I just opened my registry, then went to Find in the Edit menu, then typed image.dll and deleted all items that had that in their name or location. Then I found the real image.dll file and deleted it, but you have to close all browser windows.
trixracing
3 Posts
0
June 4th, 2004 05:00
Here are the results after I ran Adaware:
Logfile of HijackThis v1.97.7
Scan saved at 11:09:31 PM, on 6/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewListedItems&userid=phxracing&include=0&since=2&sort=3&rows=25
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37630.6064351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E255BFF3-ADB3-4D34-AE3C-E97CFD880D7C}: NameServer = 209.116.241.10,216.99.225.31
trixracing
3 Posts
0
June 4th, 2004 05:00
Here are the results of the dllfix program:
--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Thu 06/03/2004
11:07 PM
System Info:
Microsoft Windows XP [Version 5.1.2600]
C: "" (64E2:218E) - FS:NTFS clusters:4k
Total: 41 159 266 304 [38G] - Free: 35 186 139 136 [33G]
*IE version and Service packs:
6.0.2600.0 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Locked or 'Suspect' file(s) found...
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
And I still have the error.
Vandread
98 Posts
0
June 4th, 2004 17:00
Texruss
3.4K Posts
0
June 6th, 2004 03:00
Thanks for your post and your patience. Very interesting infection...it was indicated in your first log before you used Adaware. This partial entry from your first post is the main baddie clue:
(res://mshp.dll/index.html#10213).
The mshp.dll exploit is subject to a great deal of different cleanup suggestions. Here is a webpage that has an interesting double-side to this infection:
http://www.pchell.com/support/lookfor.shtml
The information that it is a combo Trojan and CWS infection sheds new light on why it has been such a pain.
Hopefully Adaware whacked it for good as indicated by your second post. Normally here we recommend for the mshp.dll exploit the use of CWS Shredder.
We all owe a big thanks to Merijn Bellekom, author of Hijackthis and CWS Shredder. BTW...offtopic...
Congratulations to Merijn...our computer genius just got his sheepskin from the university he is attending in the Netherlands. Way to go Merijn!
His Shredder program whacks virtually all variants of CoolWebSearch and today is another watershed...the release of version 1.59.
Still I would keep an eye on the computer for a few days to see if the CWS resurfaces...it is very resourceful. If it does rear its ugly head again, the use of Merijn's Shredder is recommended.
OK...on to your final cleanup...I believe in a thorough scrubbing:
Reboot to SAFE MODE and Show HIDDEN FILES and folders
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Run Hijackthis in Safe Mode, scan and check:
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
With no other windows open click on fix checked button in Hijackthis.
Exit Hijackthis.
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following file if it is present: (it is probably already gone)
C:\WINDOWS\image.dll
Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
If you have any problems with Disk Cleaner completing...XP users can fix it here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;812248
Download and run these two programs at the following link (Spybot S&D and Adaware). Use Spybot first. I know you already have Adaware, but follow the custom scanning instructions for best results. It will pay off.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the guide and go slow on the directions for the custom setup of Adaware:
http://www.cjwd.demon.co.uk/spybot-adaware.html
After cleaning with Spybot and Adaware, reboot a final time and go to Microsoft for your LiveUpdates...you are critically in danger with missing patches. You need SP 1 and other critical security updates for Windows and critical security patches for Internet Explorer 6. If you're not on broadband you may need to order the SP 1 CD from MS as it is a very large download. But without the patches your machine is a sitting duck for far worse disasters.
After getting as much done as possible for patches (all if possible) reboot, browse a bit and post a new Hijackthis log for more followup.
Also...after we get you the all-clear, please use Hijackthis daily for about a week to monitor your machine. Post whenever you have problems.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Spyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
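The two tells Texruss points at in the post above are a browser start page served out of a local DLL through the res:// protocol (the partial mshp.dll entry) and an O4 Run entry that has rundll32 load a DLL dropped straight into C:\WINDOWS. The script below is an added example written for this page; it is not code from HijackThis, CWShredder or anyone in the thread. It parses HJT-style log lines and flags those two patterns, plus O17 NameServer entries that are not on an analyst-supplied trusted list. The SAMPLE_LOG lines are constructed for the example: the R0 line is rebuilt from the partial entry quoted above, the O4, O8 and O17 lines are taken from the posted log, and the TRUSTED_DNS set is an assumption (left empty so the O17 line is surfaced for review rather than declared malicious).

```python
"""Triage of HijackThis (HJT) log lines for the CoolWebSearch-style tells
discussed in this thread.

Added example by the editor, not code from HijackThis, CWShredder or the
thread's posters.  Heuristics: a browser start/search page served from a
local DLL via res://, a Run entry that has rundll32 load a DLL sitting
directly in the Windows directory, and DNS servers the analyst has not
vetted.  SAMPLE_LOG and TRUSTED_DNS are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed sample.  The R0 line is rebuilt from the partial entry quoted
# in the thread (res://mshp.dll/index.html#10213); the O4, O8 and O17 lines
# are copied from the posted log; the ctfmon line is a benign control.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{E255BFF3-ADB3-4D34-AE3C-E97CFD880D7C}: NameServer = 209.116.241.10,216.99.225.31
"""

# Assumed: resolvers the analyst has confirmed with the ISP.  Empty here, so
# any O17 entry is reported for review rather than silently accepted.
TRUSTED_DNS: FrozenSet[str] = frozenset()

# res:// pointing at a DLL in an R0/R1 (start/search page) entry.  res:// is
# legitimate elsewhere (the Google toolbar O8 items use it), which is why only
# the R lines are checked for it.
RES_DLL = re.compile(r"res://(\S+?\.dll)", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<module>[^,"\s]+)', re.IGNORECASE)
# A DLL directly under the Windows directory (not System32): droppers put
# files there, legitimate Run entries rarely load a DLL from there.
WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    severity: str  # "high" (act on it) or "review" (verify with the user)
    reason: str
    line: str


def triage_line(line: str, trusted_dns: FrozenSet[str] = TRUSTED_DNS) -> Optional[Finding]:
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    line = line.rstrip()
    tag = line.split(" ", 1)[0]
    if tag in ("R0", "R1"):
        m = RES_DLL.search(line)
        if m:
            return Finding(tag, "high",
                           f"browser page served from local DLL resource {m.group(1)} "
                           "(CoolWebSearch-style hijack)", line)
    elif tag == "O4":
        m = O4_LINE.match(line)
        if m:
            r = RUNDLL.match(m.group("cmd").strip())
            if r and WINROOT_DLL.match(r.group("module")):
                return Finding(tag, "high",
                               f"rundll32 loads {r.group('module')} from the Windows "
                               "root at logon", line)
    elif tag == "O17":
        m = O17_LINE.match(line)
        if m:
            unknown = [s for s in m.group("servers").split(",") if s not in trusted_dns]
            if unknown:
                return Finding(tag, "review",
                               "DNS servers not on the trusted list: " + ", ".join(unknown), line)
    return None


def triage_log(text: str, trusted_dns: FrozenSet[str] = TRUSTED_DNS) -> List[Finding]:
    """Run triage_line over a whole log; findings keep the log's line order."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line, trusted_dns)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

On the sample this reports the res://mshp.dll start page and the image.dll Run entry as high, leaves the Cmaudio, ctfmon and Google toolbar lines alone, and lists the two O17 resolvers for review; passing those two addresses in trusted_dns (once the user has confirmed them with their ISP) drops the O17 finding. The Windows-root heuristic is the editor's, not a HijackThis rule, and on a real log it needs the same kind of allowlist treatment as the DNS check.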
Vandread
98 Posts
0
June 6th, 2004 05:00