My log is:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:38 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\system32\Services\{1ED17EFD-37EA-47CA-982B-0C5453452721}\SVCHOST.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\World of Warcraft\WoW-1.2.4-to-1.3.0-enUS-downloader.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\QUICKT~1\QuickTimePlayer.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com...=32994&said=261
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AutoSearch Class - {1E432263-6841-4653-8F02-366A2F77E339} - C:\PROGRA~1\WINDOW~4\WinSB1.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\mqwwx0m3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\mqwwx0m3.slt\prefs.js)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.DLL
O2 - BHO: (no name) - {AF1EBDE3-E1EA-B30E-F48F-A4EB46CDFCFB} - C:\WINDOWS\system32\mhdusftl.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\system32\spm1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\system32\wer1316.dll (file missing)
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKLM\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKLM\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKLM\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKLM\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKLM\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKLM\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKLM\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKLM\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKLM\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKLM\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [mxrzjezq] C:\WINDOWS\System32\mxrzjezq.exe
O4 - HKLM\..\Run: [P2P Networking2] C:\WINDOWS\System32\P2P Networking\P2P Networking2.exe /AUTOSTART
O4 - HKLM\..\Run: [<h] c:\WINDOWS\System32\html
O4 - HKLM\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\titleadvertisement/title
O4 - HKLM\..\Run: [</h] c:\WINDOWS\System32\/head
O4 - HKLM\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffffff
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\META HTTP-EQUIV=Pragma CONTENT=no-cache
O4 - HKLM\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\script language=javascript type=text/javascript
O4 - HKLM\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKLM\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers1:0;
O4 - HKLM\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKLM\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('iframe width=720 height=300 frameborder=0 scrolling=NO marginwidth=0 marginheight=0 src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/iframe');
O4 - HKLM\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('ilayer width=720 height=300 left=0 top=0 visibility=SHOW src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/ilayer');
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\/script
O4 - HKLM\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\noscriptiframe width=720 height=300 frameborder=0 scrolling=NO marginwidth=0 marginheight=0 src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/iframe/noscript
O4 - HKLM\..\Run: [</b] c:\WINDOWS\System32\/body
O4 - HKLM\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKLM\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKLM\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 60 60 24 365);
O4 - HKLM\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKLM\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKLM\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKLM\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKLM\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKLM\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKLM\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKLM\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKLM\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKLM\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKLM\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Disk Keeper] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\keep.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\Services\{1ED17EFD-37EA-47CA-982B-0C5453452721}\SVCHOST.EXE
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [} el] c:\WINDOWS\System32\} else {
O4 - HKCU\..\Run: [function setCookie(name, value) ] c:\WINDOWS\System32\function setCookie(name, value) {
O4 - HKCU\..\Run: [function getCookie(Name) ] c:\WINDOWS\System32\function getCookie(Name) {
O4 - HKCU\..\Run: [// set index of beginning of value ] c:\WINDOWS\System32\// set index of beginning of value
