http://go.microsoft.com/fwlink/?LinkId=69157 redirects to www.msn.com

Also, if regedit acts weird, you can also try Tuneup Utilities(http://tuneup.swmirror.com/TU2007TrialEN.exe). It has their own customized version of regedit. Also, use the registry cleaner once you've sorted everything out and your computer is clean of virus/spyware/adware.

Does he uses a firewall?

Also check your host file (C:\WINDOWS\system32\drivers\etc\hosts)

Either Norton or Spysweeper is blocking the change.  My money is on Spysweeper.  Disable Spysweeper and you will notice that the change takes.  Then go into Spysweeper and go through the options until you find home page protection and you will see where you can have it allow you to change the page when you need to.

Thank you for all your suggestions.  I am trying multiple solutions.  I will keep you posted.

1.  I do not have hijackthis yet; couldn't easily find--will though
2.  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main did have the http://go.microsoft.com/fwlink/?LinkId=69157 link; however, once changed and changed in Inet Opts, changed back (even w/firewalls stopped).   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main did not.
3.  I have not tried (http://tuneup.swmirror.com/TU2007TrialEN.exe) yet;
4.  Yes, he does use a firewall; however, tried stopping -- no avail
5.  C:\WINDOWS\system32\drivers\etc\hosts was default -- no avail
6.  Neither Norton or Spysweeper was blocking the change -- no avail
7.  Will not use http://www.outerinfo.com/OiUninstaller.exe; contains Adware.MediaTicket
8.  Still have not gotten hijackthis; plan to upload the edited (protect user)  log for review.
9.  Running http://www.superantispyware.com/ now; 9 threats found so far, including Yassle.

I have approx 20 pages of writeup to do.  This was a very unusual box.  I will post the write up here.  Here is what I have so far:
February 9, 2007

User complaint:  Cannot view web.  Laptop connects, but unable to view.  Numerous errors pop up.
____________________
Checked SSL, TLS settings - good
_____________
Used Cingular Communications Manager – Showed full bars/full connection
____________________
ipconfig –all – showed no connection media, IP 0.0.0.0
____________________
Errors upon bootup:
NT On – Access Scanner Service
szAppName:  szAppVer: 0.0.0.0 szModName:Kernel32.dll
szModVer:5.1.2600.1106 offset 00013887
Symantec Email Proxy
TCP/IP is disabled.  Disable email scanning in your Symantec product options or install TCP/IP 1003,3
http://www.symantec.com/techsupport/servlet/ProductMessages?module=1003&error=3&lanuage=English&product=CC&version=104.0.1.17

_________________________

Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

.....more to follow :o)

Dell Inspirion 5100
Pentium 4
CPU 2.8 GHz
512MB RAM
_____________________________________________
Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1524
Date:            2/9/2007
Time:            6:08:39 PM
User:            S-1-5-21-204266967-2096854778-2472988758-1005
Computer:      HOSTNAME
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.  
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
_____________________________________________

Event Type:      Error
Event Source:      SENS
Event Category:      None
Event ID:      0
Date:            2/9/2007
Time:            7:36:53 PM
User:            N/A
Computer:      HOSTNAME
Description:
The description for Event ID ( 0 ) in Source ( SENS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.
, ServiceStart(): SensInitialize() failed.

_____________________________________________
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      5051
Date:            2/9/2007
Time:            7:43:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      DRTOM
Description:
The description for Event ID ( 5051 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: c:\PROGRA~1\mcafee.com\vso\mcshield.exe, 201608, 808 (0x328), 0x7ffe0304,
 Build Sep  8 2001 15:13:39 / 8.52
 Object being scanned = \Device\HarddiskVolume2\Documents and Settings\UserName\Local Settings\desktop.ini   ( @ 7025 (7024,7019,7011,93))

