hijack log posted-please help

Please see below which needs to be deleted. My home page keeps changing to searchmall.com and I get countless pop-ups.
Thanks
JConlee

Logfile of HijackThis v1.97.7
Scan saved at 12:36:11 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NAVNT\navapsvc.exe
C:\PROGRA~1\NAVNT\npssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\PROGRA~1\NAVNT\alertsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
C:\WINDOWS\services.exe
C:\WINDOWS\System32\ruxiwvtq.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BestBuy\HelpExpress\conlee\HXIUL.EXE
C:\Program Files\BestBuy\HelpExpress\conlee\Client\HelpExp.exe
C:\Program Files\NAVNT\navapw32.exe
C:\WINDOWS\emsw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\conlee\LOCALS~1\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07464f9f-889c-45c0-bb0d-38f20ac4a9ce} - C:\DOCUME~1\conlee\APPLIC~1\grbraoadsscr.dll (file missing)
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
O4 - HKLM\..\Run: [uxhgvhwx] C:\WINDOWS\System32\uxhgvhwx.exe
O4 - HKLM\..\Run: [trdssbr] C:\DOCUME~1\conlee\APPLIC~1\pblllshg.exe -QuieT
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [service] C:\WINDOWS\services.exe -serv
O4 - HKLM\..\Run: [bbpuqqoodln] C:\WINDOWS\System32\ruxiwvtq.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\BestBuy\HelpExpress\conlee\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\BestBuy\HelpExpress\conlee\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [SpywareKilla] "C:\PROGRA~1\SPYWAR~1\SpywareKilla.exe"
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgrc.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.museum.go.kr/kor/ivr/activex_test/LPControl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/installers/InterActXInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.5256944444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = m28742.ecpm.com
O17 - HKLM\Software\..\Telephony: DomainName = m28742.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F617F08-9A5C-42F0-8657-D166EB040059}: Domain = m28742.ecpm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE7B3479-34B3-4A55-B4D9-CBDE5EC46154}: Domain = m28742.ecpm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = m28742.ecpm.com

 

I guess I should say that I am using windows xp home edition.
Also, I can see from the hijack log that there are numerous tags that include searchmall. Please view my log to see if there is anything else that seems sketchy.
Thanks

 

I need some major help here, and this is the only place that I can find anything even similar to what my computer keeps throwing at me. Last night, after my son trying to reboot the computer, AVG alerted him to a Trojan.... Downloader Agent BF. He got this alert just as Windows was trying to load and it was time for him to pick a User Account. Before he could click on the User Account, to get to AVG to get rid of it, the computer shut down and restarted. It does this everytime we try to get in there.

I restarted the computer in safe mode, and ran Norton... Adaware... and Spysweeper. And of course, nothing can be done about this virus. I can't even get AVG to load due to it being in safe mode. I'm just stuck... have no clue to go from here. I don't have hijack this or some of the other things I've been reading about.

Can't get on the internet due to being in safe mode to download anything. Is there anything at all I can do.... outside of pulling all my hair out??

Thanks in advance for any help or suggestions.

Calamity Jane

 

Sorry bout that everyone... I'm new to this, and wasn't sure where to go.