Full Version: I've been Hijacked!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
martinmp
I've run the latest versions of Ad-Aware and Spybot and can't get rid of this pesky parasite. When my browser is open, it opens a new browser window with popups that are based on my previous google searches (even from weeks ago!) When the new window opens, it interrupts whatever application I happen to be using at the time. Highly frustrating. At this point, I'm desperate for some help. Thanks to all!!

Logfile of HijackThis v1.97.6
Scan saved at 10:44:57 AM, on 03/19/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\eCopy\MailRoom\PCLprint\mrmlnc32.exe
C:\Program Files\ViewMail\LFprinttomail\lfsndmng.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\AIM95\aim.exe
C:\Pcdocs\DocsOpen\Progs\docsopen.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\system32\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mpheath\Local Settings\Temporary Internet Files\Content.IE5\MLM5GNGF\hjtlog[1].exe
c:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/home.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINNT\system32\Zedd4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINNT\system32\Yoko.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Unidoc NT Tray Service] C:\PROGRA~1\eCopy\MailRoom\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [lfsndmngav] C:\Program Files\ViewMail\LFprinttomail\lfsndmng.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Docs Open.lnk = C:\Pcdocs\DocsOpen\Progs\docsopen.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .lio: c:\PROGRA~1\INTERN~1\plugins\Npmad32l.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .WebForm: C:\Program Files\Internet Explorer\PLUGINS\NPRun32.DLL
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://ntt-body.com/msft2.exe
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://workflow2/intempo/FormFlow/codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - http://workflow/intempo/formflow/codebase/ffmail.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - http://workflow2/intempo/CabFiles/jfITEnvelopeCtrl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - http://workflow2/intempo/formflow/codebase/scriptobject.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonelite.webex.com/client/lates...bex/ieatgpc.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://workflow2/intempo/formflow/codebase/fontinstaller.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com/ActiveX/WebformControl2.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - http://workflow2/intempo/formflow/codebase/listbox.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = reedsmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = reedsmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = reedsmith.com
CalamityJane
Hello martinmp, and welcome to our forum.

I've sent you a private message (check the message box at the top of the forum). I would like you to email me several suspicious files for analysis. I described one in detail but forgot to mention that I would like the last two as well.

These are the files to look for:

O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://ntt-body.com/msft2.exe <--- the site is called booby babes, features (hardcore videos). If you did not install this yourself, I would like to have it analyzed. It is located in your Downloaded Program Files (probably: C:\WINDOWS\Downloaded Program Files).

Also please send me these two files as well (they are unknown Browser Helper Objects)

C:\WINNT\system32\Zedd4.dll

C:\WINNT\system32\Yoko.dll
..............................................................
Ok, lets get started then,

First, you have an old version of HijackThis. The latest version is 1.97.7 and it needs to be put in its own folder so the proper backup can be made. So first do this:

Download *Hijack This!*

http://www.spywareinfo.com/downloads/tools/HijackThis.exe

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. This is to ensure it makes the necessary backups for recovery if needed. Download and save the contents to the new folder you made and then navigate to the HijackThis.exe.

Next, please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*. Then, doubleclick HijackThis.exe, and hit "Scan".


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINNT\system32\Zedd4.dll

O2 - BHO: (no name) - {971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINNT\system32\Yoko.dll

If you set these two restrictions yourself using Spybot, leave them alone. If you did not set them, then let HJT fix them:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://ntt-body.com/msft2.exe If you did not install this yourself

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
.................................................................
Reboot your PC

Scan once more with HijackThis and post a new log please. Let us know if the popup problem is resolved as well.
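The triage above follows a pattern that can be automated: unknown Browser Helper Objects (O2), a Downloaded Program Files entry (O16) that points at a bare .exe under a hand-crafted CLSID, IE policy restrictions (O6) and a missing URLSearchHook (R3). The script below is an added example, not part of the forum thread or of HijackThis itself; the sample lines are copied from the log posted above, and the BHO allowlist and the CLSID-entropy heuristic are my own assumptions.

```python
import re

# Lines copied from the HijackThis log posted above; a real run would read the whole log file.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINNT\system32\Zedd4.dll",
    r"O2 - BHO: (no name) - {971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINNT\system32\Yoko.dll",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://ntt-body.com/msft2.exe",
    r"O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab",
    r"R3 - Default URLSearchHook is missing",
]
# Assumed allowlist: the BHO files the helper left alone in this thread.
KNOWN_BHO_FILES = {"acroiehelper.ocx", "sdhelper.dll", "googletoolbar1.dll"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")

def low_entropy_clsid(clsid: str) -> bool:
    # A genuine CLSID is random; one made of a repeated hex digit was typed by hand (heuristic).
    digits = set(clsid.replace("-", "").upper())
    return len(digits) <= 2

def triage(lines):
    """Return (section, reason, line) tuples for log entries worth a second look."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        target = body.rsplit(" - ", 1)[-1]  # file path (O2) or download URL (O16)
        if sec == "O2":
            name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if "(no name)" in body and name not in KNOWN_BHO_FILES:
                findings.append((sec, "unknown BHO", line))
        elif sec == "O16":
            clsid = CLSID_RE.search(body)
            reasons = []
            if target.lower().endswith(".exe"):  # DPF normally delivers .cab/.ocx, not a bare .exe
                reasons.append("DPF delivers a bare .exe")
            if clsid and low_entropy_clsid(clsid.group(1)):
                reasons.append("hand-crafted CLSID")
            if reasons:
                findings.append((sec, "; ".join(reasons), line))
        elif sec == "O6":
            findings.append((sec, "IE policy restriction present (fine if set via Spybot)", line))
        elif sec == "R3" and "missing" in body:
            findings.append((sec, "URLSearchHook removed", line))
    return findings
```

Run `triage(SAMPLE_LOG)` and the two system32 BHOs, the O6 restriction, the msft2.exe DPF entry and the R3 line come back flagged, while the Acrobat BHO and the Yahoo .cab do not.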
martinmp
Many, many thanks. I followed your instructions, and so far, no more pop-ups. I'm forever indebted to you!

Here's my updated log:

Logfile of HijackThis v1.97.7
Scan saved at 10:08:46 AM, on 03/22/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\eCopy\MailRoom\PCLprint\mrmlnc32.exe
C:\Program Files\ViewMail\LFprinttomail\lfsndmng.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Pcdocs\DocsOpen\Progs\docsopen.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\msaccess.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/home.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Unidoc NT Tray Service] C:\PROGRA~1\eCopy\MailRoom\PCLprint\mrmlnc32.exe
O4 - HKLM\..\Run: [lfsndmngav] C:\Program Files\ViewMail\LFprinttomail\lfsndmng.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Docs Open.lnk = C:\Pcdocs\DocsOpen\Progs\docsopen.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .lio: c:\PROGRA~1\INTERN~1\plugins\Npmad32l.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .WebForm: C:\Program Files\Internet Explorer\PLUGINS\NPRun32.DLL
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://workflow2/intempo/FormFlow/codebase/FormCtl.cab
O16 - DPF: {1469FF24-47F6-11D2-8805-006008C537E3} (FormFlow Mail Control) - http://workflow/intempo/formflow/codebase/ffmail.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {292CBB36-AC91-11D1-B911-080009EF1192} (jfEnvelope Class) - http://workflow2/intempo/CabFiles/jfITEnvelopeCtrl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (FormFlowScriptObject Class) - http://workflow2/intempo/formflow/codebase/scriptobject.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://thomsonelite.webex.com/client/lates...bex/ieatgpc.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://workflow2/intempo/formflow/codebase/fontinstaller.cab
O16 - DPF: {F02C6B3B-AB1A-48D3-914D-169954A11142} (WebForm Launch Control) - http://files.stf.com/ActiveX/WebformControl2.cab
O16 - DPF: {F4F6546F-FBA9-11D1-8AFB-080009ECFDC5} (FormFlow ListBox Control) - http://workflow2/intempo/formflow/codebase/listbox.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = reedsmith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = reedsmith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = reedsmith.com
CalamityJane
You're welcome - glad we could help.

We highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857