Shifty-Please take a peek


Nolowrider
06-21-2006, 10:11 PM
Shifty-Please take a look at this and see if anything catches your attention.
Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 9:14:58 PM, on 6/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\TGl2aW5nIHJvb20\command.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\dfndra.exe
C:\windows\system32\ppdsregq.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\win3208732-2007521.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\common files\aol\1118265035\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\sys012007521732-.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Living room\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [w607aad5.dll] RUNDLL32.EXE w607aad5.dll,I2 0009fd2c0607aad5
O4 - HKLM\..\Run: [sv1_0m] C:\WINDOWS\System32\sv1_0m.exe
O4 - HKLM\..\Run: [m8Ux] C:\windows\temp\m8Ux.exe
O4 - HKLM\..\Run: [6ahV7k] C:\WINDOWS\Kbfpsb.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] C:\windows\system32\ppdsregq.exe GID003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms0621732-20075] C:\WINDOWS\ms0621732-20075.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [win3208732-2007521] C:\WINDOWS\win3208732-2007521.exe
O4 - HKLM\..\Run: [sys012007521732-] C:\WINDOWS\sys012007521732-.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134791429921
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\p06slaj71do.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\o4660ejseho60.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o4660ejseho60.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl2aW5nIHJvb20\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

shifty
06-22-2006, 03:14 PM
Yes, there is a lot that gets my attention. This computer is severely hijacked, and this is one of those times when I would typically insist on a format and reinstall because it's so bad I would be scared to touch the computer again.

First off, I see these mysterious (bad) processes running in the background:

C:\WINDOWS\TGl2aW5nIHJvb20\command.exe
C:\dfndra.exe
C:\WINDOWS\system32\mptft.exe
C:\windows\system32\ppdsregq.exe
C:\WINDOWS\win3208732-2007521.exe
C:\WINDOWS\system32\ssec.exe
C:\WINDOWS\system32\tfthot.exe
C:\WINDOWS\sys012007521732-.exe

I don't recognize any of them and most likely every single one is very, very bad - like trojan/backdoor access and "OMG I just had my identity stolen by hackers" or "The FBI just raided my house because I hacked NASA" type of bad. :)


To work on this, you can start by closing all of your open programs (including the browser you're reading this post with), then opening HijackThis, putting a checkmark next to all of these lines (double-check you got all of them), then clicking the "FIX" button:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=

O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [w607aad5.dll] RUNDLL32.EXE w607aad5.dll,I2 0009fd2c0607aad5
O4 - HKLM\..\Run: [sv1_0m] C:\WINDOWS\System32\sv1_0m.exe
O4 - HKLM\..\Run: [m8Ux] C:\windows\temp\m8Ux.exe
O4 - HKLM\..\Run: [6ahV7k] C:\WINDOWS\Kbfpsb.exe
O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrd.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] C:\windows\system32\ppdsregq.exe GID003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms0621732-20075] C:\WINDOWS\ms0621732-20075.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [win3208732-2007521] C:\WINDOWS\win3208732-2007521.exe
O4 - HKLM\..\Run: [sys012007521732-] C:\WINDOWS\sys012007521732-.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\p06slaj71do.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\o4660ejseho60.dll
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\o4660ejseho60.dll

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl2aW5nIHJvb20\command.exe



Even after you fix a lot of this stuff, it's going to come back again.

I highly suggest you go download and install Ewido Security Suite, update it (DO NOT SCAN yet), reboot into Safe Mode, then scan from Safe Mode. This will wipe some of this crap off.
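
An added triage helper (my own code, not part of this thread and not a HijackThis feature) that applies the signals shifty used above to a constructed subset of the posted log: programs dropped in the drive root or a temp directory, random-looking file names, Winlogon Notify DLLs and services with no publisher. The function names, the thresholds in looks_random and the base64 check are my assumptions; the service directory TGl2aW5nIHJvb20 in this log really does decode to the account name "Living room".

```python
import base64
import re
# Constructed subset of the HijackThis log posted above (same lines, fewer of them).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [m8Ux] C:\windows\temp\m8Ux.exe
O4 - HKLM\..\Run: [defender] C:\\dfndra.exe
O4 - HKLM\..\Run: [sys012007521732-] C:\WINDOWS\sys012007521732-.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\p06slaj71do.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGl2aW5nIHJvb20\command.exe
"""

def looks_random(name):
    """Generated-looking name: long digit run, digits mixed in twice, or almost no vowels."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    return (re.search(r"\d{4,}", name) is not None or len(re.findall(r"\d+", name)) >= 2
            or (len(letters) >= 5 and vowels / len(letters) < 0.2))

def decodes_as_text(part):
    """Is a path component base64 of printable text? TGl2aW5nIHJvb20 here is 'Living room'."""
    try:
        raw = base64.b64decode(part + "=" * (-len(part) % 4), validate=True)
        return len(raw) > 3 and all(32 <= b < 127 for b in raw)
    except ValueError:        # non-base64 characters, bad length, or non-ASCII input
        return False

def path_reasons(path):
    """Reasons a program path from an O4/O20/O23 entry deserves a second look."""
    parts = path.replace("/", "\\").split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    checks = [("drive root", len([p for p in parts if p]) == 2),      # dropped straight into C:\
              ("temp dir", any(p.lower() == "temp" for p in parts)),
              ("random-looking name", looks_random(stem)),
              ("base64 directory name", any(decodes_as_text(p) for p in parts[1:-1]))]
    return [label for label, hit in checks if hit]

def triage(log):
    """Return (entry type, reason, log line) for every entry the heuristics flag."""
    hits = []
    for line in log.splitlines():
        kind = line.split(" - ", 1)[0]
        if kind == "O4" and "] " in line:
            target = line.split("] ", 1)[1]                       # program plus any arguments
            m = re.match(r"(.*?\.(?:exe|dll))", target, re.I)
            hits += [(kind, r, line) for r in path_reasons(m.group(1) if m else target.split()[0])]
        elif kind in ("O20", "O23"):
            owner = ["no publisher"] if "Unknown owner" in line else []
            hits += [(kind, r, line) for r in owner + path_reasons(line.rsplit(" - ", 1)[1])]
    return hits
```

Run triage() over a full log and the Winamp and AOL entries stay quiet while the five suspicious lines above each come back with at least one reason; treat the output as a shortlist to research, not a verdict.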

shifty
06-22-2006, 03:15 PM
PS - if the person using this computer was doing online banking, PayPal, eBay or other such things, once you get it cleaned up it is VERY important they change their passwords on every secure site they've logged into. (Yes, this is THAT bad of an infection!)