fix anything with it), make sure all browser windows are closed. Scan with HJT again and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DDA23FE1-50DE-11D9-BA2C-4445051083BF} - C:\WINDOWS\SYSTEM\NNBN.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O13 - WWW. Prefix: http://
O18 - Filter: text/html - {B6F755C0-514B-11D9-BA2C-841FDEC5348E} - C:\WINDOWS\SYSTEM\NNBN.DLL
O18 - Filter: text/plain - {B6F755C0-514B-11D9-BA2C-841FDEC5348E} - C:\WINDOWS\SYSTEM\NNBN.DLL

Scan again with HJT (making sure all browser windows are still closed), and post a new HJT log and the Symantec log.

dlh6213 27 Posting Maven Team Colleague

Here's some more info on the Bouncer (if you're interested):
http://www.iamnotageek.com/a/bundleouter.exe.php

Before you post a new log, empty the contents of all Temp and Temporary Internet folders for all users on the computer.

dlh6213 27 Posting Maven Team Colleague

Wow, a lot happened while I was posting this! :eek:

Do you have a firewall (and is it enabled)? That should be your first line of defense (a hardware firewall is better, but a software firewall at least -- both is best!).

Next would be an up-to-date anti-virus program.

The third means of protection is to get SpywareBlaster and/or SpywareGuard. These two programs block known malware from getting to your system (as with AV programs, you need to keep them updated for best protection).

Once you have yourself protected, you should have Spybot and Adaware to help catch most of what gets past that protection.

Finally, you should have Hijackthis to help find more specialized problems; many of these can be resolved with HJT itself, but even for the ones that can't be, it is used to identify them so more specific/specialized fixes can be determined.

I realize you already mentioned having some of these, I just listed it all for anyone else that comes across this thread.

dlh6213 27 Posting Maven Team Colleague

... And, how much RAM do you have?

dlh6213 27 Posting Maven Team Colleague

This is a good site to check out most anti-spyware products:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

dlh6213 27 Posting Maven Team Colleague

Before you reinstall Windows, go to this thread:
http://www.daniweb.com/techtalkforums/thread5690.html, and get Hijackthis. Post the log it generates in the Virus forum.

If you do decide to reinstall, complete instructions can be found here:
http://www.daniweb.com/techtalkforums/thread6632-clean+install.html

dlh6213 27 Posting Maven Team Colleague

I don't know if there is anyone here familiar with X-RAYPC, you would probably get better support if you got Hijackthis and posted the log in the Virus forum.

dlh6213 27 Posting Maven Team Colleague

D'oh! Dave beat me to it!

Go to Add/Remove Programs in your Control Panel and remove these if they are there:
SearchUpgrader
Webshots

Close all browser windows (IE, Opera, and any others you may have), scan with HJT and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] D:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
(More info on this one here: http://www.liutilities.com/products/wintaskspro/processlibrary/SearchUpgrader/)
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
(More info: http://www.liutilities.com/products/wintaskspro/processlibrary/launcher/)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
(DialerPlatform Dialer)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/261ea77...ip/RdxIE601.cab
(Netster)
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O19 - User stylesheet: (file missing)

Reboot into Safe Mode

Go to D:\Program Files\Common files and delete this folder: SearchUpgrader

Reboot normally

Click on Start, Programs, Startup and if Webshots is there, delete it

Let us know if you know what these are:
D:\WINDOWS\SYSTEM32\Mounter.exe
NameServer = 192.168.20.1 192.168.20.3 <--- Is this your ISP?

Make sure all browser windows are closed, scan with HJT, and post a new log please.

Merry Christmas!!! :)

dlh6213 27 Posting Maven Team Colleague

I couldn't find anything on the Strawberry stuff -- almost looks like some kind of catalog entries. I don't understand why they won't delete in Safe Mode :confused:

dlh6213 27 Posting Maven Team Colleague

Robotman, your log looks okay to me; are you still having problems?

dlh6213 27 Posting Maven Team Colleague

Hey Danielle, welcome to DaniWeb! :) All hijackthis logs are supposed to be posted in the Virus forum.

dlh6213 27 Posting Maven Team Colleague

Close all browser windows, scan with HJT, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R3 - Default URLSearchHook is missing
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O4 - Startup: DLHelperEXE.exe
Review all of the O8 entries; if you did not set any of these, have HJT fix them. If you're not sure about any, do a Google search to find out about them.
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21a4b9a...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O23 - Service: Symantec Enterprise VPN Client - Unknown - vpnservices.exe (file missing)
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe (file missing)

Reboot into Safe Mode

Go to C:\WINDOWS and delete ietlbass.dll (if found)
Go to C:\WINDOWS\System32 and delete IETie.dll (if found)
Go to C:\WINDOWS\Downloaded Program Files and delete SbCIe028.dll (if found)

Reboot normally

Click on Start, Programs, Startup; if DLHelperEXE.exe is there, delete it
Close all browser windows, scan with HJT, …

dlh6213 27 Posting Maven Team Colleague

You may want to consider disabling CTHELPER.EXE
Quote from sysinfo:
"CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it."

dlh6213 27 Posting Maven Team Colleague

Well, if you didn't install it, and you don't use it, I would think you should just get rid of it. See if it's in the Add/Remove Programs first; if not, then just delete the folder. You might need to boot into Safe Mode to do that. (Again, you may want to wait for confirmation on this)

dlh6213 27 Posting Maven Team Colleague

Ravengal, do you know what 'Business Logic' is? Is it something you installed?

dlh6213 27 Posting Maven Team Colleague

Remember to have all browser windows closed when you scan with HJT. Scan again and have HJT fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINDOWS\ietlbass.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://www.yahoo.com
O13 - WWW Prefix: http://www.yahoo.com
O13 - WWW. Prefix: http://www.yahoo.com
O13 - Home Prefix: http://www.yahoo.com
O13 - Mosaic Prefix: http://www.yahoo.com
O15 - Trusted IP range: 206.161.125.149 (HKLM) (Fix this one only if you didn't put it in your Trusted Zone yourself)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/...les/initial.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA48796E-98C6-466A-AD1F-BDBAA53FA8A0}: Domain = aaos.org (Fix this only if the domain is not from your ISP or company network)

Reboot into Safe Mode
Go to C:\WINDOWS and delete ietlbass.dll

Reboot normally

Download CWShredder …