Its freezing cold outside and i have some time so i've decided to follow some of the outstanding advice of the experts here. I just downloaded HJT and have my log. Could someone take a look at it and make suggestions? Thanks, you folks are awsome..

Logfile of HijackThis v1.97.7
Scan saved at 12:12:15 PM, on 1/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\greg\Local Settings\Temporary Internet Files\Content.IE5\OLMRCT2N\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pioneer Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {a9165c78-7c3e-4800-9c0e-9e5764f63f83} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b2e4ae25-02fb-434d-874e-6c2c33113726} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {84627E49-50B4-4F81-BE55-FC0D97BBD168} - (no file)
O3 - Toolbar: eassstsyhti - {7f55f6e4-83a1-4d71-ac66-e34d145114bd} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab[/url]
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - [url]http://www.drivershq.com/DD_v4.CAB[/url]
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - [url]http://www.trojanscan.com/trojanscan/TDECntrl.CAB[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://download.yahoo.com/dl/installs/yinst0309.cab[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - [url]http://www.bitdefender.com/scan/Msie/bitdefender.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab[/url]
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - [url]http://autos.msn.com/components/ocx/survid/MSSurVid.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3500462963[/url]
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - [url]http://autos.msn.com/components/ocx/exterior/Outside.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - [url]https://livesc02.custhelp.com/swoosh/swoosh/rnt/rnl/java//RntX.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65

I believe i made a mistake originally when i downloaded hjt. The problem has been corrected now. (i can find it, anyway) :)
I ran it instead of saving.

I just recently installed the google toolbar. I'm having some second thoughts after reading some of the posts about google in these forums. On install i didn't opt for the page reporting and voting thing, so maybe its ok??

The computer is shared with a teenager so i'm constantly worried about her downloading or opening the wrong thing, although she seems to be cautious.

I'll be quiet now... :)

I don't see anything that looks obviously bad. Assuming you have Pioneer Internet anyway, if you don't we have some clear fixing to do...

Okay, before you do any of these suggestions... To start, please extract HijackThis to a permanent folder such as C:\Documents or one you create like C:\HJT. You are running it from a temp folder which means we won't be able to restore any changes made...

It would be worthwhile to use HJT to fix these:

O2 - BHO: (no name) - {b2e4ae25-02fb-434d-874e-6c2c33113726} - (no file)
O3 - Toolbar: (no name) - {84627E49-50B4-4F81-BE55-FC0D97BBD168} - (no file)

It is not clear what these are, but they seem to have random names and that is often an indication of malware. If you don't recognize them, it is probably worthwhile to find the file, Right click and check Properties. If you don't recognize it, it is probably a good idea to fix these. Since they say "file missing" you may not be able to find them and that is a good reason to fix them too:

O2 - BHO: (no name) - {a9165c78-7c3e-4800-9c0e-9e5764f63f83} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)
O3 - Toolbar: eassstsyhti - {7f55f6e4-83a1-4d71-ac66-e34d145114bd} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)

These are items I don't recognize and they may be okay. You can safely fix O16 items and they will simply be reestablished when you visit the site again. You take a chance if you fix the other, but you can restore if you installed HJT in a permanent folder....

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/swoos.../java//RntX.cab

As for Google Toolbar... Most security experts that have addressed it say that most of the negative stuff is from people that have an axe to grind with Google and it is actually a good program to use...

Most importantly!!! You are running naked!! You have WinXP and you have not installed SP1 or the critical updates... These are crucial to patch some huge holes and prevent Blaster infestation among other things...

Once you do whatever you decide to do with these suggestions, it would be a good idea to reboot, run HJT again, open your browser and post the new log to be rechecked....

Thanks for the help Budfred.
Here is the log after fixes...

Logfile of HijackThis v1.97.7
Scan saved at 10:26:23 PM, on 1/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\greg\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pioneer Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - [url]http://messenger.zone.msn.com/binary/msgrchkr.cab[/url]
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - [url]http://www.trojanscan.com/trojanscan/TDECntrl.CAB[/url]
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - [url]http://download.yahoo.com/dl/installs/yinst0309.cab[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - [url]http://www.bitdefender.com/scan/Msie/bitdefender.cab[/url]
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - [url]http://messenger.zone.msn.com/binary/MessengerStatsClient.cab[/url]
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - [url]http://autos.msn.com/components/ocx/survid/MSSurVid.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3500462963[/url]
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - [url]http://autos.msn.com/components/ocx/exterior/Outside.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65

I was infected with blaster but got rid of it...thanks in no small part to this forum. I have tried to download SP1, which i believe is at the microsoft update page, but without sucess, because of problems with dialup here...I do have Pioneer Internet.

