Hello and thanks for your efforts! Sincerely!

I am trying to get rid of the software that has taken over my wifes laptop.

I have followed the before your post steps with the following results.

1. I downloaded the current spybot and run it in both normal and safe modes countless times. However this does not seem to be getting rid of the malware. It seems that the programs keep coming back.

I tried to run Kaspersky and it goes through the long scan and then it seems my machine will not save the scan. Every time I click save report my screen just stays the same with no dialog appearing and so no save of the file. I have tried it numerous times.

So I ran hijack this and below is the report. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:29 AM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\printer.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Lorrie\LOCALS~1\Temp\sysserver.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O22 - SharedTaskScheduler: biisk - {f39d0dee-b2f0-4591-9187-1cc39c1df98a} - C:\WINDOWS\system32\kzpkwj.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RegSrvc RegSrvcWmdmPmSN (RegSrvcWmdmPmSN) - Unknown owner - C:\WINDOWS\system32\ansif.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9147 bytes

Hello kevponce,

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks for the response

Ran sdfix txt file is below. Couple of things.

I am running McAfee. Sorry should have mentioned this. After my machine rebooted McAfee told me that there were registry changes that wanted to be changed. Three popups came up asking to change registry values. such as system guard: winlogon shell ---winavxx.exe.

Trouble is teatimer came up with popups as well. I don't know what hte hjec to allow or disallow and now there is this constant pop up in tea timer that just keeps coming up for the winlogon every second it pops up then goes away just to pop up again. Seems like my machine got worse.

Here is the txt


SDFix: Version 1.107

Run by Lorrie on Sun 10/07/2007 at 09:50 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
runtime

ImagePath:
\??\C:\WINDOWS\System32\drivers\runtime.sys

runtime - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\8_exception.nls - Deleted
C:\WINDOWS\system32\printer.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\1131330116\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131330116\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Common Files\\AOL\\1135701034\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1135701034\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1135701034\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1135701034\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1146148073\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1146148073\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1146148073\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1146148073\\ee\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1131330116\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1131330116\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 26 Sep 2007 28,672 ..SHR --- "C:\WINDOWS\system32\ansif.exe"
Tue 18 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 5 Oct 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 5 Oct 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sun 17 Oct 2004 56,832 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL0310.tmp"
Sun 17 Oct 2004 57,344 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL0697.tmp"
Thu 7 Oct 2004 41,472 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL0744.tmp"
Sun 17 Oct 2004 53,760 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL1112.tmp"
Sun 17 Oct 2004 55,296 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL2187.tmp"
Sun 3 Oct 2004 48,128 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL2713.tmp"
Sun 17 Oct 2004 53,248 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL3028.tmp"
Sun 17 Oct 2004 57,344 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2004-05\~WRL3575.tmp"
Wed 23 Nov 2005 76,800 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL0667.tmp"
Thu 26 Jan 2006 75,776 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL0862.tmp"
Wed 14 Mar 2007 72,704 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL1405.tmp"
Wed 25 Jan 2006 71,680 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL1523.tmp"
Thu 26 Jan 2006 67,584 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL1733.tmp"
Thu 15 Mar 2007 72,192 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL1737.tmp"
Thu 26 Jan 2006 75,264 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL2065.tmp"
Thu 26 Jan 2006 68,096 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL2242.tmp"
Tue 22 Nov 2005 68,096 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL2370.tmp"
Wed 23 Nov 2005 76,800 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL3027.tmp"
Wed 24 Jan 2007 72,704 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL3311.tmp"
Thu 15 Mar 2007 70,656 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL3805.tmp"
Wed 3 May 2006 51,200 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2005-2006\~WRL3977.tmp"
Wed 2 May 2007 56,320 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL0022.tmp"
Thu 3 May 2007 62,464 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL0521.tmp"
Thu 3 May 2007 62,976 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL0918.tmp"
Mon 20 Nov 2006 71,168 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL0965.tmp"
Thu 3 May 2007 61,440 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL2971.tmp"
Mon 20 Nov 2006 67,072 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL3071.tmp"
Thu 3 May 2007 61,952 A..H. --- "C:\Documents and Settings\Lorrie\My Documents\Lesson plans 2006-2007\~WRL3300.tmp"
Thu 27 Sep 2007 70,656 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2007-08\~WRL0992.tmp"
Thu 27 Sep 2007 68,608 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2007-08\~WRL1932.tmp"
Wed 12 Sep 2007 62,464 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2007-08\~WRL2147.tmp"
Thu 27 Sep 2007 69,120 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2007-08\~WRL3232.tmp"
Thu 27 Sep 2007 68,096 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\lesson plans 2007-08\~WRL3856.tmp"
Tue 2 Jan 2007 25,088 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\Letters\~WRL0001.tmp"
Sun 27 Feb 2005 20,992 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\Letters\~WRL0002.tmp"
Tue 22 Feb 2005 20,992 ...H. --- "C:\Documents and Settings\Lorrie\My Documents\Letters\~WRL0003.tmp"
Mon 24 Oct 2005 82 A..H. --- "C:\Documents and Settings\All Users\Documents\NetworkMoves\FinePix Driver\._WinXp.exe"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Lorrie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Lorrie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Lorrie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Lorrie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

