
Please Help with Hijack Log

Discussion in 'Security and Privacy' started by taipan2000, 2004/06/09.

Thread Status:
Not open for further replies.
  1. 2004/06/09, taipan2000 (Thread Starter):
    My Mum's computer has started to play up, so I took a look at it. The desktop picture has changed, and when I go to change it nothing happens. The picture is an HTML file and it is linked to Internet Explorer. I ran Spybot and got rid of lots of spyware. So can anyone help me with this Hijack log, because the problem is still there?

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\program files\u-storage tools2.1\ustorage.exe
    C:\WINDOWS\SOINTGR.EXE
    C:\WINDOWS\System32\S3apphk.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Janette\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.com/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: Mini Jeeves - {4E7D0B40-F575-4A29-9710-4675EAF4686A} - C:\WINDOWS\System32\minijvAB.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [UStorage] c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Launcher] C:\Documents and Settings\Janette\Local Settings\Temp\~WKS99TEMP\LAUNCHER.EXE /P
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62 "
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\The Print Shop\PSRemind.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4C2C81B4-91DA-494D-8DBF-A7846BA07073} (Mini Jeeves Installer Control) - http://www.ask.co.uk/toolbar/download/MiniJv-inst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37522.2747106481
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. 2004/06/09, noahdfear:
    While I'm working on a response, right click on desktop>arrange icons and see if lock web items is checked. If so, uncheck it, then try changing it.

    EDIT
    You also cut off the top portion of your log. It's important too. Please copy and post it. It should look like the text below.


    Logfile of HijackThis v1.97.7
    Scan saved at **:**:**, on **/**/**
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
     
    Last edited: 2004/06/09

  4. 2004/06/09, taipan2000 (Thread Starter):
    Logfile of HijackThis v1.97.7
    Scan saved at 17:15:08, on 09/06/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
     
  5. 2004/06/09, noahdfear:
    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder. That will keep backup files from scattering all over the desktop.

    Go to add/remove programs and uninstall New.net if there. If not there, use procedure #4 from here to remove it.

    Reboot.

    Scan again and place a check next to the following entries. Close ALL other windows and click fix.


    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Launcher] C:\Documents and Settings\Janette\Local Settings\Temp\~WKS99TEMP\LAUNCHER.EXE /P
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart.

    Now in safe mode, open C: and look for description.txt and license.txt. Open them. Delete if there's any mention of Delfin.
    Open C:\WINDOWS\system32 and delete the folder pcs.
    Open C:\Program Files and delete the folders Delfin and Incredifind if present.
    Open C:\Program Files\Common Files and delete the folders updater and dpi.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, you can re-enable system restore. Then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.
    Run another HijackThis scan and post the log.
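    As an added example (not code from this thread, from HijackThis or from its author), a small Python triage script that parses HijackThis entry lines and flags the patterns the fix list above targets: "(no file)" orphans, O1 hosts overrides, O4 autostarts launched from a Temp directory, O10 Winsock hijacks, and a CLSID reused across entry types (as IncrediFind is, under R3 and O2). The sample log is a constructed subset of the lines posted in this thread, with the two hosts entries split onto separate lines.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the HijackThis 1.97 entry lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Launcher] C:\Documents and Settings\Janette\Local Settings\Temp\~WKS99TEMP\LAUNCHER.EXE /P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O10 - Hijacked Internet access by New.Net
"""

# Every entry line starts with its section code (R0..R3, O1..O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

Finding = namedtuple("Finding", "kind reason line")  # section code, why flagged, original line

def parse_entries(log):
    """Yield (kind, body, line) for each entry line; the header and process list are skipped."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line

def triage(log):
    """Flag the entry patterns the fix list in this thread targets; benign entries pass through."""
    findings = []
    clsid_seen = {}  # lower-cased CLSID -> section it was first registered under
    for kind, body, line in parse_entries(log):
        if "(no file)" in body:
            findings.append(Finding(kind, "entry points to a file that no longer exists (orphaned hook)", line))
        if kind == "O1":
            findings.append(Finding(kind, "hosts file override pins a hostname to a fixed IP", line))
        if kind == "O4" and re.search(r"\\Temp\\", body, re.IGNORECASE):
            findings.append(Finding(kind, "autostart launches an executable from a Temp directory", line))
        if kind == "O10":
            findings.append(Finding(kind, "Winsock LSP chain modified; uninstall the LSP rather than deleting its DLL", line))
        for clsid in CLSID_RE.findall(body):
            key = clsid.lower()
            if key in clsid_seen and clsid_seen[key] != kind:
                findings.append(Finding(kind, f"same CLSID already registered under {clsid_seen[key]}", line))
            clsid_seen.setdefault(key, kind)
    return findings
```

    Entries such as the Norton BHO and ccApp autostart pass through untouched; the script narrows a long log to the lines worth a manual look, it does not decide what to fix.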
     
  6. 2004/06/09, taipan2000 (Thread Starter):
    Did what you suggested, but the HTML desktop picture is still there. It is an actual HTML page; it is an ad talking about how people can track your files and you need to protect yourself. I can copy the text from it, as well as select items on the desktop.

    There is a file on the desktop which my Mum doesn't recognise; it is called andy1. I right-clicked it and chose Find Target, and this is what it says:

    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.casinopalazzo.com/index.php?sourceid=100873

    The desktop picture can be found in windows/web/destop.html. I have tried deleting the file, but then all I get is a flashing desktop.

    I have yet to update windows.
     
  7. 2004/06/09, noahdfear:
    Install Move-on-Boot. You will have a new right click option for files. Use it on the destop.html and andy1.
     
  8. 2004/06/09, taipan2000 (Thread Starter):
    I deleted both, but now I still have a white square flashing where the Ad used to be.
     
  9. 2004/06/09, noahdfear:
    Have you tried changing the desktop yet? Double-check the lock web items selection. Log off and back on. What else is in that web folder?
     
  10. 2004/06/09, taipan2000 (Thread Starter):
    Yeah, I have tried all that. I could post a screenshot if you like?
     
  11. 2004/06/09, noahdfear:
    Sure. :)
     
  12. 2004/06/09, taipan2000 (Thread Starter):
  13. 2004/06/09, noahdfear:
    How about the contents of the web folder?
     
  14. 2004/06/09, taipan2000 (Thread Starter):
    There are two folders, one named wallpapers and the other printers. There is also the safe mode HTML template. However, the rest of the folder is made up of GIFs. Looking at them, they are from the ad that was displayed. I have tried deleting them, but it doesn't make a difference.
     
  15. 2004/06/09, noahdfear:
    Go ahead and do the cleanups for now. In addition to what I recommended, download, install and update Ad-aware from my sig. Configure it for a custom full scan. Run it in safe mode before the disk cleanup step. Delete all it finds.
     
  16. 2004/06/09, taipan2000 (Thread Starter):
    Deleted 49 things after the Ad-aware scan, but the problem is still there.
     
  17. 2004/06/11, noahdfear:
    Were you able to delete them? Look in the wallpaper folder for signs of it too. What happens if you right click on that area? Do you get a properties option? Use RegSeeker's find function to search for destop. Check for files too. Delete all. Make sure you have backup checked just in case. Search for the andy1 too, although I think it's unrelated to the ad. Do you remember any of the text, like a certain product being advertised, or company? Maybe do a search for that too.
     
  18. 2004/06/12, taipan2000 (Thread Starter):
    It was a web page, no doubt about it; I can even view the source code. I can't remember the site name, but it was for a firewall/internet security firm. The page is still linked to the web folder even though the file no longer exists. I'll do a system scan and try and find it.
     