Can't get Regedit to open, need help!

Posted: 2005-03-17 06:41pm
by Joe
The shit my parents do to the family computer fucking baffles me. I come home every few months from school and each time it's more fucked up than the last. I want to just wipe all this fucking shit out and start from scratch, but I'd like to burn some stuff onto CDs first. Problem is, windows won't load the drivers I need to burn CDs. The MS Support website does offer a guide on how to fix this problem, but I need to get into Regedit to do so and the computer WON'T FUCKING LET ME - every time I try and open the application, it opens briefly for like a second and then closes. I think there may be a virus on the machine, because there's tons of shit I can't do - system restore is out, because I've tried restoring it five times from five different restore points and each time I have gotten a failure message. I mean, this computer is a disaster in ways I haven't even discovered yet. So can anyone please help me?

Posted: 2005-03-17 06:46pm
by Joe
Went ahead and ran HijackThis, to see if it would help (yes, I know it's horrible, but remember this is not my computer):


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\wins32nt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\AMD64.EXE
C:\WINDOWS\system32\SINSTANTM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\sixtypopsix.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system32\MMTASK9.EXE
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WhenUSearch\whse.exe
C:\windows\system32\rk.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/s/s.dll?spage ... only=y&ck=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe wins32.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kqyak] C:\Program Files\nvln.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Winsup32] win32msd.exe
O4 - HKLM\..\Run: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Winnt32msd] wins32nt.exe
O4 - HKLM\..\Run: [Winsup] wins32.exe
O4 - HKLM\..\Run: [Winsock2 driver] MMTASK9.EXE
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\RunOnce: [Winnt32msd] wins32nt.exe
O4 - HKCU\..\RunOnce: [Winsup] wins32.exe
O4 - HKCU\..\RunOnce: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKCU\..\RunOnce: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] MMTASK9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/defaul ... oader1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193b85bf864 ... xIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/defaul ... der_v6.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B38E9264-6AA6-4CD1-8F62-1F4C73D18AB1}: NameServer = 205.152.37.23 205.152.144.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Posted: 2005-03-17 07:50pm
by Praxis
Joe wrote: Went ahead and ran HijackThis, to see if it would help (yes, I know it's horrible, but remember this is not my computer):


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\wins32nt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\AMD64.EXE
C:\WINDOWS\system32\SINSTANTM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\sixtypopsix.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system32\MMTASK9.EXE
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WhenUSearch\whse.exe
C:\windows\system32\rk.exe
C:\HijackThis\HijackThis.exe
Okay, I'll tell you the stuff that I know isn't important. Kill them and see if it helps.

C:\Program Files\WhenUSearch\whse.exe

WhenUSearch? Sounds like Adware.

C:\Program Files\BullsEye Network\bin\bargains.exe

BullsEye Network? Bargains? Sounds like Adware.

C:\windows\system32\rk.exe

I have no such file in my Windows folder. (Running XP)
Unless you have a version of Windows that has this file which I've never heard of, kill it. It's probably a virus.

Actually, just googled it. It's definitely spyware.

C:\PROGRA~1\Save\Save.exe

Sounds like Adware.


C:\Program Files\Media Access\MediaAccK.exe

Media Accelerator K? Sounds like spyware or adware, unless it's something of yours.

C:\WINDOWS\system32\vmss\vmss.exe
http://www.liutilities.com/products/win ... rary/vmss/

Definite adware.

C:\WINDOWS\system32\MMTASK9.EXE
No clue what this is.

C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
http://www.liutilities.com/products/win ... ry/wsxsvc/
Adware.

C:\WINDOWS\system32\AMD64.EXE
Are they on an Athlon 64? If they aren't, kill this. If they are, I don't know if it's spyware or not.

C:\WINDOWS\sixtypopsix.exe
Spyware.

Things I am not sure what they are and recommend you google for and kill:
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\wins32nt.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SINSTANTM.EXE

Unless these are things you use and that you or they installed deliberately, I don't have any of them running in my XP task manager. wins32nt sounds like a good fake system name for a virus.



C:\Program Files\Internet Optimizer\actalert.exe

Are you deliberately running an 'internet optimizer'?


Dang, looks like a complete mess :(

Posted: 2005-03-17 07:57pm
by Datana
No disrespect intended, but I wonder if your parents clicked on every flashing or shiny thing that popped up and opened every attachment. Worms, viruses, trojans, spyware, adware, you name it, it's here. Not the worst box I've worked on, but it's near the top. At least it doesn't have VX2.

In any case, your Winsock stack has been thoroughly infested -- if you clean it out with HijackThis!, you will likely break Internet connectivity entirely. Download LSPFix and keep it on hand for after you've run HJT!; use it to purge any mention of the programs that are in the kill list I'm about to give, and it should restore Internet access.

First, the running processes. Kill these either via Task Manager or via a program like Prcview if spyware is preventing you from opening the Task Manager.
Processes wrote: C:\WINDOWS\SYSTEM32\wins32nt.exe
C:\WINDOWS\system32\AMD64.EXE
C:\WINDOWS\system32\SINSTANTM.EXE
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\sixtypopsix.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\WhenUSearch\Search.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\system32\MMTASK9.EXE
C:\PROGRA~1\Save\Save.exe
C:\Program Files\WhenUSearch\whse.exe
C:\windows\system32\rk.exe
Now, killing the infested Registry entries via HJT!:
Killable wrote: R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe wins32.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Kqyak] C:\Program Files\nvln.exe
O4 - HKLM\..\Run: [Winsup32] win32msd.exe
O4 - HKLM\..\Run: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Winnt32msd] wins32nt.exe
O4 - HKLM\..\Run: [Winsup] wins32.exe
O4 - HKLM\..\Run: [Winsock2 driver] MMTASK9.EXE
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe"
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKCU\..\RunOnce: [Winnt32msd] wins32nt.exe
O4 - HKCU\..\RunOnce: [Winsup] wins32.exe
O4 - HKCU\..\RunOnce: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKCU\..\RunOnce: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] MMTASK9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/defaul ... oader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193b85bf864 ... xIE601.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
After this, run LSPFix if you're getting DLL errors, and it should be workable. I'd say that you should figuratively kill it with fire after you've gotten what you need off the system, however, as there's rarely a full recovery from something this bad without a full format.

Suggestions on what you can do when you reinstall; I get the sense that you already know much of this, but just in case:
- Download and have SP2 (or whatever the latest service pack is for your parents' OS), an antivirus program, and a firewall on hand for when you reinstall; do not attach the network cable until all of these are in place.
- Set it up how you want it with the default Administrator account (along with autoinstallation of patches), then force Windows to log in using a user-level account on startup (which can be done with TweakUI). This will prevent much of the worst stuff from taking hold again (trojans will only be successful if run by an administrative account, as you well know).
- Switch the default browser over to Firefox (adding whatever extensions you want, like Adblock and a decent filter set, Optimoz, Tabbrowser Extensions, etc.), and delete links to iexplore.exe. Of course, I've seen people go hunting through Explorer to find IE again, so this might only be partially effective.
- Install Java, Flash, or whatever else is needed first, then tell your parents to explicitly deny everything that tries to install via the Internet after that.
- Install IESPYAD to reduce access to many spyware servers if IE is accessed anyway.
- CD writing software like Nero will require that a service be installed to grant burning rights to non-admins.

Doing this, I've managed to keep my parents' machines free of crud between visits, and saved myself a good deal of aggravation.

Posted: 2005-03-17 08:02pm
by Shadowhawk
Yup, the system is heavily infected.
Remove:
Joe wrote: Went ahead and ran HijackThis, to see if it would help (yes, I know it's horrible, but remember this is not my computer):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe wins32.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\Program Files\WhenUSearch\search.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Kqyak] C:\Program Files\nvln.exe
O4 - HKLM\..\Run: [Winsup32] win32msd.exe
O4 - HKLM\..\Run: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKLM\..\Run: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Winnt32msd] wins32nt.exe
O4 - HKLM\..\Run: [Winsup] wins32.exe
O4 - HKLM\..\Run: [Winsock2 driver] MMTASK9.EXE
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [WhenUSearchWHSE] "C:\Program Files\WhenUSearch\whse.exe"
O4 - HKLM\..\Run: [OSS] c:\windows\system32\rk.exe -boot
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "C:\Program Files\Tweak-XP Pro 4\autostart.exe" (Frankly, if they're as computer-ignorant as they seem, I don't think they should even have this)
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "C:\Program Files\Advanced System Optimizer\adblock.exe" (Yeah, I'm sure it blocks popups. By covering them with its own)
O4 - HKCU\..\RunOnce: [Winnt32msd] wins32nt.exe
O4 - HKCU\..\RunOnce: [Winsup] wins32.exe
O4 - HKCU\..\RunOnce: [AMD 64 Bit Processor] AMD64.EXE
O4 - HKCU\..\RunOnce: [Scuba Instant Messenger] SINSTANTM.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] MMTASK9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe ... .0.0.8.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/defaul ... oader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/193b85bf864 ... xIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/defaul ... der_v6.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B38E9264-6AA6-4CD1-8F62-1F4C73D18AB1}: NameServer = 205.152.37.23 205.152.144.23 ONLY REMOVE THIS LINE IF THESE ARE NOT YOUR ISP's DNS SERVERS!
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
Note, this computer has a NEWDOTNET infection. This can fuck your internet access if it's not removed properly. Go download LSPFix to fix it. I believe later versions of Spybot can fix NEWDOTNET infections on its own, but it's not set by default to remove it!

There's a bunch of other shit I'd remove, too, but only because I'm intolerant of shit that integrates itself into your system, like all those fucking MSN Zone games.
I also remove all the shit the Yahoo companion installs, because, well, I don't like it.
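The replies above (Datana's kill list, Shadowhawk's O17 caveat) triage the HijackThis log by entry class: a system.ini Shell= line that starts anything besides explorer.exe, bare executable names under Run/RunOnce, O10 Winsock hijacks that need LSPFix afterwards, Trusted Zone additions, ActiveX downloads from those same hosts, and a NameServer override that is only suspect if it is not the ISP's. The script below is an added example, not anything posted in the thread or part of HijackThis itself; it encodes those rules of thumb as a parser over HJT entry lines, with a constructed sample taken from the log quoted above, and splits results into "remove" (clear-cut per the thread) and "review" (confirm first).

```python
"""Triage heuristics for a HijackThis (HJT) log, modelled on how this thread's
replies read the log. The sample below is constructed from the quoted log."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "remove": clear-cut per the thread; "review": confirm before acting
    code: str      # HJT entry class (F2, O4, O10, ...)
    reason: str
    line: str


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[[^\]]+\] (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\explorer.exe
F2 - REG:system.ini: Shell=explorer.exe wins32.exe
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Winnt32msd] wins32nt.exe
O4 - HKCU\..\RunOnce: [Winnt32msd] wins32nt.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B38E9264-6AA6-4CD1-8F62-1F4C73D18AB1}: NameServer = 205.152.37.23 205.152.144.23
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""


def parse(log):
    """Yield (code, body, raw) for each HJT entry line; the process list and blanks are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def launch_target(value):
    """First executable token of a Run value, unquoted and lower-cased."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0].lower()
    return value.split()[0].lower() if value else ""


def triage(log):
    entries = list(parse(log))
    # O15 adds hosts to IE's Trusted Zone; an ActiveX install (O16) from such a host is doubly suspect.
    trusted = [b.split("Trusted Zone:", 1)[1].strip().lstrip("*.").lower()
               for c, b, _ in entries if c == "O15"]
    # RunOnce is meant to fire once: the same exe under Run and RunOnce means something re-registers it.
    keys_by_exe = {}
    for c, b, _ in entries:
        m = RUN_RE.match(b) if c == "O4" else None
        if m:
            keys_by_exe.setdefault(launch_target(m.group(3)), set()).add(m.group(2))
    out = []
    for code, body, raw in entries:
        if code == "F2" and "Shell=" in body:
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                out.append(Finding("remove", code, "system.ini Shell= starts something besides explorer.exe", raw))
        elif code in ("O3", "O9") and body.endswith("(no file)"):
            out.append(Finding("remove", code, "orphaned entry, target file is gone", raw))
        elif code == "O4":
            m = RUN_RE.match(body)
            exe = launch_target(m.group(3)) if m else ""
            if m and "\\" not in exe:  # bare name resolved via the search path: common disguise
                if len(keys_by_exe[exe]) > 1:
                    out.append(Finding("remove", code, f"{exe} registered under both Run and RunOnce", raw))
                else:
                    out.append(Finding("review", code, f"{exe} launched by bare name, no path", raw))
        elif code == "O10":
            out.append(Finding("remove", code, "Winsock LSP hijack: remove, then run LSPFix to repair the stack", raw))
        elif code == "O15":
            out.append(Finding("remove", code, "site added to IE Trusted Zone", raw))
        elif code == "O16":
            m = URL_HOST_RE.search(body)
            host = m.group(1).lower() if m else ""
            if any(host == t or host.endswith("." + t) for t in trusted):
                out.append(Finding("remove", code, f"ActiveX download from Trusted Zone host {host}", raw))
            elif body.lower().endswith(".exe"):
                out.append(Finding("remove", code, "DPF entry downloads a bare .exe rather than a .cab", raw))
        elif code == "O17":
            out.append(Finding("review", code, "NameServer override: remove only if these are not the ISP's DNS servers", raw))
        elif code == "O23" and "Unknown owner" in body:
            out.append(Finding("review", code, "service with no publisher", raw))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:3} {f.reason}: {f.line}")
```

Run against the full log from the thread, it reproduces most of Datana's kill list while leaving the Dell, Java and MSN Zone entries alone, which is the behaviour a responder wants before touching anything by hand.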

Posted: 2005-03-17 09:09pm
by Joe
No disrespect intended, but I wonder if your parents clicked on every flashing or shiny thing that popped up and opened every attachment. Worms, viruses, trojans, spyware, adware, you name it, it's here. Not the worst box I've worked on, but it's near the top. At least it doesn't have VX2.
I really don't get what happened. It was never the best system in the world, but somehow over the last few months it's just gone totally to hell. My dad has quite a bit of anti-Spyware/Adware stuff installed, but I guess it hasn't done its job very well.

Posted: 2005-03-17 09:34pm
by Joe
C:\Program Files\Media Pass\MediaPass.exe
Having trouble with this. I kill it, it immediately opens back up.

Posted: 2005-03-17 09:34pm
by Praxis
Joe wrote: My dad has quite a bit of anti-Spyware/Adware stuff installed, but I guess it hasn't done its job very well.
Wearing a bulletproof vest doesn't do too much good when you put a gun to your head :lol:

Just like anti-spyware doesn't do much good if you go around downloading everything that screams "Click me!". :(

Posted: 2005-03-17 09:36pm
by Praxis
Joe wrote:
C:\Program Files\Media Pass\MediaPass.exe
Having trouble with this. I kill it, it immediately opens back up.
Burn the file into the ground with command prompt.
From safe mode if necessary.

EDIT:
How another guy did it.
http://www.computing.net/windowsxp/wwwb ... 29160.html

Posted: 2005-03-17 10:08pm
by Joe
Y'know what, fuck all this shit. I've somehow managed to trick the CD Burner into working, so there's really no need to go through all of this. I'm going to burn this system to the ground; any more recommendations on what I need to do, besides what Datana posted?

Posted: 2005-03-17 10:21pm
by Joe
Oh, and how do I download a hard copy of SP2? They want to do an automatic install, I don't.

Posted: 2005-03-17 10:31pm
by Datana
Joe wrote: Oh, and how do I download a hard copy of SP2? They want to do an automatic install, I don't.
You're looking for the Full Network Install of SP2.

Good to see that you have the CD burner working. If you still need to get rid of mediapass.exe, note that it's linked to mediapassk.exe, mediaacck.exe, and mediaaccess.exe -- try killing those first, as they're probably restoring it. If you can't get rid of them still, run HJT! anyway to clear away the other stuff, which should simplify your work a bit.

Posted: 2005-03-17 10:34pm
by Praxis
Joe wrote: Y'know what, fuck all this shit. I've somehow managed to trick the CD Burner into working, so there's really no need to go through all of this. I'm going to burn this system to the ground; any more recommendations on what I need to do, besides what Datana posted?
Burn yourself a copy of Knoppix for next time this happens. It can be useful for killing those stupid unkillable exe's, and for backing everything up onto, say, a USB device, if Windows gets so corrupted it can't boot.