Hi WestLake,

Too bad Judy (jholland) is away. If she were here, girl-to-girl you guys would have cleaned this system up in a jiffy. Anyhow, though I don't usually deal with this section, I will try to help so you won't think IANAG people also ignore 14-yo girls!

I am assuming this is for a personal home computer? If not, some of the instructions may not be proper to follow, so let me know.

Here is the portion of the log (analyzed through our own Online Log Analyzer) that I wanted you to pay attention to:

R3 - URLSearchHook: (no name) - - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
File Missing
When a file is missing, you should always have HijackThis fix the item.

O4 - HKCU\..\Run: [internat.exe] internat.exe
internat.exe
2 possibilities for the above entry!
a. internat.exe is installed with Windows and is a process to provide Microsoft's multi-lingual features in Microsoft Windows.
or
b. internat.exe could also be a process which is registered as the Win32.Lydra.a information stealing Trojan. This Trojan allows attackers to access your computer, personal data and information.
*** If multi-lingual features are indeed installed and being used then it should be safe so ignore it.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Internet Explorer Restrictions
Spybot or some other security program/plug-in could be doing this, but this is a user-selected option. If there were no such settings opted by the user, then have HJT fix this as well.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
Related
Alexa_registry_entry Registry key that creates a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
Related
Alexa_registry_entry Registry key that creates a menu item that points to a local web page that points to an MSN search page that uses the Alexa engine.
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item.
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service (file missing)
File Missing
When a file is missing, you should always have HijackThis fix the item.

*** Additionally, the following entries are non-essential and I advise people to remove them, but it is entirely up to the user's preference:

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe

This is all I could see, with the exception of the Proxy override, which could be a legit setting placed by the ISP:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Do the above steps while Windows is running in Safe Mode. Also, before booting into Safe Mode, download ATF-Cleaner and run it after using HJT.

Afterwards, if there are still any issues, please provide detailed info.


~TL
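
An added example, not part of the original post or of the Online Log Analyzer it mentions: a small Python triage of HijackThis lines that applies the two checks used in the reply above (entries whose file is missing get fixed; a Run entry with no path, like internat.exe, needs a manual look at which file it resolves to). The function names and verdict labels are assumptions of this sketch; the sample lines are copied from the log above.

```python
import re

# "<section code> - <rest of entry>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis marks a dangling entry with "(no file)" or "(file missing)"
MISSING = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
# Registry autorun values: "HKCU\..\Run: [value name] command line"
RUN_VALUE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[^:]*: \[[^\]]*\] (?P<cmd>.+)$")

# Lines copied from the log in the post; "File Missing" is analyzer commentary.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - - (no file)
File Missing
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\SBHookSvc.exe (file missing)
"""

def triage(line):
    """Return (code, verdict, reason) for one log entry, or None for non-entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if MISSING.search(body):
        return (code, "fix", "target file is missing")
    run = RUN_VALUE.match(body) if code == "O4" else None
    if run:
        cmd = run.group("cmd").strip()
        # Executable is the quoted string, or the first token if unquoted
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe:
            # Bare name: Windows resolves it via the search path, so the
            # entry alone does not say which file on disk actually runs.
            return (code, "review", f"{exe} has no path; check the file it resolves to")
    return (code, "none", "no automatic finding")

def triage_log(text):
    """Triage a whole log and keep only entries that need action."""
    results = (triage(line) for line in text.splitlines())
    return [r for r in results if r and r[1] != "none"]

if __name__ == "__main__":
    for code, verdict, reason in triage_log(SAMPLE):
        print(f"{code:<4}{verdict:<8}{reason}")
```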