_____________________________________________

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            2/9/2007
Time:            7:44:00 PM
User:            N/A
Computer:      HOSTNAME
Description:
Faulting application , version 0.0.0.0, faulting module KERNEL32.DLL, version 5.1.2600.1106, fault address 0x00013887.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 20 30 2e   ure   0.
0018: 30 2e 30 2e 30 20 69 6e   0.0.0 in
0020: 20 4b 45 52 4e 45 4c 33    KERNEL3
0028: 32 2e 44 4c 4c 20 35 2e   2.DLL 5.
0030: 31 2e 32 36 30 30 2e 31   1.2600.1
0038: 31 30 36 20 61 74 20 6f   106 at o
0040: 66 66 73 65 74 20 30 30   ffset 00
0048: 30 31 33 38 38 37         013887  
_____________________________________________

rpggamergirl.   Now how can you possibly say that I don't trust your advice, I'm happy to have your advice and I've been using the tools you provided for the last 4 hours.  No doubt you know what you are talking about!  As for Purityscan -- its definately part of the promblem:  both Yazzle and Cowabanga.  Just had to pick what to use first.  You can look at the hijack log in that you provided me an excellent link.    And I certainly thank you for http://www.superantispyware.com; I was amazed to still see 19 items left.  What was even more amazing was when it started cleaning, and it kept trying to install itself into the Restore partitions  I ran two different Antispyware and Antivirus tools on two different computers for the http://www.outerinfo.com/OiUninstaller.exe and came up with the same results: MediaTicket; there are many false positives, I'm sure this must be one.  Thanks for everything, but I still need your help.

February 9, 2007

Ok, guys and gals.  This has become an obsession and I need to get rid of this box!  I have this one final thing to fix and the output of hijackthis is at the bottom of this post.  I have run the latest http://www.superantispyware.com.  I have changed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main to reflect www.dogpile.com.  I have disabled:  Norton Antivirus, Spyweeper, Superantispy, engaged the wireless modem, brought up IE7, and it still throws the redirect up.  Maybe I'm just tired and not seeing something.

_______________________
Tools used:

WinsockxpFix.exe
Norton_Removal_Tool
20070215-033-x86 NAV defs forced
Norton SystemWorks 2006
avg75free_441a944.exe
avgas-setup-7.5.0.50
CheckIt
cports.zip from nirsoft.net
xp_exe_fix.zip
Helix fprot antivirus
IE7-WindowsXP-x86-enu.exe
Webroot SpySweeper
mrublastersetup.exe
regscanner from nirsoft.net
spywareblastersetup351.exe
myuninst.zip
Registry Mechanic
SuperAntiSpyware.exe
alternativ hijackthis

___________________________________-
Found throughout:
Trojan LuckBar888
Adware Softomate
Adware Click Spring
Adware Drive Clean
Trojan Dropper.Dollar
PurityScan
Webhancer
SaveNow
Not-A-Virus
Adware New Dot Net
Trojan Downloader
Trojan Dropper.Small
Adware Why PPC
Tracking Cookie Clickbank
Tracking Cookie TribalFusion
Tracking Cookie Findwhat
Adware Media Ticket
Adware Command
Adware Maxfiles

_________________________________

User liked viewing porn sites
User did not keep service packs and hot fixes up to date
User accepted that Norton Antivirus had stopped working
User had no firewall
User had no Anti Spyware

_________________________-
Best guess:  user viewed particular porn site
Picked up Webhancer
Opened vulnerabilities for Adwares
Opened port for MyDoom2
Opened vulnerabilities for Dropper.Dollar
Opened port for MyDoom3
Disabled / corrupted Anti-virus portion of Norton SystemWorks
Norton corrupted TCP/IP Stack
Made numerous copies of self in GoBack
Opened port for Dropper.Small
Lost connectivity December 14, 2006

_____________________________

Here's the history:

User complaint:  Cannot view web.  Laptop connects, but unable to view.  Numerous errors pop up.
____________________
Checked SSL, TLS settings - good
_____________
Used Cingular Communications Manager – Showed full bars/full connection
____________________
ipconfig –all – showed no connection media, IP 0.0.0.0
____________________

Check Network Connections

Connected.  Cingular Accelerated Connected.  Full Bars.

