Help, my work computer

[Melodi]

Some how I think that Wintools thing got on to my computer. It kept popping up for me to download it and I kept closing out of it and it keeps showing up. This is frustrating me because I haven't been surfing anything out of the ordinary. I downloaded the google toolbar and now I get full page popups advertising that stupid WinAntispyware stuff. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:36:28 PM, on 9/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\Go ogleToolbarNotifier.exe
C:\aceutilities\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.dohmen.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.dohmen.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,
O2 - BHO: (no name) - {6F917E1F-E818-4646-96D0-61F87CF1F294} - C:\WINDOWS\system32\kerrcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\Go ogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.dohmen.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {331CCD4A-AA1C-4C0F-8960-DB8A135C9F9E} (PDT.ctlPDT) - https://www.dohmendirect.com/WebObje...ources/PDT.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1123773622140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123773404562
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_02) - http://10.10.10.90/WFC/plugins/j2re-1_3_1_02-win.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dohmen.com
O17 - HKLM\Software\..\Telephony: DomainName = Dohmen.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Dohmen.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Dohmen.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: c:\windows\system32\mljjhig.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: kerrcl - C:\WINDOWS\SYSTEM32\kerrcl.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Client Access Express Remote Command (Cwb**d) - IBM Corporation - C:\WINDOWS\CWB**D.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

[Mobo]

Is this a business computer from your place of employment melodi ?

[Melodi]

Yes it is. It's the Winantivirus2006 thing and I ran a panda scan and it told me where to locate and erradicate the junk so i'm working on that....

Anything in that log?

[Mobo]

Suspected dll files yes but they may or atleast could be some software that I am unaware of. I would hate to delete them and they could be of some use.

[Melodi]

Too Late, I already got rid of the nasties that Panda told me about, then I couldn't open Firefox because it said it was running, no processes showed firefox running, so I uninstalled it, reinstalled it and got the same message. So I uninstalled it, edited the registry, reinstalled it and still got the message that firefox had a process running. So I downloaded Killbox! and had it find all firefox files and delete them, and I downloaded firefox again, reinstalled it and now it works

Gotta love that kill box. I'm not getting the winantivirus2006 anymore.........
Of course I have lost all my favorites in firefox, my default browswer.

Oh and I forgot to mention when firefox wouldn't work, I downloaded flock again to give it another try, I don't like that browser at all. It is definately for a 'myspace' user and I am not a blogger.................at least not about my personal life anyway

[Mobo]

Well good job them Melodi.

[Melodi]

HUH? I was expecting you to give me a small lecture?

Even though I feel very satisfied with what I did LOL

I wonder what happened with firefox why it crashed so hard like that.

[Mobo]

I would say a corrupted file of some sorts and it was likely in the documents and settings folder where they don't get deleted even onan uninstall.

[Melodi]

Mobo, not kidding, that Winantivirus is BACK and I have not even opened up IE. Most of the day without FF I didn't have it, it was gone.

What is going on? Is firefox bringing this in? I thought I got it from IE? OMG, what is causing this? It started happening again just now and it wasn't around all afternoon after I deleted it and wasn't using FF.

Leaving work, will check in later

[Mobo]

Its not a browser popup. Its popup files are on the pc like I said and obviously they didn"t get deleted by panda.