O4 - HKCU\..\Run: [// set index of end of cookie value ] c:\WINDOWS\System32\// set index of end of cookie value
O4 - HKCU\..\Run: [end = document.cookie.length ] c:\WINDOWS\System32\end = document.cookie.length
O4 - HKCU\..\Run: [}] c:\WINDOWS\System32\}
O4 - HKCU\..\Run: [function mhppo] c:\WINDOWS\System32\function mhppop(){
O4 - HKCU\..\Run: [function FormFocu] c:\WINDOWS\System32\function FormFocus(){
O4 - HKCU\..\Run: [flag] c:\WINDOWS\System32\flag = 1
O4 - HKCU\..\Run: [function exittraff] c:\WINDOWS\System32\function exittraffic()
O4 - HKCU\..\Run: [if ((flag ==] c:\WINDOWS\System32\if ((flag == 1))
O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
O4 - HKCU\..\Run: [<h] c:\WINDOWS\System32\html
O4 - HKCU\..\Run: [<title>advertisement</ti] c:\WINDOWS\System32\titleadvertisement/title
O4 - HKCU\..\Run: [</h] c:\WINDOWS\System32\/head
O4 - HKCU\..\Run: [<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#ffff] c:\WINDOWS\System32\body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 bgcolor=#ffffff
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Pragma" CONTENT="no-cac] c:\WINDOWS\System32\META HTTP-EQUIV=Pragma CONTENT=no-cache
O4 - HKCU\..\Run: [<script language="javascript" type="text/javascri] c:\WINDOWS\System32\script language=javascript type=text/javascript
O4 - HKCU\..\Run: [var d=docum] c:\WINDOWS\System32\var d=document;
O4 - HKCU\..\Run: [var NN4=d.layers?] c:\WINDOWS\System32\var NN4=d.layers1:0;
O4 - HKCU\..\Run: [if(!NN] c:\WINDOWS\System32\if(!NN4) {
O4 - HKCU\..\Run: [document.write ('<iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe] c:\WINDOWS\System32\document.write ('iframe width=720 height=300 frameborder=0 scrolling=NO marginwidth=0 marginheight=0 src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/iframe');
O4 - HKCU\..\Run: [document.write('<ilayer width="720" height="300" left="0" top="0" visibility="SHOW" src="http://ads.partner2p...oscript=1&rand=[RAND]"></ilayer] c:\WINDOWS\System32\document.write('ilayer width=720 height=300 left=0 top=0 visibility=SHOW src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/ilayer');
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\/script
O4 - HKCU\..\Run: [<noscript><iframe width="720" height="300" frameborder="0" scrolling="NO" marginwidth="0" marginheight="0" src="http://ads.partner2p...oscript=1&rand=[RAND]"></iframe></noscr] c:\WINDOWS\System32\noscriptiframe width=720 height=300 frameborder=0 scrolling=NO marginwidth=0 marginheight=0 src=http://ads.partner2profit.com/abs_adserve.cfmcampaign_id=15780&noscript=1&rand=[RAND]/iframe/noscript
O4 - HKCU\..\Run: [</b] c:\WINDOWS\System32\/body
O4 - HKCU\..\Run: [var expire = new Dat] c:\WINDOWS\System32\var expire = new Date();
O4 - HKCU\..\Run: [var today = new Dat] c:\WINDOWS\System32\var today = new Date();
O4 - HKCU\..\Run: [expire.setTime(today.getTime() + 1000 * 60 * 60 * 24 * 3] c:\WINDOWS\System32\expire.setTime(today.getTime() + 1000 60 60 24 365);
O4 - HKCU\..\Run: [offset = document.cookie.indexOf(search) ] c:\WINDOWS\System32\offset = document.cookie.indexOf(search)
O4 - HKCU\..\Run: [if (offset != -1) { // if cookie exists ] c:\WINDOWS\System32\if (offset != -1) { // if cookie exists
O4 - HKCU\..\Run: [offset += search.leng] c:\WINDOWS\System32\offset += search.length;
O4 - HKCU\..\Run: [if (end == -1) ] c:\WINDOWS\System32\if (end == -1)
O4 - HKCU\..\Run: [return unescape(document.cookie.substring(offset, end)) ] c:\WINDOWS\System32\return unescape(document.cookie.substring(offset, end))
O4 - HKCU\..\Run: [var cookieExist = getCookie(strCookieNa] c:\WINDOWS\System32\var cookieExist = getCookie(strCookieName);
O4 - HKCU\..\Run: [document.frmSearch.KeyWords.focu] c:\WINDOWS\System32\document.frmSearch.KeyWords.focus();
O4 - HKCU\..\Run: [mhppop(); //makeusyourhomepage] c:\WINDOWS\System32\mhppop(); //makeusyourhomepage pop
O4 - HKCU\..\Run: [var pos_left = (screen.width / 2) -125; // window horizontally centered, rou] c:\WINDOWS\System32\var pos_left = (screen.width / 2) -125; // window horizontally centered, roughly
O4 - HKCU\..\Run: [var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of sc] c:\WINDOWS\System32\var pos_top = (screen.height) + 1; // window is 1 pixel below the bottom of screen
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
O4 - HKCU\..\Run: [window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_t] c:\WINDOWS\System32\window.open(URL3, 'ncaseWin','width=250,height=250,left=' + pos_left + ',top=' + pos_top);
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\cwfcwuzp.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.s...stemsoappro.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe