Nasty little critters on my computer!!

Okay post you HJT log as an attachment. But read the below link and follow directions on posting HJT logs. Make sure you have version 1.98.2 of HJT and put it in its own non-temp, non-desktop, non-Documents and Settings folder (see the link).

NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Please follow the directions for using HijackThis. We asked for it be place into its own directory.
You are running it directly from the ZIP file. You will not get any backups that way. This where you currently have it.
C:\Documents and Settings\Debs\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

You must fix this before continuing!

Also, we specifically tell you to shutdown browsers before scanning. You had IE running.
C:\Program Files\Internet Explorer\iexplore.exe

Having browsers running when using HijackThis to fix items can interfere with the ability to fix problems.

 

First, goto Add/Remove Programs and look for an uninstall for Spyware Begone. It is on a list of rogue/suspect spyware removers and is not doing anything useful for you. See this link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If it does uninstall, you will not see the line below in HJT that I will suggest to fix.

Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9ACA209-B852-40A2-86A7-C1F4DA445DAD} - C:\WINDOWS\System32\abf.dll (file missing)
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetm\services.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {A5C76BEB-C8A9-4F59-BB90-52A821EAB9C9} (Desktop Object) - http://sib1.od2.com/common/cman/cman.dll

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\inetm <---- the whole directory

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Questions:
Do you recognize the URLs listed below in the O17 lines? Is this your ISP?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au,vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nsw.bigpond.net.au,vic.bigpond.net.au

Here is some more info on those URLs:
vic.bigpond.net.au = [ 139.134.5.153 ] & nsw.bigpond.net.au = [ 139.134.5.153 ]
Domain Name: bigpond.net.au
Last Modified: 02-Apr-2004 05: 20: 04 UTC
Registrar ID: R00012-AR
Registrar Name: TPP Internet
Status: OK
Registrant: Telstra Corporation Limited.
Registrant ID: ACN 051775556
Registrant ROID: C0981976-AR
Registrant Contact Name: Domain Administrator
Registrant Email: corpdomains@team.telstra.com

 

Back in message # 4, I said:
"You are running it directly from the ZIP file. You will not get any backups that way. This where you currently have it.
C:\Documents and Settings\Debs\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

You must fix this before continuing!"

You still did not fix this problem. You are still running HijackThis directly from the ZIP. You are not getting any backups when doing it this way. You must correct this. Extract the EXE file from the ZIP and put it into its own folder like C:\Program Files\HJT

 

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure


Now we need to reset your Web Settings:

Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com (or whatever your preference is. You had http://www.dell.com). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Does your Norton Anti Virus tell you where it is finding rundlg32.dll?

Is it in C:\Windows\downloaded program files\rundlg32.dll

We may need to edit the registry by hand if you are still getting messages about missing:
C:\WINDOWS\inetm\services.exe

 

Okay you HJT log looks clean. Most files in C:\WINDOWS\downloaded program files cannot be seen by normal methods. You have to either do this from the command prompt or by using another utility like ExplorerXP. Give ExplorerXP a run it will be a little simplier than command prompt and could be useful in the future anyway. Just navigate to the directory and right click on the file and select delete. Let me know how that works out.

Are you still getting messages about missing:
C:\WINDOWS\inetm\services.exe

 

The link for the SpyBot fix is here: Spybot - Search and Destroy DSO Exploit Fix 1.3.1 TX

 

Debs,

The hits from Spyware Doctor are not valid. It is detection the information that Spybot's Immunize feature has put into your registry to place these bad addresses in your restricted zones.

 

Thanks for the praise Brady and for the referrals. We strive to be the best. I did not notice this thread had new info in it until just now. It had slid out of view too quickly I guess.