Here is combo fix report

but first I am still getting alot of tea timer hits. How do I know which to allow.

Also should I turn McAfee off. How do I know what to allow here as well. It seems that some of the registry changes are for the good, but how would i know?

also when I rebooted i rec'd an alert that auto updates was turned off. Is this OK.

I downloaded How did I get infected I'll read that and hope it answers some questions.

Report...


ComboFix 07-10-07.2 - Lorrie 2007-10-07 22:23:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT -5:00]
Running from: C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Lorrie\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Lorrie\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Lorrie\Desktop\Go to Casino.lnk
C:\Documents and Settings\Lorrie\Desktop\internet.lnk
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\WINDOWS\Casino.ico
C:\WINDOWS\Free Online Dating.ico
C:\WINDOWS\Spyware Remover.ico
C:\WINDOWS\svhjdsah.exe
C:\WINDOWS\svhjdsah.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 22:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 07:13 22,697 --a------ C:\WINDOWS\pdoakac.exe
2007-10-05 07:13 12,288 --a------ C:\WINDOWS\mraerea.exe
2007-09-26 19:20 28,672 -r-hs---- C:\WINDOWS\system32\ansif.exe
2007-09-26 19:20 109 --ahs---- C:\WINDOWS\system32\1613020561.dat
2007-09-26 14:43 9,728 --a------ C:\Program Files\hlpsrv.exe
2007-09-12 23:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 17:26 --------- d-------- C:\Program Files\McAfee
2007-09-25 20:46 --------- d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-09-22 07:11 --------- d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-09-14 05:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 05:56 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-31 00:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2006-08-01 21:17 13736064 --a------ C:\Program Files\GoogleEarthWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 08:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"smgr"="mgrs.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 11:33:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

S2 RegSrvcWmdmPmSN;RegSrvc RegSrvcWmdmPmSN;C:\WINDOWS\system32\ansif.exe srv
S3 FINEPIX_PCC;FinePix Digital Camera 020717;C:\WINDOWS\system32\Drivers\V4CB011D.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 23:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-11 13:00:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\Program Files\McAfee\MQC\QcConsol.exe
"2007-08-01 06:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-05 12:10:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-07 22:31:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-07 22:35:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-07 22:35
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:38 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Lorrie\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RegSrvc RegSrvcWmdmPmSN (RegSrvcWmdmPmSN) - Unknown owner - C:\WINDOWS\system32\ansif.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8685 bytes

Hello kevponce,


Also should I turn McAfee off.
For the remainder of this fix I would turn it off, yes.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.


A. Please RUN HijackThis
Click the SCAN button to produce a log.


Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
C:\WINDOWS\pdoakac.exe
C:\WINDOWS\mraerea.exe
C:\WINDOWS\system32\ansif.exe
C:\WINDOWS\system32\1613020561.dat
C:\Program Files\hlpsrv.exe
C:\WINDOWS\system32\sulimo.dat
C:\WINDOWS\system32\printer.exe
C:\Windows\system32\mgrs.exe

Folder::
C:\Program Files\MyWaySA

Driver::
RegSrvcWmdmPmSN

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

ComboFix 07-10-07.2 - Lorrie 2007-10-08 0:05:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lorrie\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\hlpsrv.exe
C:\WINDOWS\mraerea.exe
C:\WINDOWS\pdoakac.exe
C:\WINDOWS\system32\1613020561.dat
C:\WINDOWS\system32\ansif.exe
C:\Windows\system32\mgrs.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\sulimo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\hlpsrv.exe
C:\Program Files\MyWaySA
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
C:\WINDOWS\mraerea.exe
C:\WINDOWS\pdoakac.exe
C:\WINDOWS\system32\1613020561.dat
C:\WINDOWS\system32\ansif.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_REGSRVCWMDMPMSN
-------\RegSrvcWmdmPmSN