ping google.com
Windows Sockets interface, error code 0 returned
_______________________
WINDOWS
IP Configuration
IP Routing Enabled:  No
WINS Proxy Enabled:  No
Ethernet Adapter Wireless Network Connection: 2
Sierra Wireless 3G Adapter
DHCP Enabled: Yes
Autoconfiguration Enabled: Yes
Subnet Mask 0.0.0.0
IP Address 0.0.0.0
Default Gateway
DHCP Server 0.0.0.0

ipconfig /all
no media connected

____________________________

Errors upon bootup:
NT On – Access Scanner Service
szAppName:  szAppVer: 0.0.0.0 szModName:Kernel32.dll
szModVer:5.1.2600.1106 offset 00013887
Symantec Email Proxy
TCP/IP is not disabled.  Disable email scanning in your Symantec product options or install TCP/IP 1003,3
http://www.symantec.com/techsupport/servlet/ProductMessages?module=1003&error=3&lanuage=English&product=CC&version=104.0.1.17
________________________
Microsoft Visual C++ Runtime Library
Runtime Error!
Program C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
______________________________

Program:C:\Program Files\Common Files\Symantec Shared\ccApp.exe
____________________________________
ConfigWiz
Another instance of the Wizard is running
_________________________________
Services running AIM at startup
__________________________________

Checked Logs --- Significant:

Dell Inspirion 5100
Pentium 4
CPU 2.8 GHz
512MB RAM

Event Type:      Warning
Event Source:      Userenv
Event Category:      None
Event ID:      1524Date:            2/9/2007
Time:            6:08:39 PM
User:            S-1-5-21-204266967-2096854778-2472988758-1005
Computer:      HOSTNAME
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.  
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
_____________________________________________

Event Type:      Error
Event Source:      SENS
Event Category:      None
Event ID:      0
Date:            2/9/2007
Time:            7:36:53 PM
User:            N/A
Computer:      HOSTNAME
Description:
The description for Event ID ( 0 ) in Source ( SENS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may

be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Event System Win32 Error: No service is operating at the destination

network endpoint on the remote system.
, ServiceStart(): SensInitialize() failed.

_____________________________________________
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      5051
Date:            2/9/2007
Time:            7:43:56 PM
User:            NT AUTHORITY\SYSTEM
Computer:      HOSTNAME
Description:
The description for Event ID ( 5051 ) in Source ( McLogEvent ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer.

You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: c:\PROGRA~1\mcafee.com\vso\mcshield.exe, 201608, 808

(0x328), 0x7ffe0304,
 Build Sep  8 2001 15:13:39 / 8.52
 Object being scanned = \Device\HarddiskVolume2\Documents and Settings\UserName\Local Settings\desktop.ini   ( @ 7025 (7024,7019,7011,93))

_____________________________________________

Event Type:      Error
Event Source:      Application Error
Event Category:      (100)
Event ID:      1000
Date:            2/9/2007
Time:            7:44:00 PM
User:            N/A
Computer:      HOSTNAME
Description:
Faulting application , version 0.0.0.0, faulting module KERNEL32.DLL, version 5.1.2600.1106, fault address 0x00013887.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 20 30 2e   ure   0.
0018: 30 2e 30 2e 30 20 69 6e   0.0.0 in
0020: 20 4b 45 52 4e 45 4c 33    KERNEL3
0028: 32 2e 44 4c 4c 20 35 2e   2.DLL 5.
0030: 31 2e 32 36 30 30 2e 31   1.2600.1
0038: 31 30 36 20 61 74 20 6f   106 at o
0040: 66 66 73 65 74 20 30 30   ffset 00
0048: 30 31 33 38 38 37         013887  
_____________________________________________

Installed People PC ISP
ipconfig /all
no connection media

uninstalled People PC ISP

____________________________-

googled errors:
Followed SENS error
joined Experts Exchange
Found answer with -- Windows XP Home Can't Get an IP Address_WinsockxpFix.exe

_______________________

GOT CONNECTION
__________________________

Multiple popups
Freezes
Stalls
Overheating

_____________________

Application Errors:

June 2006 System Volume Information \ eatalog.wci is corrupt

July 2006 Classes registry file corrupt

July 2006 msvcrt.dll - bpgame.exe - McAfee

Aug 2006 Outlook MOF

__________________________


Other logs:  Logs saved (Windows format):
______________________________________________

