Hello. I am having trouble getting rid of a lot of viruses on my computer and would appreciate any help. Here is a log of hi jack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:58 PM, on 7/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\nwnmef_7.exe
C:\dfndref_7.exe
C:\kybrdef_7.exe
C:\WINDOWS\pop06ap2.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Common Files\{ECE25D5D-0C78-1033-0211-040208050001}\Update.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\DOBE~1\explorer.exe
C:\PROGRA~1\APPATC~1\WNSPOO~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSWin.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\TWF0dA\command.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSWin.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Matt\LOCALS~1\Temp\Rar$EX00.812\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mquyb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wlcclpl. exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsx8F.dll
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmiwou.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [newname] C:\\nwnmef_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdef_7.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Euci] "C:\WINDOWS\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [Ncgvbiam] C:\PROGRA~1\APPATC~1\WNSPOO~1.EXE
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MSWin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\taskmgr.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\causapi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dA\command.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Another thing that I have noticed is that a lot of new processes have popped up on my system task bar. I went from having 32 to almost 50.

A lot of the executables that have come up I can not delete and spybot and adware has only been able to get rid of a few of the viruses/spyware.

The popups that come up are rediculous. I can just be on my desktop and they will come up all the time and dont stop. I left my computer on last night and when I woke up there were almost 80 popups in the taskbar.

Also now when my computer restarts and loads up I get an error that says at the top RUNDLL, the message then says: Error loading w001bdcd.dll, The specified module could not be found.

Here is a new hi jack this log after i have tried using some different spyware removers:

ogfile of HijackThis v1.99.1
Scan saved at 6:28:56 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\dljxcopA.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\DOBE~1\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mquyb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wlcclpl. exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [dljxcopA] C:\WINDOWS\dljxcopA.exe
O4 - HKLM\..\Run: [qprff625] "RUNDLL32.EXE" w001abcb.dll,n 001ff62400000003001abcb
O4 - HKLM\..\Run: [w001bdcd.dll] "RUNDLL32.EXE" w001bdcd.dll,I2 001ff6240001bdcd
O4 - HKLM\..\Run: [{25-5D-D5-5D-ZN}] "C:\windows\system32\dwdsregt.exe" CORN003
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [Euci] "C:\WINDOWS\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [TClock.exe] "C:\Program Files\TClock\tclock_install.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346E99} - (no file)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\cgcdll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Popups, though annoying, are probably the least of your problems. You did have the following infection line which is extremely bad news:

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

http://www.processlibrary.com/directory/files/ibm00001/

Name: [Shell]
Status: X
File: ibm0000*.exe (* = digit)

Added by the Troj/Torpig-C http://www.sophos.com/virusinfo/anal...ojtorpigc.html and Troj/Torpig-J http://www.sophos.com/virusinfo/anal...ojtorpigj.html TROJANS! - Filenames spotted include ibm00001.exe ibm00002.exe ibm00005.exe and so on.
http://www.castlecops.com/startuplist-11220.html
---------------------------------------------------------------

I'm afraid I have unpleasant news for you. You had a very dangerous infection on this machine. With a serious infection like this, I would recommend that you seriously consider a reformat and reinstall.

If you do not want to do this, do not ever use the computer for anything confidential. Let us know how you wish to proceed.


The infection installs itself primarily in machines that have not had all the Win XP updates installed. It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to anything else present...

My best recommendation is to Disconnect from internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security. Even after removal of the infection, you could be vulnerable to another attack or takeover as soon as you connect to the net again.

You are strongly advised to do the following immediately:
1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.

2. If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all your account numbers.

3. From a clean computer, change *ALL* your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Also take any other steps appropriate for an attempted identity theft.

I would much prefer to clean it as much as possible and not reformat.

Also is there no way to completely remove these viruses?

Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.


Disable SpySweeper

1. Open it, Click Options over on the left, then Program options
2. Uncheck load at windows startup.
3. Over to the left, Click shields and Uncheck all there.
4. Uncheck home page shield.
5. Uncheck automatically restore default without notification.
6. Exit Spysweeper.

Download deldomains:
http://www.mvps.org/winhelp2002/DelDomains.inf
When you click on the link, select Save. Save it to your desktop. Once on the desktop: It appears as an icon that looks like a notebook tablet with a gear overlaid on it.


To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset:
Examples: (if these are being used),

• Spybot's "Immunize" feature is affected, you will need to re-immunize
• SpywareBlaster's "Enable all protection" feature will have to be re-enabled
• IE-SPYADS will have to be reinstalled

Get hoster here:
http://www.funkytoad.com/download/hoster.zip

• Unzip it to a convenient place and run the program.
• If you see in the top BOX (Editing Tools) ‘Your Hosts file is editable’ then press the ‘Restore Microsoft’s Original Hosts File’ button (in the Backup and Restore Tools BOX) and OK.
• If you see red text (‘Hosts file is marked as read only’) then press the ‘Make Hosts Writeable’ button - then the Restore Original Hosts button and OK.
• Close the program.