((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-07 22:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 23:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 23:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 23:07 --------- d-------- C:\Program Files\PopCap Games
2007-10-06 17:26 --------- d-------- C:\Program Files\McAfee
2007-09-25 20:46 --------- d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-09-22 07:11 --------- d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-08-31 05:56 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-31 00:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2006-08-01 21:17 13736064 --a------ C:\Program Files\GoogleEarthWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_22.33.49.57 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 32,768 2007-10-08 03:36:08 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-08 03:36:08 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 08:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 11:33:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

S3 FINEPIX_PCC;FinePix Digital Camera 020717;C:\WINDOWS\system32\Drivers\V4CB011D.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 23:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-11 13:00:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\Program Files\McAfee\MQC\QcConsol.exe
"2007-08-01 06:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-05 12:10:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 00:12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 0:15:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 00:15
C:\ComboFix2.txt ... 2007-10-07 22:35
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:27 AM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Lorrie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8312 bytes

Hello kevponce,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Dear Rip Chain

First thank you for your diligence. My wifes machine is already working much better.

Second. I need to understand the whole turn off the virus protection thing.

Last time you gave me instructions I turned off McAffe and Tea timer then went through the instructions. But after I was done rebooting and ComboFix finished I turned back on the protections and right away I was getting prompts to make decisions. Is there a chance I screwed things up. Although I don't think so. I guess my puzzlement is if I leave the virus protection off won't the virus/malware stuff just invade again. Because every bootup something called ctmon or ctfmon keeps trying to change the registry but teattimer says it is malware/spyware.

I know you mentioned that it would be OK to turn these back on once the I am clean but what about the interim.

One other strange thing. I saw that the printer.exe file was being diagnosed/looked at/fixed, whatever you would call it, and then my wifes machine wouldn't print and crashed the programs when I clicked print. i rebooted a couple of times thinking it would resolve, and now a day later it is back to printing. Any enlightened thoughts on that so I may understand?

Thanks again and I will await response before I go on

Kev

Hello kevponce,


Last time you gave me instructions I turned off McAffe and Tea timer then went through the instructions. But after I was done rebooting and ComboFix finished I turned back on the protections and right away I was getting prompts to make decisions.
That's because Teatimer is making up for lost time, asking about any changes that happened since it had been disabled. That's why I generally leave it off whenever I'm doing anything that makes lot's of system changes, like removing malware from a computer.


Is there a chance I screwed things up. Although I don't think so. I guess my puzzlement is if I leave the virus protection off won't the virus/malware stuff just invade again.
As long as you keep your web surfing to a minimum during the fix you should be alright, but I would keep the anti-virus running. You didn't screw anything up, everything is going according to plan.


One other strange thing. I saw that the printer.exe file was being diagnosed/looked at/fixed, whatever you would call it, and then my wifes machine wouldn't print and crashed the programs when I clicked print. i rebooted a couple of times thinking it would resolve, and now a day later it is back to printing. Any enlightened thoughts on that so I may understand?
That file was just a random named malware file, it didn't have anything to do with your actual printer. It's possible malware we removed recently was interrfering with the printer.

You can go ahead and disable teatimer again until we finish up here, this file it keeps detecting named ctfmon.exe is legitimate.

So should I allow ctfmon next time teatimer asks?

I would, yes.

Dear Rip Chain

Active Scan results are below.

1 question. When I boot up I am informed that auto updates is off. How should I set up auto updates?


Active scan results...


Incident Status Location

Adware:adware/spywarequake Not disinfected c:\windows\system32\1024\ldD16C.tmp
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@ads.pointroll[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@adultfriendfinder[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@atwola[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@com[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@entrepreneur[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@findwhat[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@serving-sys[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@www.burstbeacon[2].txt
Spyware:Cookie/VirusProtectPro Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@www.virusprotectpro[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@www1.addfreestats[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lorrie\Cookies\lorrie@yadro[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lorrie\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir
Potentially unwanted tool:Application/MyWay Not disinfected C:\qoobox\Quarantine\C\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll.vir
Potentially unwanted tool:Application/UltimateDefender Not disinfected C:\qoobox\Quarantine\C\Program Files\ucleaner_setup.exe.vir
Virus:Generic Malware Disinfected C:\qoobox\Quarantine\C\WINDOWS\pdoakac.exe.vir
Virus:Trj/Agent.GQS Disinfected C:\qoobox\Quarantine\C\WINDOWS\svhjdsah.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\WinAvXX.exe.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/autorun.exe]
Adware:Adware/DriveCleaner Not disinfected C:\SDFix\backups\backups.zip[backups/mgrs.exe]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/movedfile.ren]
Adware:Adware/WinAntiVirus2007 Not disinfected C:\SDFix\backups\backups.zip[backups/printer.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@adultfriendfinder[2].txt

Hello kevponce,


How should I set up auto updates?
I would set them to automatically update.