I believe i've extracted hjt to a permanent folder, as i indicated in my second post.

I'm really wanting to get something like ZoneAlarm and AVG but keep seeing conflicting things here concerning XP compatibilities.. What would be some suggestions on your part for Firewall and anti-virus capability?

This forum rocks... :D

This shows you are still running HJT from a temp folder:

C:\Documents and Settings\greg\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

It looks like you opted to leave this in, is that true??

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true

Is Pioneer Internet your ISP??

You can go here to download the WinXP updates without having to use the Windows Update:

http://www.softwarepatch.com/windows/

For firewalls you will get different opinions from different people, I recommend either Sygate or Kerio, both of which have free versions...

For antivirus, AVG is recommended a lot around here. I am thinking of going with NOD32 when my NAV subscription runs out, but it is not free.

I would also urge you to use SpywareBlaster to protect against spyware infestation automatically. You run it once and update it occasionally, it does the rest without using resources and without effort.

Yes, main page is ok. I'm installing sp1 as we speak, although from winupdate page...only 100 freakin' minutes to go... ;)

For firewall, i was thinking freeware. I've seen Sygate mentioned alot but am still undecided. In what order would you install to avoid the most conflicts? Say, Anti-virus first, and then firewall, or visa-versa?

I do have spyblaster, unless its been uninstalled. I had installed it after it got the greenlight on this forum.

Kerio and Sygate both are good.

As to AV, get one right away!

:D

It is not clear what these are, but they seem to have random names and that is often an indication of malware. If you don't recognize them, it is probably worthwhile to find the file, Right click and check Properties. If you don't recognize it, it is probably a good idea to fix these. Since they say "file missing" you may not be able to find them and that is a good reason to fix them too:

O2 - BHO: (no name) - {a9165c78-7c3e-4800-9c0e-9e5764f63f83} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)
O3 - Toolbar: eassstsyhti - {7f55f6e4-83a1-4d71-ac66-e34d145114bd} - C:\DOCUME~1\greg_2\APPLIC~1\choawsvckgr.dll (file missing)


99.99999% they were LOP (C2 Media) leftovers...

Almost everytime you see a random name and the BHO located in the Application Data (Applic~1 in this case) you can be assured it is LOP.

I do appreciate the excellant advice and suggestions. Thankyou very much. I know Budfred is getting a little exsasperated about the temp file thing, but i simply dont know how, i guess. I thought on the second download i had saved it to a Permanent folder. Is that something I could easily fix? I'm sorry about my lack of knowledge on this seemingly simple thing.

I tried updating spywareblaster and it sez available but on a newer version only, so i'll try to get that done today.

SP1 was sucessfully installed last night, so the new log looks like this..

Logfile of HijackThis v1.97.7
Scan saved at 10:01:09 AM, on 1/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\CMMON32.EXE
C:\Documents and Settings\greg\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pioneer Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3500462963
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65



Better??

Updated with new version of spywareblaster and hopefully got HJT in a proper folder...New Scan=

Logfile of HijackThis v1.97.7
Scan saved at 7:19:45 PM, on 1/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CMMON32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\greg\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/boards/Ultimate.cgi?action=intro&BypassCookie=true
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pldi.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Pioneer Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pldi.net
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38009.3500462963
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{526ABDB2-66A4-4622-B6BE-9FB4F71E073B}: NameServer = 64.250.192.64 64.250.192.65

I've completed almost all the critical updates now..Thanks for the help everyone. :)

Assuming that you have Pioneer Internet and chose to leave that R0, it looks clean to me...:)

And BTW, I wasn't exasperated, I was worried since you might need to restore changes and you can't when HJT is in a temp folder....

:) Concerned would have been a better choice of words on my part. ;)

Thanks again for your help. I know you all realize what a great group of people reside on this forum, but i hope you realize the degree of comfort you provide to dweebs out here. The amount of information you all provide is nothing short of amazing. I learn something everytime i visit... thanks

Oh, this RO is fine...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.225.103.124/cgi-bin/board...passCookie=true


This RO i'm not sure about. I believe the kids had the homepage set as yahoo at some point while i was away. Could i remove it?

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com

You can certainly remove that R0 and the associated R1 and

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

as well. Yahoo isn't malware, so I didn't suggest removing them, but they are certainly not necessary (although your kids might disagree)....;) :)