Please download the latest version of Look2Me-Remover.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7

* Close all windows before continuing.
* Double-click Look2Me-Remover.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
* When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message, click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
* Your computer will then shutdown.
* Turn your computer back on.
* Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the Internet please allow it.



If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX

Also is there no way to completely remove these viruses?

There can be great risks associated with the key infection matter that has been raised. Not reformatting could be an unwise decision depending on ones particular circumstances.

The issues are deemed to be so compromising that THERE IS NO WAY TO GUARANTEE an absence of potential problems from such a SERIOUS keylogger type infection. We can generally cleanup most/all VISIBLE traces of infection but there can be unknown issues that might still remain and be ongoing - such as a cleverly crafted backdoor, undetectable rogue emails, or potential phone home issues - hard to ever know for sure. You would want a strong firewall presence to control such potential unauthorized outgoing transmissions.

I just do the things you asked and here are the results. I still am getting the pop ups like crazy and I when i restart at the very beginning I get the same error message that actually comes up twice called RUNDLL: Error loading w001bdcd.dll. Another is the same except that it is called w001bdcd.dll. The specified module can not be found. Also on my desktop their are shortcuts popping up that I know are bogus

Here is the logs for both look2me and hijack.

look2me:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/27/2006 1:05:33 AM

Infected! C:\WINDOWS\system32\cgcdll.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved "{AA1B63A8-6123-4C80-902D-3950111B3416}"
HKCR\Clsid\{AA1B63A8-6123-4C80-902D-3950111B3416}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved "{A99EF6C1-3B8B-41D1-856D-39F04AA5E942}"
HKCR\Clsid\{A99EF6C1-3B8B-41D1-856D-39F04AA5E942}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved "{E4E61C5F-211F-41BF-9807-762150B3E733}"
HKCR\Clsid\{E4E61C5F-211F-41BF-9807-762150B3E733}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 1:15:24 AM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\dljxcopA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\DOBE~1\explorer.exe
C:\PROGRA~1\COMMON~1\CURITY~1\POOL32~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mquyb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wlcclpl. exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [dljxcopA] C:\WINDOWS\dljxcopA.exe
O4 - HKLM\..\Run: [qprff625] "RUNDLL32.EXE" w001abcb.dll,n 001ff62400000003001abcb
O4 - HKLM\..\Run: [w001bdcd.dll] "RUNDLL32.EXE" w001bdcd.dll,I2 001ff6240001bdcd
O4 - HKLM\..\Run: [{25-5D-D5-5D-ZN}] "C:\windows\system32\dwdsregt.exe" CORN003
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [Euci] "C:\WINDOWS\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [Qobdz] C:\PROGRA~1\COMMON~1\CURITY~1\POOL32~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346E99} - (no file)
O20 - AppInit_DLLs: repairs303169590.dll C:\WINDOWS\system32\taskmgr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MpService - Canon Inc. - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Read over the following directions. Ask if anything appears unclear to you.


Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\mquyb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,wlcclpl. exe

O4 - HKLM\..\Run: [ADSTART] "iexplore.exe" "-embedding http://iesettingsupdate"
O4 - HKLM\..\Run: [DLJXCOPA] C:\WINDOWS\dljxcopA.exe
O4 - HKLM\..\Run: [QPRFF625] "RUNDLL32.EXE" w001abcb.dll,n 001ff62400000003001abcb
O4 - HKLM\..\Run: [W001BDCD.DLL] "RUNDLL32.EXE" w001bdcd.dll,I2 001ff6240001bdcd
O4 - HKLM\..\Run: [{25-5D-D5-5D-ZN}] "C:\windows\system32\dwdsregt.exe" CORN003
O4 - HKCU\..\Run: [EUCI] "C:\WINDOWS\DOBE~1\explorer.exe" -vt yazr
O4 - HKCU\..\Run: [QOBDZ] C:\PROGRA~1\COMMON~1\CURITY~1\POOL32~1.EXE

O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346E99} - (no file)

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:

• Temporary Internet Files
• Downloaded Program Files
• Recycle Bin
• Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:

C:\WINDOWS\system32\mquyb.exe
wlcclpl.exe
C:\WINDOWS\dljxcopA.exe
w001abcb.dll
w001bdcd.dll
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\DOBE~1\explorer.exe
C:\PROGRA~1\COMMON~1\CURITY~1\POOL32~1.EXE






POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.