1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



File::
c:\windows\system32\1024\ldD16C.tmp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new HijackThis log.

HiJack this....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:50 PM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lorrie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8529 bytes



ComboFix...


ComboFix 07-10-07.2 - Lorrie 2007-10-09 15:42:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.220 [GMT -5:00]
Running from: C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lorrie\Desktop\CFScript.txt
* Created a new restore point

FILE::
c:\windows\system32\1024\ldD16C.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1024\ldD16C.tmp

.
((((((((((((((((((((((((( Files Created from 2007-09-09 to 2007-10-09 )))))))))))))))))))))))))))))))
.

2007-10-09 12:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 12:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-07 22:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 23:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 13:43 --------- d-------- C:\Program Files\iTunes
2007-10-09 13:37 --------- d-------- C:\Program Files\Digital Line Detect
2007-10-09 13:37 --------- d-------- C:\Program Files\DellSupport
2007-10-09 13:32 --------- d-------- C:\Program Files\Apoint
2007-10-09 09:47 --------- d-------- C:\Program Files\McAfee
2007-10-07 23:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 23:07 --------- d-------- C:\Program Files\PopCap Games
2007-09-25 20:46 --------- d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-09-22 07:11 --------- d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-08-31 05:56 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-31 00:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2006-08-01 21:17 13736064 --a------ C:\Program Files\GoogleEarthWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_22.33.49.57 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 141,424 2006-08-24 13:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 08:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"smgr"="mgrs.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 11:33:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

S3 FINEPIX_PCC;FinePix Digital Camera 020717;C:\WINDOWS\system32\Drivers\V4CB011D.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 23:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-11 13:00:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\Program Files\McAfee\MQC\QcConsol.exe
"2007-08-01 06:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-05 12:10:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 15:45:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-09 15:47:59
C:\ComboFix-quarantined-files.txt ... 2007-10-09 15:47
C:\ComboFix2.txt ... 2007-10-08 00:16
C:\ComboFix3.txt ... 2007-10-07 22:35
.
--- E O F ---

Dear Rip Chain (Man, that is so weird calling you Rip Chain, can't even imagine what it means)
Anyway - I went to turn on my updates and that area is completely dimmed out. Is there a chance that Spybot is blocking that? If so do you know the setting location to fix it.

Thanks Kev

Hello kevponce,


Dear Rip Chain (Man, that is so weird calling you Rip Chain, can't even imagine what it means)
You probably don't want to imagine either..


Anyway - I went to turn on my updates and that area is completely dimmed out. Is there a chance that Spybot is blocking that? If so do you know the setting location to fix it.
I don't think Spybot locks you out of windows updates, I don't see anything in your logs to suggest that is has been restricted either. We'll come back to this issue later after the computer has been fully cleaned, it's possible malware is still interferring with this.

1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:



Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smgr"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:18 AM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lorrie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8554 bytes

-----------------------------------------------


ComboFix 07-10-07.2 - Lorrie 2007-10-11 0:23:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.264 [GMT -5:00]
Running from: C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lorrie\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-11 to 2007-10-11 )))))))))))))))))))))))))))))))
.

