Full Version: Spyware desktop wallpaper 2
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
CampDavid
I keep getting a black and yellow wallpaper on my desktop, "Warning You're In Danger", which then takes you to the site www.topantisypware.com. The warning triangle pops up at the bottom and a folder called "Hi" keeps appearing.

I've done a scan with Ad-Aware and quarantined critical objects, but the wallpaper is still there.

Here's my Hijackthis log. Can you help me get rid of it?

Logfile of HijackThis v1.99.1
Scan saved at 14:31:22, on 23/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsrv50.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\APVXDWIN.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Openmeet\warn way coal.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\qes84aid\qes84aid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\kori\korim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\kori\koria.exe
C:\Program Files\qes84aid\qes84aid1\qes84aid1.exe
C:\Program Files\AOL 7.0b\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\sprio600.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passthrough/...p://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/anytime/choice2.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=408
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CDBC996-2F40-4ED6-A023-7A7778055F52} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {38BB3730-DD86-499E-A9D2-CF8C33DEC80D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {39DCFF43-17F7-4CF6-9381-D7B40342E5FE} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {4516DEB6-7354-4696-AC70-43833F1F52E9} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {46781293-A9E8-4596-9440-8809217757AA} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {55DA0FBE-851A-4C75-ABC6-78C8500E258C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {59EADE3E-016B-4B88-B1A5-2E9544AFF4B5} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {5B111F59-6381-4DA6-83A2-4555CD0E21F6} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {66DC3D39-4E21-42B3-8BAE-BBF63E105F58} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {72EB18EA-1091-4D08-A97A-667D38A528F4} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {76C298D3-1BC9-44EF-98FB-5B1896FDE0E3} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {7B939532-F24E-4CBB-A364-BD5CD740A423} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {8FBAD8DA-AE15-4F6C-AFF7-08353034CA62} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {93F33602-A43C-45B3-81FA-5FF377BF585A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {9AE90414-09A3-4137-8B2A-2DE176AE5B76} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: (no name) - {9D764B6A-004D-45EF-AE4D-90E2B8DE2091} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {A4C3F6F9-2C63-4D38-9CFB-E70B6BBF924F} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {A6F9C95B-D75B-4E8A-B9F8-37B3A37A095D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {B409465C-1CD0-4BC2-9AC2-2169F7D7932A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {B6A6E46A-3D63-43C1-9241-92C1F316776C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {C6226A6B-9487-4F80-BCFD-5F92E491A796} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {CB40E07C-CFB3-4DC2-B493-3DF10416D824} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll
O2 - BHO: (no name) - {CF2760A2-09BC-467B-8D68-01355AA99E0D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {DB9D3580-741B-423F-8596-1AC6DA97817A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {E0BAB1C7-7C0E-412C-AF20-654EF2936A2C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {F06AE1E0-844D-4F4B-811F-246942B490F5} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {F8FF6667-DE96-416C-B0B1-5A143F9808E1} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 6.0\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ScanInicio] "C:\Program Files\Panda Software\Panda Antivirus 6.0\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Cake Browse] C:\PROGRA~1\Openmeet\warn way coal.exe
O4 - HKLM\..\Run: [xnllvrayo] C:\WINDOWS\System32\ubzynqaj.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [qes84aid] C:\Program Files\qes84aid\qes84aid.exe
O4 - HKLM\..\RunServices: [PandaScheduler] "C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsched.exe"
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lffax11n] C:\WINDOWS\System32\lffax11n.exe
O4 - HKCU\..\Run: [sprio600] C:\WINDOWS\System32\sprio600.exe
O4 - HKCU\..\Run: [kdcom] C:\WINDOWS\System32\kdcom.exe
O4 - HKCU\..\Run: [loadperf] C:\WINDOWS\System32\loadperf.exe
O4 - HKCU\..\Run: [kori] C:\PROGRA~1\COMMON~1\kori\korim.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\Program Files\RegFreeze\rfsearchhandler.dll
O9 - Extra 'Tools' menuitem: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\Program Files\RegFreeze\rfsearchhandler.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ChatSpace Java Client 2.1.0.76L - http://62.232.36.79:8000/Java/cs4msl076.cab
O16 - DPF: ConferenceRoom Java Client - http://irc4.bondage.com:8080/java/cr.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/408.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{779DCDE1-62C0-409F-BB9C-FE30C7F4936C}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{779DCDE1-62C0-409F-BB9C-FE30C7F4936C}: NameServer = 205.188.146.145
O23 - Service: I-- The nicest hobby on Earth ;) --Eng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsrv50.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
CampDavid
Can anybody help me? Tell me what I should do. I'm so frustrated by it!
LoPhatPhuud
First:
I recommend that you uninstall P2P Networking through Add/Remove Programs.

If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.


Second:
Launch Notepad and copy/paste the box below into a new text file. Save it as fixme.reg on your Desktop.
CODE
REGEDIT4

; Delete the whole URLSearchHooks key (this drops the renamed "_{CFBFAE00-...}" entry
; shown in the R3 lines of the log), then recreate it with only the default hook.
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://amazingautossearch.com/passthrough/...p://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/anytime/choice2.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=408
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve

O2 - BHO: (no name) - {2CDBC996-2F40-4ED6-A023-7A7778055F52} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {38BB3730-DD86-499E-A9D2-CF8C33DEC80D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {39DCFF43-17F7-4CF6-9381-D7B40342E5FE} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {4516DEB6-7354-4696-AC70-43833F1F52E9} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {46781293-A9E8-4596-9440-8809217757AA} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {55DA0FBE-851A-4C75-ABC6-78C8500E258C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {59EADE3E-016B-4B88-B1A5-2E9544AFF4B5} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {5B111F59-6381-4DA6-83A2-4555CD0E21F6} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {66DC3D39-4E21-42B3-8BAE-BBF63E105F58} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {72EB18EA-1091-4D08-A97A-667D38A528F4} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {76C298D3-1BC9-44EF-98FB-5B1896FDE0E3} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {7B939532-F24E-4CBB-A364-BD5CD740A423} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {8FBAD8DA-AE15-4F6C-AFF7-08353034CA62} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {93F33602-A43C-45B3-81FA-5FF377BF585A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {9AE90414-09A3-4137-8B2A-2DE176AE5B76} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: (no name) - {9D764B6A-004D-45EF-AE4D-90E2B8DE2091} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {A4C3F6F9-2C63-4D38-9CFB-E70B6BBF924F} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {A6F9C95B-D75B-4E8A-B9F8-37B3A37A095D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {B409465C-1CD0-4BC2-9AC2-2169F7D7932A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {B6A6E46A-3D63-43C1-9241-92C1F316776C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {C6226A6B-9487-4F80-BCFD-5F92E491A796} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {CB40E07C-CFB3-4DC2-B493-3DF10416D824} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll
O2 - BHO: (no name) - {CF2760A2-09BC-467B-8D68-01355AA99E0D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {DB9D3580-741B-423F-8596-1AC6DA97817A} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {E0BAB1C7-7C0E-412C-AF20-654EF2936A2C} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {F06AE1E0-844D-4F4B-811F-246942B490F5} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {F8FF6667-DE96-416C-B0B1-5A143F9808E1} - C:\Program Files\qes84aid\qes84aid.dll

O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Cake Browse] C:\PROGRA~1\Openmeet\warn way coal.exe
O4 - HKLM\..\Run: [xnllvrayo] C:\WINDOWS\System32\ubzynqaj.exe
O4 - HKLM\..\Run: [qes84aid] C:\Program Files\qes84aid\qes84aid.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [lffax11n] C:\WINDOWS\System32\lffax11n.exe
O4 - HKCU\..\Run: [sprio600] C:\WINDOWS\System32\sprio600.exe
O4 - HKCU\..\Run: [kdcom] C:\WINDOWS\System32\kdcom.exe
O4 - HKCU\..\Run: [loadperf] C:\WINDOWS\System32\loadperf.exe
O4 - HKCU\..\Run: [kori] C:\PROGRA~1\COMMON~1\kori\korim.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/408.chm::/file.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\Program Files\Openmeet\ <-- delete entire folder
C:\WINDOWS\System32\ubzynqaj.exe
C:\Program Files\qes84aid\qes84aid.exe
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\lffax11n.exe
C:\WINDOWS\System32\sprio600.exe
C:\WINDOWS\System32\kdcom.exe
C:\WINDOWS\System32\loadperf.exe
C:\Program Files\Common Files\kori\ <-- delete entire folder
C:\WINDOWS\zeta.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.


Last:
From Control Panel, double click on the Display Control Panel
Select the 'Desktop' tab
Press the 'Customize Desktop' button
Select the 'Web' tab
Clear the check mark from Desktop.html and remove any items you did not install
Make sure that Active Desktop is not locked
CampDavid
Hello. I've done all that. The black advert on the desktop is still there and the warning balloon still pops up.

Here's my log again
Scan saved at 00:41:44, on 24/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsrv50.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Panda Software\Panda Antivirus 6.0\APVXDWIN.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AOL 7.0b\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanInicio] "C:\Program Files\Panda Software\Panda Antivirus 6.0\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 6.0\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\RunServices: [PandaScheduler] "C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsched.exe"
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0b\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ChatSpace Java Client 2.1.0.76L - http://62.232.36.79:8000/Java/cs4msl076.cab
O16 - DPF: ConferenceRoom Java Client - http://irc4.bondage.com:8080/java/cr.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{779DCDE1-62C0-409F-BB9C-FE30C7F4936C}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{779DCDE1-62C0-409F-BB9C-FE30C7F4936C}: NameServer = 205.188.146.145
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsrv50.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

What do I do now? :(
CampDavid
I've managed to get my desktop picture back - hooray. I just went on to customize desktop options.

The warning balloon is still popping up - what do I do about it?
LoPhatPhuud
The files for the balloon did not get deleted.

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll

O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be located in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\System32\srvc32.exe
C:\WINDOWS\System32\spoolsrv32.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.
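Both of LoPhatPhuud's removal posts above work by reading the HijackThis log by eye for the same handful of tells: a URLSearchHook whose GUID has been renamed to "_{...}", one DLL registered under dozens of BHO CLSIDs, RunOnce values that are still present on the next boot (they should self-delete, so one that keeps coming back is being re-created by something still running, which is why the balloon survived the first pass), per-user Run entries launching binaries out of System32, O16 entries sourced from ms-its: or file: rather than a web URL, and services whose binary is missing. The script below is an added example, not a tool from this thread or from the HijackThis project, that applies those rules to log lines. The sample input is constructed from lines copied out of the logs posted above plus a few benign entries (Acrobat, IgfxTray, CePMTray, Messenger, Yahoo! Chat, Panda); every rule is a heuristic, and a hit means "look at this", not a verdict.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example for this thread, not a tool the helpers used. Every rule is a
heuristic drawn from the two logs above; a hit means "look at this", not "malware".
"""
from __future__ import annotations

import re
from collections import defaultdict

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<name>.*?) -\s*(?P<url>\S*)$")

# Constructed sample: lines copied from the logs posted in this thread, mixed with
# benign entries so the rules have something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CDBC996-2F40-4ED6-A023-7A7778055F52} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {38BB3730-DD86-499E-A9D2-CF8C33DEC80D} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {39DCFF43-17F7-4CF6-9381-D7B40342E5FE} - C:\Program Files\qes84aid\qes84aid.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [xnllvrayo] C:\WINDOWS\System32\ubzynqaj.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\Run: [kdcom] C:\WINDOWS\System32\kdcom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/408.chm::/file.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 6.0\Pavsrv50.exe
"""


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def bigrams(s: str) -> set[str]:
    """Case-folded letter pairs, used to ask whether a Run label resembles its binary name."""
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    return {s[i:i + 2] for i in range(len(s) - 1)}


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (rule, log line) pairs for entries that deserve a second look."""
    findings: list[tuple[str, str]] = []
    bho_by_dll: dict[str, list[str]] = defaultdict(list)
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "R3" and ("_{" in body or "(no file)" in body):
            # The stock search hook has been renamed or broken: a hijacker's trick.
            findings.append(("R3 URLSearchHook renamed or pointing at no file", line))
        elif sec == "O2":
            b = O2_RE.match(body)
            if b and b.group("path") == "(no file)":
                findings.append(("O2 BHO CLSID with no backing file", line))
            elif b:
                bho_by_dll[b.group("path").lower()].append(line)
        elif sec == "O4":
            a = O4_RE.match(body)
            if not a:
                continue  # Global Startup .lnk entries are not covered by these rules
            path = exe_path(a.group("cmd"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_system32 = "\\system32\\" in path.lower()
            if a.group("key") == "RunOnce":
                # RunOnce values self-delete; one present in every log is being re-created.
                findings.append(("O4 RunOnce entry that keeps coming back", line))
            elif a.group("hive") == "HKCU" and in_system32:
                findings.append(("O4 per-user autorun launching a System32 binary", line))
            elif in_system32 and not bigrams(a.group("label")) & bigrams(stem):
                findings.append(("O4 Run label unrelated to its System32 binary", line))
        elif sec == "O16":
            d = O16_RE.match(body)
            url = d.group("url") if d else ""
            if not url.lower().startswith(("http://", "https://")):
                # ms-its:/file: sources mean a CHM or local cab dropped the payload, not a web install.
                findings.append(("O16 DPF source is not an HTTP URL", line))
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(("O23 service with missing binary or unknown owner", line))
    for dll, entries in bho_by_dll.items():
        if len(entries) >= 3:  # a legitimate BHO registers one CLSID, not dozens
            findings.append((f"O2 one DLL behind {len(entries)} BHO CLSIDs: {dll}", entries[0]))
    return findings


if __name__ == "__main__":
    for rule, hit in triage(SAMPLE_LOG):
        print(f"[{rule}]\n    {hit}")
```

Run it as-is to see the sample flagged, or feed it a whole saved log with `triage(open("hijackthis.log").read())`. The label-versus-binary rule is deliberately loose (any shared letter pair passes) so that vendor entries like [CeEPOWER] CePMTray.exe are left alone while [xnllvrayo] ubzynqaj.exe is not; entries whose label simply equals the random binary name, like [sprio600] sprio600.exe, only get caught when one of the other rules (per-user Run into System32) applies, which is why the output is a review list and not a removal list.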