BootTime with hard connect 3 min


____________________________________




Specs of the system:
Display Adapter      Mobility Radeon 7500
Conexant D480 MDC V.92 Modem
Sierra Wireless AirCard 3G Modem
Standard Modem
Multifunction adapters


- Sierra Wireless AirCard 3G
   adapter parent
Network Adapters
- 1394 Net adapter
- Broadcom 440x 10/100 Integrated Controller
- Sierra Wireless Adapter

PCMCIA adapters
- Texas Instruments PCI -4510 cardbus controller

IRQ:
11 – Sierra Wireless 3G Adapter
11 – Sierra Wireless Air Card 3G Modem
10 – Conexant D480 MDC V.92 Modem


____________________________________
Add and Remove
Programs:

Tried to remove:
888Bar
error while uninstall:  New Starter Uninstall:  Completed
Could not load C:\Program Files\Common Files\ {3CA20FSF-OAE5-1033-0428-030211050001}\888Bar.dll
Completed

Adobe Downloader Manager 2.0 (Remove Only)
1/13/2005

Adobe Reader 7.05
1/13/2005

AIM 6.0
12/15/2006


AOL Instant Messenger
11/12/2006

AOL Toolbar 2.0


Cingular Communication Manager
Publisher: Cingular
Version:  5.2.19.0
Cust Supp 1-800-331-0500

Cowabanga by OIN
12/11/2006

Dataware
DAO

Dell Support
2/11/206

Direct X Media Runtime 5.1

HP Document Viewer

Live Update 2.7 / Symantec Corp
1/29/2007
Version 2.7.39.0

McAfee Security Center
6/1/2003

McAfee Virus Scanner Online
6/1/2003

Microsoft Encarta

Microsoft Money 2003
6/1/2003

Microsoft Money 2003 System Pack
6/1/2003

Microsoft PowerPoint Viewer 97
6/11/2003




Microsoft Streets and Trips 2002
6/1/2003

Microsoft Works Setup Launcher
6/1/2003

Microsoft Works 7.0
6/1/2003

Microsoft Works 7.0 Suite Addin
6/1/2003

___________________________________
exported Reg C:\Windows\System32\9FEB07.reg

___________________________________

created Windows Restore Point – appeared to be effective.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

***OIN Installations EULA, AVG Antispyware scan report and Hijackthis log removed by rpggamergirl PE***

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

3 hours trying to use Norton SystemWorks

continuous shutdowns

________________________________

Started Install XP SP2 from CD
2 failures -- over heat
_______________________________

cooled with upside down compressed air

______________________________

Installed XP SP2

______________________________

Posted this at Experts Exchange

I would like to install Symantec Norton SystemWorks 2006 (don't have original software).  I have partially removed a corrupt version of 2006.

I'm working on a Windows XP Pro Dell laptop.  I had the problem where I couldn't connect on all medias.  I used experts-exchange suggested http://www.snapfiles.com/get/winsockxpfix.html and it worked

FANTASTICALLY!  So I not longer had the 'TCP/IP is not disabled.  Disable email scanning in your Symantec product options or install TCP/IP 1003, 3  

http://www.symantec.com/techsupp/servlet/ProductMessages?module=1003&error=3&language=English&product=CC&version=104.0.1.17

I initially thought my problem was tied to a corrupt Symantec Norton SystemWorks 2006.  There were all kinds of problems and would not remove completely. I got desparate and tried to hack Symantec and Norton

out of the registry (backed up) and pick through the directory.  But I get the same problems.  I am trying to reistall the app.  I tried Symantecs' 'NortonRemoval Tool'.  The problem seems to be the Goback.  But even

though the GoBack.rxc is missing, I did get a success restore out of it after a bluescreen scare (use of Webroot Spysweeper (removing 77 instances; latest being 'webhancer' -- a proposed adware that changes reg

and runs in memory).  (may be the initial problem -- December 14, 2006)

Upon bootup, I get Norton 2006 Corrupt - A necessary file could not be loaded: NAVPro   1002, 1  --- which is the same problem as 18 hours ago.  

http://www.symantec.com/techsupp/servlet/ProductMessages?module=1002&error=1&language=English&product=CC&version=104.0.1.17 it puts me back to the removal tool.

__________________________


Deleted Temporary Inet files  
Deleted Trash
Disk Defrag
Removed McAfee -- long process
Removed Symantec Utilities - again

__________________

Posted again:
This is my first time using this.  I guess I need to ask now what?  I have a concern.  The kernel is in my best guess still unstable.  I do not wish to remove the GoBack since it really was able to recover the box nicely.  

I would just like to be able to install the Utilities and the Antivirus, if possible.  Since webhancer, I suspect the laptop as being a bot.  Let's discuss further....I think may be dealing with ADS (alternate data streams)

http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx in that the HD has 17GB available, yet when trying to choose additional features of Norton SystemWorks, it shows that it will take approx 300MB

to install but to install on 0 (zero) K.  I need to return this box to the user as soon as possible.

_________________

I'm going to try to boot to a linux antivirus and removal tool -- Helix and clean in this fashion.  I will keep you updated.  However, I'd like to hear your direction.

_______________

This didn't work.  Mounted drives but saw 0 files.  Received WARNING:  Hard link count is wrong for /:  This may be a bug in your filesystem driver.  I have downloaded the free version of AVG Anti-Spyware.  So far

Adwares/Malwares found quarantined and/or deleted.  Next I'll run there AV.  Still waiting on hearing your approach.

____________________

SAFE MODE

________________

msconfig

repeats

___________

pic through files -- Program Files\Common Files and registry
LiveUpdate
CheckIt
Norton
Symantec

___________

Finally Norton Removal Tool and remove Norton

________________

Installed / ran CheckIt

_______________

System Passes All

_______________

4 attempts to install Norton SystemWorks
CPU maxed ---- overheat
________________________-

ALL USER DATA BACKED UP TO REMOVABLE MEDIA

_________________________

Installed on its side with fan blowing behind
block of ice to cool to push into intake of laptop

Norton Installed

___________________

There's another 10 pages, but you get the idea:
willing to answer any questions.

________________

webhancer
purityscan
savenow
targetsaver
go.com
zango
findwhat
2o7net

Thank you.

There comes a point when it makes more sense to rebuild the system than to keep troubleshooting.  I think you are well past that point.
There may be so many corrupted files by now that the system may never run right.
Backup your data and scrub it well using many scanners and rebuild the system.

Yes SudburyComputer,

I agree, but I can't stop now--I'm learning far too much.  I'm not getting any money for this box; it was just a really good way to get back into a sideline business -- and back into geeking after 10 years.  The user doesn't seem to have any of the original software either, so it would kind of be a hassel to use mine, activate, download, etc, etc, etc, this is much more fun.

rpggamergirl,

You know your stuff!!!!  LOTTA ROOT KIT!!!  Wish I could give you 5,000 points!!  I believe this to be a kernel-mode rootkit; hence the former found KERNEL32.DLL corruption; and the unavailability with HELIX to view

drive partions.  Mounted drives but saw 0 files.  Received WARNING:  Hard link count is wrong for /:  This may be a bug in your filesystem driver.

HERE IS THE ANSWER FOR THE REDIRECT:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG  -- Rootkit Revealer told me.
Data Mismatch between Windows AP and raw hive data  .....It appears to be the last piece (and the most cryptic...no pun intended--well maybe).

Now if I could just get the binary key; or learn how to import one from another computer.....with it being a crypto key, could I just copy it? I wonder.....

If not:  It's OK  the msn is a ligitimate site.  I loaded Opera:  Version 9.10 Build 8679  Platform Win32 System Windows XP Java Sun Java Runtime Environment version 1.5
XHTML+Voice Plug-in not loaded for the main browser to ensure that http://go.microsoft.com/fwlink/?LinkId=69157  does infact redirect to www.msn.com; and it does.


Thank you, thank you....this is one of the cleanest-fastest-boxes that I have ever used.



I used the OIN uninstaller http://www.outerinfo.com/OiUninstaller.exe

I uninstalled Viewpoints Manager Add/Remove

I used https://europe.f-secure.com/blacklight/try.shtml  ---- AWESOME!

I applied all the reg fixes you stated.
Again manually edited HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main; where it shows the redirect; made sure no tools running; made sure no firewall running; changed Inet Options and it

changed back

I removed C:\Program Files\Common Files\ {3CA20FSF-OAE5-1033-0428-030211050001}\888Bar.dll

Sad news:  combofix has been desupported by the author
>>The tool, ComboFix has been temporarily withdrawn. The author discovered a rootkit infection that will intefere with ComboFix's running. This will cause Combofix to be UNSAFE FOR USE on your machine.
Even if you manage to find a mirror for the tool, PLEASE DO NOT RUN THIS TOOL  Apologies for any inconvenience caused <<

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
***Rootkit Revealer's and Hijackthis' logs removed by rpggamergirl, PE***
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

DONE.  THANK YOU.

Sorry about the combofix, yeah it is now withdrawn because if this rootkit -->qwertybot.exe
IF present in the system ,it will caused combofix to malfunction,(deletes all the files in the systemdrive, terrible outcome)

According to sUBs(author), the rootkit involved is relatively easy to disinfect. Reboot to safe mode & HJT fix the O4 entry below:

HKLM\..\Run - [qwertybot.exe] - C:\Windows\system32\qwertybot.exe

Delete files:
C:\Windows\system32\qwertybot.exe
C:\Windows\system32\comdlg77.dll

But, even if the "qwertybot.exe" is not present, some other rootkits that comes along might do the same thing, so the author withdrawn the tool. The file in the link now is just a dummy file.


RKR log, well those in the System volume information is easy to remove by turning off System Restore and rebooting.
Those in Norton's protected bin, if I were you I would turn it off or empty it to recover the lost space. Norton's bin do take up a lot of space, everything goes in there, even the files from the windows recycle bin goes in there, it's the destination of all deleted files.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG <-- this usually a false positive, it shows up sometimes in RKR, part of the internal encryption used by Microsoft Windows, and the "Seed" variable under that key is heavily protected.


Hijackthis log looks good, you can fix these entries below, these are just registry clutters:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Now that this question is closed, we can delete the logs so people don't have to scroll much.
Is the pc okay now?

Thanks for the points!

rpggamergirl,

Yes, please delete the logs.  I tried to sanitize but I missed.  I was loosing sleep over that last night/this morning.  I would request you keep the first part of my stuff only:
i.e., Tools used:

WinsockxpFix.exe
Norton_Removal_Tool
20070215-033-x86 NAV defs forced
Norton SystemWorks 2006
avg75free_441a944.exe
avgas-setup-7.5.0.50
CheckIt
cports.zip from nirsoft.net
xp_exe_fix.zip
Helix fprot antivirus
IE7-WindowsXP-x86-enu.exe
Webroot SpySweeper
mrublastersetup.exe
regscanner from nirsoft.net
spywareblastersetup351.exe
myuninst.zip
Registry Mechanic
SuperAntiSpyware.exe
alternativ hijackthis

___________________________________-
Found throughout:
Trojan LuckBar888
Adware Softomate
Adware Click Spring
Adware Drive Clean
Trojan Dropper.Dollar
PurityScan
Webhancer
SaveNow
Not-A-Virus
Adware New Dot Net
Trojan Downloader
Trojan Dropper.Small
Adware Why PPC
Tracking Cookie Clickbank
Tracking Cookie TribalFusion
Tracking Cookie Findwhat
Adware Media Ticket
Adware Command
Adware Maxfiles

_________________________________

User liked viewing porn sites
User did not keep service packs and hot fixes up to date
User accepted that Norton Antivirus had stopped working
User had no firewall
User had no Anti Spyware

___________________________________

and the last comment prior to this, if I can pick and choose what stays and goes.

__________________________


I don't know the site policy, I'm new to this.  Again thanks, and I will put the last pieces provided in place.