2007-10-09 12:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 22:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 23:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-10 06:31 --------- d-------- C:\Program Files\McAfee
2007-10-09 13:43 --------- d-------- C:\Program Files\iTunes
2007-10-09 13:37 --------- d-------- C:\Program Files\Digital Line Detect
2007-10-09 13:37 --------- d-------- C:\Program Files\DellSupport
2007-10-09 13:32 --------- d-------- C:\Program Files\Apoint
2007-10-07 23:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 23:07 --------- d-------- C:\Program Files\PopCap Games
2007-09-25 20:46 --------- d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-09-22 07:11 --------- d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-08-31 05:56 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-31 00:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2006-08-01 21:17 13736064 --a------ C:\Program Files\GoogleEarthWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_22.33.49.57 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 141,424 2006-08-24 13:28:54 C:\WINDOWS\Downloaded Program Files\asinst.dll
----a-w 73,728 2006-08-02 17:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 135,168 2007-09-25 03:30:28 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-09-25 03:30:30 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-09-25 04:31:42 C:\WINDOWS\system32\javaws.exe
----a-w 11,776 2003-03-25 23:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 14:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 21:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 19:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 16:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 18:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 23:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 23:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 20:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 18:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 15:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 18:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 23:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 21:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 19:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 19:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 18:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 18:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 16:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 16:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 13:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 19:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 15:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 15:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 21:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 14:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 15:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 19:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 19:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 18:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 13:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 13:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 22:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 19:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 11:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 22:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
----a-w 32,768 2007-10-11 03:04:01 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-11 03:04:01 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
--sha-w 32,768 2007-10-11 03:04:01 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 24,681 2003-11-19 21:36:26 C:\WINDOWS\system32\java.exe
----a-w 28,779 2003-11-19 21:36:30 C:\WINDOWS\system32\javaw.exe
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 131,072 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 08:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 11:33:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

S3 FINEPIX_PCC;FinePix Digital Camera 020717;C:\WINDOWS\system32\Drivers\V4CB011D.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 23:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-11 13:00:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\Program Files\McAfee\MQC\QcConsol.exe
"2007-08-01 06:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-05 12:10:41 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 00:27:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-11 0:29:08
C:\ComboFix-quarantined-files.txt ... 2007-10-11 00:28
C:\ComboFix2.txt ... 2007-10-09 15:48
C:\ComboFix3.txt ... 2007-10-08 00:16
.
--- E O F ---

Hello kevponce,

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Deckard's System Scanner v20070905.67
Run by Lorrie on 2007-10-11 18:43:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
68: 2007-10-11 23:44:11 UTC - RP363 - Deckard's System Scanner Restore Point
67: 2007-10-11 05:23:06 UTC - RP362 - ComboFix created restore point
66: 2007-10-11 03:53:49 UTC - RP361 - System Checkpoint
65: 2007-10-09 20:41:18 UTC - RP360 - ComboFix created restore point
64: 2007-10-09 17:29:41 UTC - RP359 - Installed Java(TM) 6 Update 3


-- First Restore Point --
1: 2007-07-22 19:11:23 UTC - RP296 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Lorrie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:29 PM, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Lorrie\Desktop\dss.exe
C:\DOCUME~1\Lorrie\Desktop\Lorrie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8741 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\Lorrie\Desktop\backups\) --------------

backup-20071008-000158-356 O4 - HKLM\..\Run: [smgr] mgrs.exe
backup-20071008-000158-385 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
backup-20071008-000158-605 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
backup-20071008-000158-688 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20071009-114511-706 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

S3 catchme - c:\docume~1\lorrie\locals~1\temp\catchme.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-11 18:43:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-05 07:10:41 332 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2007-09-11 08:00:06 352 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-08-01 01:00:14 354 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2007-09-11 and 2007-10-11 -----------------------------

2007-10-09 12:37:07 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 12:29:48 0 d-------- C:\Program Files\Common Files\Java
2007-10-07 23:05:41 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-07 21:47:46 0 d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07:05 0 d-------- C:\Program Files\Trend Micro
2007-09-12 23:13:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-12 23:13:14 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2007-10-11 17:59:05 0 d-------- C:\Program Files\McAfee
2007-10-09 13:48:27 0 d-------- C:\Program Files\Messenger
2007-10-09 13:43:32 0 d-------- C:\Program Files\iTunes
2007-10-09 13:37:06 0 d-------- C:\Program Files\Digital Line Detect
2007-10-09 13:37:05 0 d-------- C:\Program Files\DellSupport
2007-10-09 13:32:12 0 d-------- C:\Program Files\Apoint
2007-10-09 12:30:51 0 d-------- C:\Program Files\Java
2007-10-09 12:29:48 0 d-------- C:\Program Files\Common Files
2007-10-07 23:07:33 0 d-------- C:\Program Files\PopCap Games
2007-09-25 20:46:40 0 d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-08-31 05:56:08 0 d-------- C:\Program Files\SiteAdvisor
2007-08-18 22:14:33 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 04:04 AM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 04:33 PM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/15/2005 03:02 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/15/2005 03:02 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/30/2004 02:59 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03/04/2005 11:26 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 01:05 AM]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [09/14/2004 08:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [08/04/2007 02:33 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/09/2006 09:33 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [10/10/2005 11:33:07 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 04:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup




-- End of Deckard's System Scanner: finished at 2007-10-11 18:46:38 ------------

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) M processor 1.60GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 503.37 MiB / 211.03 MiB
Pagefile Memory (total/avail): 1228.4 MiB / 885.03 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1967.31 MiB

C: is Fixed (NTFS) - 51.18 GiB total, 35.97 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - SAMSUNG MP0603H - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 (bootable) - Installable File System - 51.18 GiB - C:
\PARTITION2 - Unknown - 4.64 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Lorrie\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LORRIEDELL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Lorrie
LOGONSERVER=\\LORRIEDELL
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Lorrie\LOCALS~1\Temp
TMP=C:\DOCUME~1\Lorrie\LOCALS~1\Temp
USERDOMAIN=LORRIEDELL
USERNAME=Lorrie
USERPROFILE=C:\Documents and Settings\Lorrie
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Lorrie (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{F543B12A-13F5-487E-9314-F7D25E1BBE3E}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Broadcom Management Programs 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Picture Studio v3.0 --> MsiExec.exe /I{AF06CAE4-C134-44B1-B699-14FBDB63BD37}
DellSupport --> MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
FUJIFILM USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\Setup.exe"
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
Get High Speed Internet! --> MsiExec.exe /I{7A3F0566-5E05-4919-9C98-456F6B5CF831}
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel(R) Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Jasc Paint Shop Photo Album 5 --> MsiExec.exe /I{4192EAC0-6B36-4723-B216-D0E86E7757AC}
Jasc Paint Shop Pro Studio, Dell Editon --> MsiExec.exe /I{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Encarta Encyclopedia Deluxe 2005 --> MsiExec.exe /I{05410000-64A6-4248-A026-9745C1E9E159}
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Text-to-Speech Engine 4.0 (English) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}\setup.exe" -l0x9 -uninst
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MyWay Search Assistant --> MsiExec.exe /X{E7559288-223B-453C-9F06-340E3BE21E39}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Qualxserve Service Agreement --> MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickBooks Simple Start Special Edition --> msiexec.exe /I {F543B12A-13F5-487E-9314-F7D25E1BBE3E} UNIQUE_NAME="atomlimited" QBFULLNAME="QuickBooks Simple Start Special Edition" ADDREMOVE=1
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 - ALL
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Typer Shark Deluxe 1.02 --> C:\Program Files\PopCap Games\Typer Shark Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Typer Shark Deluxe\Install.log"
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) -->
USB Driver Vers. 3.2 --> C:\Program Files\USB Driver Vers. 3.2\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"


-- Application Event Log -------------------------------------------------------

Event Record #/Type11884 / Error
Event Submitted/Written: 10/11/2007 00:17:33 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11883 / Error
Event Submitted/Written: 10/11/2007 00:15:25 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11842 / Error
Event Submitted/Written: 10/09/2007 07:31:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application WINWORD.EXE, version 11.0.6359.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type11767 / Error
Event Submitted/Written: 10/07/2007 10:33:52 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application sed.cfexe, version 0.0.0.0, faulting module sed.cfexe, version 0.0.0.0, fault address 0x000106ac.
Processing media-specific event for [sed.cfexe!ws!]

Event Record #/Type11748 / Warning
Event Submitted/Written: 10/07/2007 06:31:41 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1006 / Error
Event Submitted/Written: 10/11/2007 06:43:02 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\MSIInstallPlugin.dll.Manifest.
Reference error message: The operation completed successfully.
.

Event Record #/Type1005 / Error
Event Submitted/Written: 10/11/2007 06:43:02 PM
Event ID/Source: 58 / SideBySide
Event Description:
Syntax error in manifest or policy file "The manifest file contains one or more syntax errors.
1" on line The manifest file contains one or more syntax errors.
2.

Event Record #/Type1004 / Error
Event Submitted/Written: 10/11/2007 06:43:02 PM
Event ID/Source: 61 / SideBySide
Event Description:
Syntax error in manifest or policy file "assemblyIdentity1" on line assemblyIdentity2.
The required attribute version is missing from element assemblyIdentity.

Event Record #/Type1003 / Error
Event Submitted/Written: 10/11/2007 06:43:02 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\Program Files\Apple Software Update\Plugins\EXEInstallPlugin.dll.Manifest.
Reference error message: The operation completed successfully.
.

Event Record #/Type1002 / Error
Event Submitted/Written: 10/11/2007 06:43:02 PM
Event ID/Source: 58 / SideBySide
Event Description:
Syntax error in manifest or policy file "The manifest file contains one or more syntax errors.
1" on line The manifest file contains one or more syntax errors.
2.



