Author Topic: Need help with infected computer  (Read 3119 times)

Guest_xsolx_*

Need help with infected computer
« on: March 29, 2005, 03:20:53 PM »
My dad's computer seems to be infected with some sort of hijacker virus. The 'Desktop' section of Display Properties is locked. Also, the icons on the desktop seem to clone themselves (if I place one on there, a second, undeletable icon appears alongside it), and the right mouse button seems to be disabled. I have run Spybot and AdAware to no avail. Here is a HijackThis log for the comp.

Logfile of HijackThis v1.99.1
Scan saved at 2:19:35 PM, on 3/29/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\saap.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Opera\opera.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [larsz] c:\windows\larsz.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Any help would be much appreciated.

Offline xsolx

Need help with infected computer
« Reply #1 on: March 29, 2005, 03:28:46 PM »
Quick update: This XXX toolbar thing keeps trying to run some sort of plugin update, but the update keeps failing. Could this be part of the problem?

Offline guestolo

Need help with infected computer
« Reply #2 on: March 29, 2005, 03:40:35 PM »
Can you open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the SAVE LIST button

Save the list and copy and paste it back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline xsolx

Need help with infected computer
« Reply #3 on: March 29, 2005, 03:52:03 PM »
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
ESoft
Finale NotePad 2004
FreeRIP v2.60
HijackThis 1.99.1
IEFeatSL Uninstall
Intel Application Accelerator
Intel® Extreme Graphics Driver Software
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
Java 2 Runtime Environment, SE v1.4.2_04
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
MathPlayer
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Express 7.0
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
MSN
MSN Encarta Plus Support Files
MSN Messenger 6.2
MSN Music Assistant
MSN Toolbar
MSSearch
My Search Bar
Native Instruments Battery 2 Demo
Nero - Burning Rom
Norton AntiVirus 2002
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Opera
QuickTime
RealPlayer
Realtek AC'97 Audio
Secure Delivery
Shockwave
SonicStage 3.0
Sony Net MD Help
Spybot - Search & Destroy 1.3
Uninstall 180searchAssistant
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887811
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
Winds 2.4

Offline guestolo

Need help with infected computer
« Reply #4 on: March 29, 2005, 04:09:04 PM »
Access your Add/Remove Programs

Stay Online and Remove Uninstall 180searchAssistant
Read the prompts carefully for removal procedure

Restart your computer when prompted after removal or restart anyways

Back in Windows

Go back to Add/Remove Programs and try and first remove
My Search Bar
and then remove
IEFeatSL Uninstall

========
Secure Delivery is related to Kontiki>>You may also choose to remove it

Restart after removing the above
Come back here and post a fresh Hijackthis log

Offline xsolx

Need help with infected computer
« Reply #5 on: March 29, 2005, 04:23:50 PM »
[quote name='guestolo']Stay Online and Remove Uninstall 180searchAssistant
Read the prompts carefully for removal procedure[/quote]

I hit Change/Remove, and it gives me the "make sure you're connected to the internet" prompt. I hit yes but nothing comes up after I hit yes. Any suggestions?

Offline guestolo

Need help with infected computer
« Reply #6 on: March 29, 2005, 04:27:43 PM »
Can you carry on with the rest of the instructions>>You may also need to have a browser open
Post back a fresh hijackthis log afterwards
Let me know later what you could and couldn't do
« Last Edit: March 29, 2005, 04:28:29 PM by guestolo »

Offline xsolx

Need help with infected computer
« Reply #7 on: March 29, 2005, 04:59:58 PM »
Attempt to uninstall My Search Bar resulted in:
C:\PROGRA~1\MyWay\MyBar\1.bin\mybar.dll - Module Not Found (No files found in any folders)

Attempt to uninstall IEFeatSL resulted in:
C:\WINDOWS\Image.dll - Module not Found (No image.dll, there is an image.new however)

Secure Delivery uninstalled without a problem. I'm going to go dig for these files and see what I come up with. Any other strategies?

EDIT: I just searched for saap (related to 180uninstall) and found these files

5 HTML files found in the folder tv.180solutions (tv.180soultions.com)
saap.exe
saap.txt
saapau.dat
saaphook.dll
saap_gdf.dat
saap_kyf.dat
SAAP.EXE-00300706.pf

Safe to delete these?


BTW, new log
----
Logfile of HijackThis v1.99.1
Scan saved at 3:58:35 PM, on 3/29/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\WebSiteViewer\124842.dlr
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
c:\windows\saap.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [lwfil] C:\WINDOWS\lwfil.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
« Last Edit: March 29, 2005, 05:15:18 PM by xsolx »

Offline guestolo

Need help with infected computer
« Reply #8 on: March 29, 2005, 05:23:05 PM »
Don't worry about IEFeatsl right now, we should be able to remove it with CWShredder

Can you do me a favor please
Download and UNZIP to desktop
LSP fix>>>Open it and let me know what you see in the
KEEP side>>Also let me know what you see in the Remove side
Then we'll try some fixes on your computer

http://www.cexx.org/lspfix.htm
« Last Edit: March 29, 2005, 05:24:00 PM by guestolo »

Offline xsolx

Need help with infected computer
« Reply #9 on: March 29, 2005, 05:45:20 PM »
I will do that as soon as I get home from work. Thanks for all the help so far.

Offline xsolx

Need help with infected computer
« Reply #10 on: March 31, 2005, 02:18:06 PM »
Here is what LSPFix said

Keep
mswsock.dll
winrnr.dll
rsvpsp.dll

Remove
(none)

Also, is it safe to delete the files that I listed above that are related to 180searchassistant?

[quote name='xsolx']5 HTML files found in the folder tv.180solutions (tv.180soultions.com)
saap.exe
saap.txt
saapau.dat
saaphook.dll
saap_gdf.dat
saap_kyf.dat
SAAP.EXE-00300706.pf[/quote]

Offline guestolo

Need help with infected computer
« Reply #11 on: March 31, 2005, 08:37:06 PM »
Let's continue working on your log first

I need you to download a few tools
I assume the right click function of the mouse is still not working
Can you first download and save to a folder
NoRight.zip>>> UNZIP the contents so you now have NoRight.reg in the same folder
We'll need this in a bit

===Download from my Signature below CWShredder.exe and save it to a folder
Don't run it yet

===Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Install for now, don't run a scan yet

===Download and save to a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later

===Download and UNZIP to a folder
HSFIX.zip
HSFix directory will be created
We'll need this later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Disconnect from the Internet

I need you to disable Spybot's Tea Timer so it won't interfere with any fixes we try
Start Spybot>>Click Mode>>advanced Mode>>Ok it
Tools>>Resident>>Uncheck Resident Tea Timer>>Accept the change
Restart the computer to ensure it's disabled

Double click on NoRight.reg and allow to merge to the registry

RESTART your Computer in SAFE MODE

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- WebSeach Toolbar support NT service (TBPSSvc)

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
Do the same for this one
ZESOFT

Find and delete these files or folders if found
C:\WINDOWS\desktop.html <-file
C:\WINDOWS\Web\desktop.html <-file
c:\windows\saap.exe <-file
C:\WINDOWS\lwfil.exe <-file
C:\WINDOWS\zeta.exe <-file
C:\WINDOWS\System32\paytime.exe <-file
C:\WINDOWS\SYSTEM32\drct16.dll <-file

C:\Program Files\WebSiteViewer <-folder
C:\Program Files\Toolbar <-folder
Also, Delete the 180 Solutions folder

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [lwfil] C:\WINDOWS\lwfil.exe

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

===Open Hijackthis>>Open Misc tools section>>Click the "Delete an NT service" button
Copy and paste or type the following in bold into the blank box and hit OK
TBPSSvc
Do the same for this one
ZESOFT

===Again, in safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this, and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt

===Open CWShredder.exe and Click the FIX button
Let it fix what it finds

Restart Back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab==Reset home page

Post back a fresh Hijackthis log afterwards
and the contents of the log C:\hslog.txt

Let me know if you have now regained your right click on your mouse
We will tackle your double icons and Locked Display properties next

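A small triage script for the HijackThis log format used throughout this thread, added here as an example (it is not part of the original thread and not HijackThis's own code): it parses log lines and flags the same kinds of entries guestolo picks out above: IE pages set to a bare IP, Run entries launching unknown binaries from the Windows directory, O15 trusted-zone additions, "(file missing)" registrations, Winlogon Notify DLLs not on a known-good list, and services with no vendor. The sample log lines and the two small allowlists are constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.99 log format, modelled on the entries
# posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
""".strip()

# Assumed-benign names for the two heuristics that need an allowlist. These are
# placeholders constructed for the example; real triage relies on a maintained
# database of known-good startup entries, which this script does not have.
KNOWN_RUN_BINARIES = {"ctfmon.exe"}
KNOWN_WINLOGON_DLLS = {"igfxsrvc.dll"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?(.*?\.(?:exe|dll|com|bat|scr))', re.IGNORECASE)


def win_basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def win_dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (section, reason) if a log line warrants review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # process list, headers and blank lines are skipped
    sec, body = m.group("sec"), m.group("body")
    # Any section: a registration whose target file is gone is a leftover
    # from an incomplete uninstall or a partially removed component.
    if "(file missing)" in body:
        return sec, "registration points at a file that no longer exists"
    if sec in ("R0", "R1"):
        # IE start/default/local page set to a bare IP is a classic hijack sign.
        url = body.split(" = ", 1)[-1]
        if host_is_ip(url):
            return sec, "IE page set to a bare IP address: " + url
    elif sec == "O4":
        # Run key: binaries dropped straight into the Windows directory that
        # are not on the (assumed) known-good list get flagged.
        rest = body.split("] ", 1)[-1]
        pm = PATH_RE.match(rest)
        path = pm.group(1) if pm else rest
        d, b = win_dirname(path), win_basename(path)
        if d.endswith(("\\windows", "\\windows\\system32")) and b not in KNOWN_RUN_BINARIES:
            return sec, "Run entry launches unrecognised binary from Windows dir: " + path
    elif sec == "O15":
        # Trusted Zone / Trusted IP range entries relax IE's security settings
        # for that site; every one of them should be accounted for.
        return sec, "IE trusted zone or IP range added: " + body.split(": ", 1)[-1]
    elif sec == "O20":
        # Winlogon Notify packages are loaded into winlogon.exe at logon.
        path = body.rsplit(" - ", 1)[-1]
        if win_basename(path) not in KNOWN_WINLOGON_DLLS:
            return sec, "Winlogon Notify DLL not in known-good list: " + path
    elif sec == "O23" and "Unknown owner" in body:
        # Services with no vendor string; both such entries in this thread
        # were the ones the helper told the poster to remove.
        return sec, "service with no vendor: " + body.rsplit(" - ", 1)[-1]
    return None


def triage_log(text):
    """Run every line of a HijackThis log through triage_line; return the hits."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for sec, why in triage_log(SAMPLE_LOG):
        print(f"{sec:<4}{why}")
```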
Offline guestolo

Need help with infected computer
« Reply #12 on: March 31, 2005, 09:11:12 PM »
I forgot to add NoRight.zip file to the instructions
Here it is, sorry about that

If it's too late and you didn't see this at first
Can you download it now and unzip it  and follow the instructions to merge it

Restart your computer
« Last Edit: March 31, 2005, 09:15:25 PM by guestolo »

Offline xsolx

Need help with infected computer
« Reply #13 on: April 11, 2005, 06:09:18 PM »
Well, finally got back around to trying to fix this comp. School can be a biznatch sometimes.

Anyway, the locked Display Props and Right Click problem seem to be fixed. Now the only remaining problem is the double icon problem.

New Log

Logfile of HijackThis v1.99.1
Scan saved at 6:08:26 PM, on 4/11/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Offline guestolo

Need help with infected computer
« Reply #14 on: April 11, 2005, 06:28:20 PM »
Since you haven't posted back for a while, I've been trying a new registry fix

Can you first create a new Restore point, something to fall back on, just in case
Start>>All programs>>accessories>>System Tools>>system restore
Create a new restore point
Name it and click Create

After that is done

Download and UNZIP to a folder fixdesktop.zip
So you have fixdesktop.reg in the same folder
[attachment=136:attachment]

Download and save to a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
I asked you to download this earlier, in case you don't have it, download it now

Just to be safe, any files or folders that you saved to the desktop, can you copy and paste them to another folder, such as MyDocuments

After that is done
Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll

O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Double click on Fixdesktop.reg and allow to merge to the registry

Restart your computer

Delete this file if found
C:\WINDOWS\drexinit.dll <-file

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Try changing your Background
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Check for updates with Spybot >> download all updates and check for problems
Fix everything in RED
Restart your computer if anything fixed

You should also check for updates with Ad-Aware
Run a scan and restart the computer if anything removed
Make sure you're using Spybot 1.3 and Ad-Aware SE 1.05

Post back a fresh Hijackthis log afterwards

Do you still have anything to do with IPOD installed, this entry shows it may have been removed
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

Also, you didn't post back the log from HSFix.bat
can you do that now
C:\hslog.txt <--this log
« Last Edit: April 11, 2005, 06:31:52 PM by guestolo »
