
can't get rid of captain morgan's casino hjt log included

Discussion in 'Malware and Virus Removal Archive' started by abellylover, 2004/12/29.

Thread Status:
Not open for further replies.
  1. 2004/12/29
    abellylover

    abellylover Inactive Thread Starter

    Joined:
    2004/12/29
    Messages:
    1
    Likes Received:
    0
    Every time I start up my computer Captain Morgan's Casino shows up on my desktop. I delete it, it comes back. When I have used Norton I don't know which file it is I need to delete; I try the ones that they tell me are bad, but when I go to the registry to delete them, it is unable to. I have the HJT log; if someone can help I would love it!! :)


    Logfile of HijackThis v1.99.0
    Scan saved at 12:13:19 PM, on 12/28/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\spupdsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\spnpinst.exe
    C:\WINDOWS\system32\Sysocmgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\lftif11n179m.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Keep\hjt\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\v5tt.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe "
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [ntmarta882s.exe] "C:\WINDOWS\System32\ntmarta882s.exe "
    O4 - HKCU\..\Run: [clbcatq639r.exe] "C:\WINDOWS\System32\clbcatq639r.exe "
    O4 - HKCU\..\Run: [IYUV_32348f.exe] "C:\WINDOWS\System32\IYUV_32348f.exe "
    O4 - HKCU\..\Run: [lftif11n179m.exe] "C:\WINDOWS\System32\lftif11n179m.exe "
    O4 - HKCU\..\Run: [TAPI475d.exe] "C:\WINDOWS\System32\TAPI475d.exe "
    O4 - HKCU\..\Run: [UNIPLAT345g.exe] "C:\WINDOWS\System32\UNIPLAT345g.exe "
    O4 - HKCU\..\Run: [CNETCFG1055t.exe] "C:\WINDOWS\system32\CNETCFG1055t.exe "
    O4 - HKCU\..\Run: [jit450f.exe] "C:\WINDOWS\system32\jit450f.exe "
    O4 - HKCU\..\Run: [KBDBLR587h.exe] "C:\WINDOWS\system32\KBDBLR587h.exe "
    O4 - HKCU\..\Run: [seclogon928s.exe] "C:\WINDOWS\system32\seclogon928s.exe "
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
    O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {6CCF0BED-7963-49ED-BD4E-B60C06B35780} - C:\WINDOWS\System32\dpvacm937d.dll (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1439/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E4361339-A745-4839-A77C-61F271A521B9}: NameServer = 216.220.30.1 216.220.0.1
    O20 - AppInit_DLLs: C:\WINDOWS\system32\CDMODEM323h.dll
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - (no file)
     
  2. 2004/12/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    If you haven't already run Ad-Aware SE and Spybot Search and Destroy to remove spyware, look in Quicklinks in my signature and download, update, and run each of them. Let them remove what they find. Some of the listed items below may no longer exist after that, which is good.

    With all windows closed (including Windows Explorer and any browsers), run HijackThis again, scan, and remove these lines:

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\SYSTEM32\v5tt.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ntmarta882s.exe] "C:\WINDOWS\System32\ntmarta882s.exe "
    O4 - HKCU\..\Run: [clbcatq639r.exe] "C:\WINDOWS\System32\clbcatq639r.exe "
    O4 - HKCU\..\Run: [IYUV_32348f.exe] "C:\WINDOWS\System32\IYUV_32348f.exe "
    O4 - HKCU\..\Run: [lftif11n179m.exe] "C:\WINDOWS\System32\lftif11n179m.exe "
    O4 - HKCU\..\Run: [TAPI475d.exe] "C:\WINDOWS\System32\TAPI475d.exe "
    O4 - HKCU\..\Run: [UNIPLAT345g.exe] "C:\WINDOWS\System32\UNIPLAT345g.exe "
    O4 - HKCU\..\Run: [CNETCFG1055t.exe] "C:\WINDOWS\system32\CNETCFG1055t.exe "
    O4 - HKCU\..\Run: [jit450f.exe] "C:\WINDOWS\system32\jit450f.exe "
    O4 - HKCU\..\Run: [KBDBLR587h.exe] "C:\WINDOWS\system32\KBDBLR587h.exe "
    O4 - HKCU\..\Run: [seclogon928s.exe] "C:\WINDOWS\system32\seclogon928s.exe "
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    ** note that this should be showing as a real.com item so it's legit but busted
    O9 - Extra button: (no name) - {6CCF0BED-7963-49ED-BD4E-B60C06B35780} - C:\WINDOWS\System32\dpvacm937d.dll (HKCU)
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-17.cab
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/..._1/axofupld.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by18fd.bay18.hotmail.msn.com...ex/HMAtchmt.ocx
    ** note that the O16 items may all be legit, but any that are needed will be automatically replaced at the next visit to a site that needs them, so it is safer to delete them

    O20 - AppInit_DLLs: C:\WINDOWS\system32\CDMODEM323h.dll
    ** note - not positive about this one. If you recognize the device name then keep it. Otherwise, delete.

    Open Windows Explorer, set it to show hidden files, and delete any of these that you find:

    C:\WINDOWS\System32\ntmarta882s.exe
    C:\WINDOWS\System32\clbcatq639r.exe
    C:\WINDOWS\System32\IYUV_32348f.exe
    C:\WINDOWS\System32\lftif11n179m.exe
    C:\WINDOWS\System32\TAPI475d.exe
    C:\WINDOWS\System32\UNIPLAT345g.exe
    C:\WINDOWS\system32\CNETCFG1055t.exe
    C:\WINDOWS\system32\jit450f.exe
    C:\WINDOWS\system32\KBDBLR587h.exe
    C:\WINDOWS\system32\seclogon928s.exe

    C:\WINDOWS\system32\CDMODEM323h.dll
    ** note: if you removed the O20 entry then delete this file. Otherwise, leave it.

    Turn off system restore, reboot, turn system restore back on.

    Generate another HJT log and post it. Need to make sure none of the junk is being reloaded from somewhere.
     
    Newt,
    #2
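The entries Newt singles out share one tell: each is a file in System32 whose name looks like a Windows component with a few digits and a single letter bolted on (ntmarta882s.exe, clbcatq639r.exe, dpvacm937d.dll, CDMODEM323h.dll), registered under HKCU Run, as an IE extra button, or in AppInit_DLLs. The script below, an added example that is not part of this thread and not HijackThis code, parses HJT log lines and flags entries matching that pattern so a helper can triage a pasted log instead of reading it by eye. The naming heuristic is an assumption drawn from this log, not a general rule, and the sample lines are copied from the log posted above (with three vendor entries kept for contrast).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the HijackThis log posted in this thread.
# The first three and the last are known vendor entries kept for contrast;
# the rest are among the ones the reply tells the poster to remove.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ntmarta882s.exe] "C:\WINDOWS\System32\ntmarta882s.exe "
O4 - HKCU\..\Run: [IYUV_32348f.exe] "C:\WINDOWS\System32\IYUV_32348f.exe "
O4 - HKCU\..\Run: [lftif11n179m.exe] "C:\WINDOWS\System32\lftif11n179m.exe "
O9 - Extra button: (no name) - {6CCF0BED-7963-49ED-BD4E-B60C06B35780} - C:\WINDOWS\System32\dpvacm937d.dll (HKCU)
O20 - AppInit_DLLs: C:\WINDOWS\system32\CDMODEM323h.dll
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "Onn - rest" (also Rnn); everything after the item code is parsed per item.
LINE_RE = re.compile(r'^(?P<code>[A-Z]\d+) - (?P<rest>.*)$')

# First Windows module path in the item: drive letter, backslash path, .exe/.dll,
# terminated by a quote, whitespace or end of line (paths may contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)(?=["\s]|$)', re.IGNORECASE)

# Heuristic (assumption drawn from this log, not a HijackThis rule): the dropped
# files use a Windows-looking base name followed by two or more digits and one
# trailing lower-case letter, e.g. ntmarta882s, dpvacm937d, CDMODEM323h.
RANDOMISED_STEM_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*\d{2,}[a-z]$')
SYSTEM32_RE = re.compile(r'^[A-Za-z]:\\windows\\system32\\', re.IGNORECASE)


@dataclass
class Finding:
    code: str      # HijackThis item type, e.g. O4, O9, O20
    path: str      # module the entry loads
    reason: str    # why it was flagged


def is_randomised_system_name(path: str) -> bool:
    """True when the file sits in System32 and its stem fits the suffix pattern."""
    stem = ntpath.splitext(ntpath.basename(path))[0]   # ntpath handles '\' on any OS
    return bool(RANDOMISED_STEM_RE.match(stem)) and bool(SYSTEM32_RE.match(path))


def triage(log_text: str) -> List[Finding]:
    """Return the autostart/extension items in an HJT log that deserve a look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.group('code'), m.group('rest')
        pm = PATH_RE.search(rest)
        if not pm:
            continue   # e.g. a rundll32 invocation with no full path: review by hand
        path = pm.group(0)
        reasons = []
        if is_randomised_system_name(path):
            reasons.append('System32 file with Windows-like name plus digits+letter suffix')
        if code == 'O20':
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so an unrecognised entry here is persistence worth verifying.
            reasons.append('AppInit_DLLs entry (loaded into every user32 process)')
        if reasons:
            findings.append(Finding(code, path, '; '.join(reasons)))
    return findings


def flagged_paths(log_text: str) -> List[str]:
    return [f.path for f in triage(log_text)]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.code:<4} {f.path:<48} {f.reason}')
```

The name heuristic only narrows the list; the deciding checks stay the ones the reply implies: does the file exist, is it signed or recognised by the vendor, and does it reappear after removal (which is why a second log is requested).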