-- End of Deckard's System Scanner: finished at 2007-10-11 18:46:38 ------------

Hello kevponce,

Using Add Or Remove Programs remove the following entries (if present): (To get into add Or Remove Programs press the START button > Control Panel > Add Or Remove Programs.)

MyWay Search Assistant
Viewpoint Media Player

A. Please RUN HijackThis
Click the SCAN button to produce a log.


Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. 1. Please open Notepad Click Start , then Run Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Driver::
catchme


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

ComboFix 07-10-07.2 - Lorrie 2007-10-13 21:20:56.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\Lorrie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lorrie\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-11 18:43 <DIR> d-------- C:\Deckard
2007-10-09 12:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-07 22:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-07 21:47 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-07 10:07 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 17:59 --------- d-------- C:\Program Files\McAfee
2007-10-09 13:43 --------- d-------- C:\Program Files\iTunes
2007-10-09 13:37 --------- d-------- C:\Program Files\Digital Line Detect
2007-10-09 13:37 --------- d-------- C:\Program Files\DellSupport
2007-10-09 13:32 --------- d-------- C:\Program Files\Apoint
2007-10-07 23:34 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 23:07 --------- d-------- C:\Program Files\PopCap Games
2007-09-25 20:46 --------- d-------- C:\Documents and Settings\Lorrie\Application Data\SiteAdvisor
2007-09-22 07:11 --------- d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-09-12 23:13 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-31 05:56 --------- d-------- C:\Program Files\SiteAdvisor
2007-08-31 00:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2006-08-01 21:17 13736064 --a------ C:\Program Files\GoogleEarthWin.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-07_22.33.49.57 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 73,728 2006-08-02 17:39:06 C:\WINDOWS\system32\asuninst.exe
----a-w 135,168 2007-09-25 03:30:28 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-09-25 03:30:30 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-09-25 04:31:42 C:\WINDOWS\system32\javaws.exe
----a-w 11,776 2003-03-25 23:53:50 C:\WINDOWS\system32\ZPORT4AS.dll
----a-w 110,592 2007-03-29 14:20:50 C:\WINDOWS\system32\ActiveScan\as.dll
----a-w 233,472 2006-10-05 21:15:26 C:\WINDOWS\system32\ActiveScan\ascontrol.dll
----a-w 96,256 2005-06-03 19:03:18 C:\WINDOWS\system32\ActiveScan\asmdat.dll
----a-w 36,864 2003-08-01 16:00:16 C:\WINDOWS\system32\ActiveScan\certdll.dll
----a-w 86,016 2005-05-20 18:42:44 C:\WINDOWS\system32\ActiveScan\instlsp.dll
----a-w 4,608 2006-02-16 23:20:20 C:\WINDOWS\system32\ActiveScan\memvfile.dll
----a-w 348,160 2005-10-25 23:08:32 C:\WINDOWS\system32\ActiveScan\msvcr71.dll
----a-w 139,264 2004-05-04 20:01:02 C:\WINDOWS\system32\ActiveScan\pavaleas.dll
----a-w 45,056 2006-07-14 18:04:10 C:\WINDOWS\system32\ActiveScan\pavdr.exe
----a-w 159,832 2006-04-10 15:50:02 C:\WINDOWS\system32\ActiveScan\pavexcom.dll
----a-w 94,208 2006-02-14 18:05:38 C:\WINDOWS\system32\ActiveScan\pavinas.dll
----a-w 180,224 2006-02-16 23:35:38 C:\WINDOWS\system32\ActiveScan\pavoe.dll
----a-w 122,880 2006-10-05 21:15:38 C:\WINDOWS\system32\ActiveScan\pavpz.dll
----a-w 8,704 2006-06-30 19:13:38 C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
----a-w 49,152 2004-02-04 19:08:42 C:\WINDOWS\system32\ActiveScan\port32.dll
----a-w 69,632 2006-08-01 18:23:10 C:\WINDOWS\system32\ActiveScan\pscpu.dll
----a-w 1,388,544 2006-08-23 18:06:08 C:\WINDOWS\system32\ActiveScan\pskahk.dll
----a-w 10,752 2006-08-17 16:38:14 C:\WINDOWS\system32\ActiveScan\pskalloc.dll
----a-w 61,440 2006-09-04 16:49:54 C:\WINDOWS\system32\ActiveScan\pskas.dll
----a-w 779,264 2006-08-18 13:46:18 C:\WINDOWS\system32\ActiveScan\pskavs.dll
----a-w 417,792 2007-03-26 19:25:34 C:\WINDOWS\system32\ActiveScan\pskcmp.dll
----a-w 90,112 2006-08-09 15:42:24 C:\WINDOWS\system32\ActiveScan\pskfss.dll
----a-w 208,896 2006-07-19 15:55:58 C:\WINDOWS\system32\ActiveScan\pskhtml.dll
----a-w 9,728 2006-01-20 21:57:00 C:\WINDOWS\system32\ActiveScan\pskmas.dll
----a-w 14,336 2006-05-17 14:50:12 C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
----a-w 33,280 2006-08-16 15:58:12 C:\WINDOWS\system32\ActiveScan\pskpack.dll
----a-w 266,240 2006-06-30 19:42:36 C:\WINDOWS\system32\ActiveScan\pskscs.dll
----a-w 62,976 2006-08-17 19:33:14 C:\WINDOWS\system32\ActiveScan\pskutil.dll
----a-w 13,312 2006-08-08 18:13:10 C:\WINDOWS\system32\ActiveScan\pskvfile.dll
----a-w 69,632 2006-08-18 13:53:08 C:\WINDOWS\system32\ActiveScan\pskvfs.dll
----a-w 167,936 2006-08-18 13:49:50 C:\WINDOWS\system32\ActiveScan\pskvm.dll
----a-w 353,840 2007-04-18 22:16:04 C:\WINDOWS\system32\ActiveScan\psscan.dll
----a-w 35,328 2007-01-22 19:42:48 C:\WINDOWS\system32\ActiveScan\rawvfile.dll
----a-w 9,488 1997-09-18 11:12:32 C:\WINDOWS\system32\ActiveScan\sporder.dll
----a-w 69,632 2006-02-28 22:23:40 C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
----a-w 32,768 2007-10-14 02:11:15 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-14 02:11:15 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
--sha-w 32,768 2007-10-14 02:11:15 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
----a-w 24,681 2003-11-19 21:36:26 C:\WINDOWS\system32\java.exe
----a-w 28,779 2003-11-19 21:36:30 C:\WINDOWS\system32\javaw.exe
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
----a-w 32,768 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 131,072 2007-10-07 22:03:33 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 04:04]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 08:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-09 21:33]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 11:33:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Program Files\Common Files\AOL\1146148073\ee\AOLSoftware.exe
"mmtask"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
"MMTray"=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"<NO NAME>"=
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SiteAdvisor"=C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

S3 FINEPIX_PCC;FinePix Digital Camera 020717;C:\WINDOWS\system32\Drivers\V4CB011D.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 23:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-09-11 13:00:06 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\Program Files\McAfee\MQC\QcConsol.exe
"2007-08-01 06:00:14 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2007-10-12 04:24:48 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-13 21:27:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-13 21:29:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-13 21:29
C:\ComboFix2.txt ... 2007-10-11 00:29
C:\ComboFix3.txt ... 2007-10-09 15:48
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:52 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Lorrie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/?lips=c0a80503&hwid=7944f83d7043220f
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8729 bytes

Hello kevponce,

Your logs are looking good, how is your computer running?

Dear Rip Chain

You know your stuff. Computer is quite happy again.

Except auto updates is still dimmed.

Still There? Haven't heard from you. Hope you are well. Any advice on auto updates? I've tried checking as much as I could guess.

Hello kevponce,

I'm sorry for the delay in replying to you, my personal life has taken a turn for the busier side lately, let's try this option real quick:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Try messing with the settings here, it could be a protection program was interferring with your abillity to mess with those settings in normal mode.

Then just reboot your computer into normal mode and let me know if that helped any.

Dear RIP Chain

Ran the HiJack This fix. Then rebboted into safe modde, but I gotta admit I have no idea what to mess with. Anyway. The laptop is running nice and I suupose I can always trigger the auto updates myself.

Thanks for all of your hjelp and if there is anything further you think of that resolves issue let me know.

Kev

Hello kevponce,

I apologize, I should have been more specific on what you should do once in safe mode. Let's try the following:

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account, not the one that says "administrator".

When your computer has finished loading into safe mode, please click on your start button and then select "Control Panel" then select the "Performance and Maintenance" option, then at the bottom click on the "System" icon. Then a "System properties" tab should come up, click on the "Automatic Updates" tab and make sure the "Automatic (recommended)" option is marked, then click "Ok."

Then reboot into normal mode and let me know if that worked for you :)