another HJT log


bassman
06-03-2006, 08:50 PM
Hello all,
I finally got this machine back to its proper place and have run AdAware, Spybot SD, and spywareblaster.
Here is the HJT log following all of that. Would appreciate any advice as I do not know where to begin.
Thanks
Frank

Logfile of HijackThis v1.99.1
Scan saved at 4:44:20 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\programs\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102992939515
O17 - HKLM\System\CCS\Services\Tcpip\..\{632BE4D7-F765-4267-9516-D55D7FDBDC58}: NameServer = 204.127.203.135,216.148.225.135
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Budfred
06-03-2006, 10:52 PM
A description of whatever problems you are having would have been helpful... Without that all I can see is this:

Open an HJT scan and put a check by:

O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs

Close all open windows except HJT and press Fix checked...

Find and delete this folder:

C:\Program Files\180search Assistant Programs

Reboot and post a fresh HJT log with a description of any problems you are having...
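As a defender-side illustration of what Budfred is doing by eye above, here is an added Python example (not from this thread and not part of HijackThis itself) that parses HJT log lines, flags the entry types worth a second look, and diffs two logs so you can confirm that a "Fix checked" actually removed the entry. The sample logs are lines copied from the two logs in this thread plus one hypothetical HKCU Run line, marked CONSTRUCTED, that exists only to exercise the autorun-location check; the list of trusted install roots is an assumption of this example, not something HJT defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HJT log in this thread, plus one
# hypothetical O4 line (marked CONSTRUCTED) so the autorun-location check has something to flag.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: 180search Toolbar - {93CECBB2-6B1B-448D-91B9-72604EF70105} - C:\Program Files\180search Assistant Programs\180search Toolbar\180ST.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\frank\Local Settings\Temp\constructed_example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{632BE4D7-F765-4267-9516-D55D7FDBDC58}: NameServer = 204.127.203.135,216.148.225.135
"""

# Constructed sample: the same machine after the 180search toolbar entry was fixed.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\frank\Local Settings\Temp\constructed_example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{632BE4D7-F765-4267-9516-D55D7FDBDC58}: NameServer = 204.127.203.135,216.148.225.135
"""

# Every HJT entry line starts with a section code ("O2", "O3", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumed set of install roots from which an O4 autorun is considered unremarkable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O3"
    body: str     # everything after "O3 - "


def parse_hjt(text):
    """Return the O-numbered entries of an HJT log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag the entry types a reviewer looks at first; returns human-readable findings."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            # A registration whose target is gone is dead weight at best; HJT can remove it.
            findings.append(f"{e.section}: registration points at a missing file, fix it: {e.body}")
        elif e.section == "O17":
            # DNS servers set on the adapter; verify they belong to the ISP before trusting them.
            servers = e.body.split("NameServer =")[-1].strip()
            findings.append(f"O17: DNS servers {servers}; confirm they belong to the ISP")
        elif e.section == "O4":
            # Autoruns that launch from a user-writable location deserve a closer look.
            path = e.body.split("] ", 1)[-1].lower()
            if not path.startswith(TRUSTED_ROOTS):
                findings.append(f"O4: autorun from a user-writable location, investigate: {e.body}")
    return findings


def diff_logs(before_text, after_text):
    """Compare two logs; returns (entries removed, entries added) as sorted (section, body) tuples."""
    before = {(e.section, e.body) for e in parse_hjt(before_text)}
    after = {(e.section, e.body) for e in parse_hjt(after_text)}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for finding in triage(parse_hjt(LOG_BEFORE)):
        print("!", finding)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed since last log:", [body[:40] for _, body in removed])
    print("new since last log:", added)
```

Running it on the thread's own logs flags the 180search toolbar (missing file), the constructed Temp-folder autorun, and the O17 DNS line for verification, and the diff shows exactly one entry gone between the two logs, which is what "post a fresh HJT log" is meant to confirm.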

bassman
06-04-2006, 11:31 AM
Thanks Budfred
Sorry about that. Not sure what I was thinking :rolleyes: I just figured when I spoke, everyone knew exactly what I was talking about :eek: :D
I have an office machine that is also used as a personal machine by my father. It had an issue the other day where it would not completely boot up. It would come to the black screen telling you "Sorry, Windows was not properly shut down or Yadda Yadda Yadda" and several selections for ways to try and start. No matter what I did I would always come back to that screen.
With some help from mjc and ski, I ended taking the machine back to my house (an hour and a half away), putting the HDD in another machine and chkdsk seems to have fixed the problem. It is starting and running faster now than for some time before this problem occurred.
Posting an HJT log is just the next step in checking for malicious problems. Here is the fresh log.
Oh yea, I was not able to find anything 180 Search Assistant in C: or D: and I looked through several folders on each. I know that AdAware or SD dealt with it on their scans.

Logfile of HijackThis v1.99.1
Scan saved at 7:16:07 AM, on 6/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ntvdm.exe
D:\programs\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102992939515
O17 - HKLM\System\CCS\Services\Tcpip\..\{632BE4D7-F765-4267-9516-D55D7FDBDC58}: NameServer = 204.127.203.135,216.148.225.135
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Budfred
06-04-2006, 11:41 AM
Well, the log looks clean... If you are not seeing any more problems, now would be the time to install the SP2 update and any security software needed to fill any gaps... If you have AVG and ZA, you are mostly covered... I would also add SpywareBlaster and probably TeaTimer from Spybot S&D...

bassman
06-04-2006, 11:52 AM
Thanks Budfred,
SpywareBlaster is there and I was under the impression that we should not use Tea Timer so I will rectify that. ;)
SP2 is coming also. I need to use a disk :rolleyes:

Budfred
06-04-2006, 02:56 PM
TeaTimer is a nice tool if it is the only resident antispyware program running... The problem is that it can interfere with fixes, so we ask that it be turned off to run the fix and it can conflict with things like Windows Defender which also has resident spyware protection... SpywareBlaster doesn't conflict with anything because of the way that it works...

bassman
06-05-2006, 11:41 PM
OK, one more issue with this machine. I do not know if this is related but it was happening just before the crash and appears to still be happening.
When my dad saves an e-mail that he opens with Thunderbird, it converts to OE mail. In doing this, most times when he tries to open it back up to view a pic that was attached, it tells him "OE removed access to attachment due to possible virus" and the pic is gone. Nowhere to be found. I have tried changing the docs association to Thunderbird but it does not open. If I R-click and click "Open with"- "Thunderbird", nothing happens. If I R-click and click "Open with" "OE", it opens.
Any ideas on that???

Budfred
06-06-2006, 12:01 AM
I haven't heard of that as a malware issue... I would look in Outlook and see if you can change the security settings so that it doesn't strip out attachments without asking first... I would try uninstalling and reinstalling Thunderbird after first making a copy of the folders so that you make sure the emails are not lost... It is possible that Spybot's SDHelper is interfering with making the changes you need, so I would probably disable it at least temporarily and turn off TeaTimer if you turned that on... Also, some of these issues may be fixed once you get Windows completely updated... Finally, I would save those pictures to another folder before saving the email... It should be possible to save them in whatever image viewer he is using to look at them or to save them using Save As in the T-bird File menu...

mike2002
06-06-2006, 07:54 AM
When my dad saves an e-mail that he opens with Thunderbird, it converts to OE mail.

Exactly the same thing happens with me (mentioned in another post), and it is a recognised thing on the Thunderbird forums. The only way to retrieve any attachments, photos, etc. in Mails is to install Outlook Express, then save them in another format.

bassman
06-06-2006, 08:46 PM
Not sure I am following you there mike2002. Outlook Express is an integrated component of Windows. It is installed by default and can not (or should not) be removed (to the best of my knowledge).
What is happening is, in saving an e-mail that is retrieved with Thunderbird to another location (flash drive, CD ROM, even another folder on HDD) it becomes an Outlook file. Just for giggles, while I was writing this (on another computer), I tried saving an e-mail off of Thunderbird to MyDocuments and it did the same thing. It appears this is not an isolated issue but rather a generic one with Windows. :rolleyes:
Sorry, I guess I should have tried that before I brought this up.
Never mind :D

Budfred
06-06-2006, 09:27 PM
I could be wrong, but I believe it is possible to at least disable OE and maybe even to remove it since it is not as deeply integrated into the OS as IE... Go to Control Panel... Add/Remove Programs... Add/Remove Windows Components and choose to remove it...

mike2002
06-07-2006, 09:21 AM
Budfred: Go to Control Panel... Add/Remove Programs... Add/Remove Windows Components and choose to remove it. Yes, in my case, that's what I did. But the fact that the Mail is still saved with an OE icon indicates that OE is not completely removed. I did not, however, go through my Registry and remove all references to it. Even then it may have not been successful, seeing that a lot of keys have alpha-numerical strings which bear no indication as to their 'owner'.