Seem to be tagged



BrianB
2008-10-07, 06:31
Better half's machine is trying to install a prog on boot. Did manual reg cleaning as best I could. Spybot shows nothing, yet several suspect processes are running (startup location unknown at this time). HJ logs below.
Not to kiss butt beforehand, but I have been doing the computer thing since '93 now; either (A) I am out of practice or (B) these bugs are changing faster than ..... I'll leave it there, kids are present. I have been through the forums many, many times and fixed several problems just by reading through; this one keeps popping up, so I am at a loss.

Last bit of info: Malwarebytes initially tagged a couple of bugs; will post those when I look back at the logs. Combofix downloaded tonight, so ummm, ready.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:37 PM, on 10/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\AOL\1198997495\ee\AOLSoftware.exe
C:\WINNT\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
L:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\msiexec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mckeithinteractive.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "G:\Program Files\AdobeCS2\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1198997495\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] l:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Reminder.lnk = G:\Program Files\PrintMaster\PMremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Spyder3Utility.lnk = H:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - l:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - l:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199239092125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182963698156
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.39/ttinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup163.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A47F45-4884-4E53-B140-0935E3C32427}: NameServer = 64.85.239.20,64.85.239.21
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - G:\Program Files\AdobeCS2\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINNT\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
--
End of file - 12525 bytes

Hope the HTML takes the wrap off for this. I swear it's not on.

pskelley
2008-10-08, 15:31
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am not seeing anything in the HJT log. Not unusual; hackers have learned to hide from it. I will help poke around to see what we can find, if you wish.

several suspect processes running (startup location unknown at this time).
Exactly what are these "suspect" processes?

Last bit of info, have Malware bytes initially tagged a couple bugs will post those when I look back at logs,
Did you see this:
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

I would like to see that MBAM log, if you don't have it, follow these directions:
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

I would also like to look at an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

You should know this also:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Thanks

BrianB
2008-10-09, 00:22
The suspect processes I traced back to valid programs on her machine, so I won't bother mentioning those. I'm a bit pissed that after the initial post and my initial looking around she decided to run combofix (had it waiting in case I needed to run it). Will post those logs as well, since it's already been done (sigh).

Malware log (today)
Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 3

10/8/2008 2:04:18 PM
mbam-log-2008-10-08 (14-04-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 118027
Time elapsed: 28 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



---- Malware log from 10/06------ c:\ only

Malwarebytes' Anti-Malware 1.28
Database version: 1238
Windows 5.1.2600 Service Pack 3

10/6/2008 9:11:40 PM
mbam-log-2008-10-06 (22-32-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 119325
Time elapsed: 31 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Combofix log:
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Cookies\administrator@aggregateknowledge[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@my.clearchannelradio[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@neopets[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@shop.naturalwellnessonline[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@vistaprint[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@web.nautilusinc[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@wss.worldmarket[1].txt
C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\system32\bszip.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-03 08:52 . 2008-10-03 08:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nova Development
2008-10-02 11:28 . 2008-10-02 11:28 <DIR> d-------- C:\Program Files\Common Files\Nova Development
2008-09-27 10:29 . 2008-09-27 10:29 <DIR> d-------- C:\Program Files\Apex Fitness
2008-09-27 10:29 . 2008-09-12 17:34 202,048 --a------ C:\WINNT\system32\ftd2xx.dll
2008-09-27 10:29 . 2008-09-12 17:34 111,936 --a------ C:\WINNT\system32\ftbusui.dll
2008-09-19 09:26 . 2008-09-19 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileMaker
2008-09-18 18:24 . 2008-09-19 09:29 <DIR> d-------- C:\Get Physical! 6.5 Demo
2008-09-18 18:24 . 2008-09-18 18:23 682,288 --a------ C:\WINNT\unins001.exe
2008-09-18 18:24 . 2008-09-18 18:24 6,331 --a------ C:\WINNT\unins001.dat
2008-09-13 23:22 . 2008-09-13 23:22 <DIR> d-------- C:\Program Files\iPod
2008-09-13 23:22 . 2008-09-13 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 23:20 . 2008-09-13 23:21 <DIR> d-------- C:\Program Files\QuickTime
2008-09-12 18:16 . 2008-09-12 18:16 <DIR> d-------- C:\Program Files\Plan3D
2008-09-12 17:34 . 2008-09-12 17:34 2,671,296 --a------ C:\WINNT\bmusbapex4.dll
2008-09-12 17:34 . 2008-09-12 17:34 160,448 --a------ C:\WINNT\bmupgradeapex24.dll
2008-09-12 17:34 . 2008-09-12 17:34 156,352 --a------ C:\WINNT\bmupgradeapex25.dll
2008-09-12 17:34 . 2008-09-12 17:34 147,456 --a------ C:\WINNT\bmapex.dll
2008-09-12 17:34 . 2008-09-12 17:34 135,168 --a------ C:\WINNT\bmupgradeapex.dll
2008-09-12 17:34 . 2008-09-12 17:34 127,680 --a------ C:\WINNT\bmserialapex25.dll
2008-09-12 17:34 . 2008-09-12 17:34 123,584 --a------ C:\WINNT\bmserialapex24.dll
2008-09-12 17:34 . 2008-09-12 17:34 94,912 --a------ C:\WINNT\bmfirmwareapex4.dll
2008-09-12 17:34 . 2008-09-12 17:34 78,528 --a------ C:\WINNT\bmcommapex4.dll
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINNT\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINNT\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 16:54 --------- d-----w C:\Program Files\iTunes
2008-09-14 06:20 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-13 00:34 71,488 ----a-w C:\WINNT\system32\drivers\ftser2k.sys
2008-09-13 00:34 53,184 ----a-w C:\WINNT\system32\drivers\ftdibus.sys
2008-09-11 16:33 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 07:04 38,528 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-10 07:03 17,200 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-09-08 07:52 --------- d-----w C:\Program Files\Java
2008-09-08 07:52 --------- d-----w C:\Program Files\Google
2008-09-05 21:36 57,344 ----a-w C:\WINNT\bmversionapex.dll
2008-08-28 17:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-27 18:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-27 17:23 --------- d-----w C:\Program Files\Apple Software Update
2008-08-27 17:06 --------- d-----w C:\Program Files\Safari
2008-08-27 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 04:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-09 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2002-01-02 09:22 271 --sh--w C:\Program Files\desktop.ini
2002-01-02 09:22 21,952 ---ha-w C:\Program Files\folder.htt
2006-08-06 19:50 88 --sha-r C:\WINNT\system32\303800FA44.sys
2006-08-06 19:50 4,598 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"SpybotSD TeaTimer"="l:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.EXE" [2007-01-23 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2008-04-13 143360]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Version Cue CS2"="G:\Program Files\AdobeCS2\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2006-08-11 7630848]
"HostManager"="C:\Program Files\Common Files\AOL\1198997495\ee\AOLSoftware.exe" [2006-09-25 50736]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [2006-08-11 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"nwiz"="nwiz.exe" [2006-08-11 C:\WINNT\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 C:\WINNT\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Conference\\Conference.dll"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"E:\\ProgramFiles\\Stronghold Legends\\StrongholdLegends.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 Spyder3;Datacolor Spyder3;C:\WINNT\system32\DRIVERS\Spyder3.sys [2007-11-06 12288]
S3 lslip;lslip;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lslip.sys [ ]
S3 NAL;Nal Service ;C:\WINNT\system32\Drivers\iqvw32.sys [2005-06-14 20480]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;C:\WINNT\system32\DRIVERS\yk50x86.sys [2005-05-06 231936]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yie88v1h.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 21:50:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll

PROCESS: C:\WINNT\explorer.exe
-> C:\WINNT\system32\nview.dll
-> ?:\WINNT\system32\ATL.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
H:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\aol\1198997495\ee\anotify.exe
C:\Program Files\AOL 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-10-05 21:55:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 04:55:50

Pre-Run: 749,346,816 bytes free
Post-Run: 695,361,536 bytes free


Combofix quarantine log:
2000-10-28 00:23:18 50,688 C:\Qoobox\Quarantine\C\WINNT\system32\BSZIP.DLL.vir
2002-01-02 09:22:45 5,296 C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir
2007-08-09 20:02:08 347 C:\Qoobox\Quarantine\C\WINNT\Downloaded Program Files\setup.inf.vir
2008-01-19 20:37:30 2,067 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@web.nautilusinc[1].txt.vir
2008-02-04 17:59:42 2,084 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@neopets[2].txt.vir
2008-04-07 06:33:49 2,180 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@my.clearchannelradio[1].txt.vir
2008-07-21 21:21:55 2,587 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@aggregateknowledge[2].txt.vir
2008-08-01 15:04:13 2,801 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@wss.worldmarket[1].txt.vir
2008-10-01 02:26:30 2,051 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@vistaprint[2].txt.vir
2008-10-01 03:58:31 2,087 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@shop.naturalwellnessonline[2].txt.vir
2008-10-03 23:01:20 2,079 C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Cookies\administrator@myspace[2].txt.vir
2008-10-06 04:46:36 8,691 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-06 04:46:41 1,598 C:\Qoobox\Quarantine\Registry_backups\Service_IAS.reg.dat
2008-10-06 04:46:51 54 C:\Qoobox\Quarantine\catchme.log
2008-10-06 04:55:26 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-10-06 04:55:26 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-10-06 04:55:26 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.

Not sure if anything stands out; it appears it caught something. Will add a huge thanks to all of you. I did desktop/server work for a good 10 years, then server network for another 10 (bringing us to now), and there is no freaking way I can keep on top of these things without you all. Virtumonde (my first experience) kicked my ass for 2 days before I started doing the research (which led me here); 20 mins later (which included 2 cigarettes and a cup of coffee) it was cleared. I guess what I mean is "You F'in rock!"

Brian

pskelley
2008-10-09, 01:08
Here is some information to give her so she can control those junk cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

Since combofix is on the computer:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

BrianB
2008-10-09, 23:45
ComboFix 08-10-08.05 - Administrator 2008-10-09 12:38:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1487 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.

2008-10-06 20:55 . 2008-10-06 20:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 11:28 . 2008-10-02 11:28 <DIR> d-------- C:\Program Files\Common Files\Nova Development
2008-09-27 10:29 . 2008-09-27 10:29 <DIR> d-------- C:\Program Files\Apex Fitness
2008-09-27 10:29 . 2008-09-12 17:34 202,048 --a------ C:\WINNT\system32\ftd2xx.dll
2008-09-27 10:29 . 2008-09-12 17:34 111,936 --a------ C:\WINNT\system32\ftbusui.dll
2008-09-19 09:26 . 2008-09-19 09:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FileMaker
2008-09-18 18:24 . 2008-09-19 09:29 <DIR> d-------- C:\Get Physical! 6.5 Demo
2008-09-18 18:24 . 2008-09-18 18:23 682,288 --a------ C:\WINNT\unins001.exe
2008-09-18 18:24 . 2008-09-18 18:24 6,331 --a------ C:\WINNT\unins001.dat
2008-09-13 23:22 . 2008-09-13 23:22 <DIR> d-------- C:\Program Files\iPod
2008-09-13 23:22 . 2008-09-13 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 23:20 . 2008-09-13 23:21 <DIR> d-------- C:\Program Files\QuickTime
2008-09-12 18:16 . 2008-09-12 18:16 <DIR> d-------- C:\Program Files\Plan3D
2008-09-12 17:34 . 2008-09-12 17:34 2,671,296 --a------ C:\WINNT\bmusbapex4.dll
2008-09-12 17:34 . 2008-09-12 17:34 160,448 --a------ C:\WINNT\bmupgradeapex24.dll
2008-09-12 17:34 . 2008-09-12 17:34 156,352 --a------ C:\WINNT\bmupgradeapex25.dll
2008-09-12 17:34 . 2008-09-12 17:34 147,456 --a------ C:\WINNT\bmapex.dll
2008-09-12 17:34 . 2008-09-12 17:34 135,168 --a------ C:\WINNT\bmupgradeapex.dll
2008-09-12 17:34 . 2008-09-12 17:34 127,680 --a------ C:\WINNT\bmserialapex25.dll
2008-09-12 17:34 . 2008-09-12 17:34 123,584 --a------ C:\WINNT\bmserialapex24.dll
2008-09-12 17:34 . 2008-09-12 17:34 94,912 --a------ C:\WINNT\bmfirmwareapex4.dll
2008-09-12 17:34 . 2008-09-12 17:34 78,528 --a------ C:\WINNT\bmcommapex4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 16:54 --------- d-----w C:\Program Files\iTunes
2008-09-14 06:20 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-13 00:34 71,488 ----a-w C:\WINNT\system32\drivers\ftser2k.sys
2008-09-13 00:34 53,184 ----a-w C:\WINNT\system32\drivers\ftdibus.sys
2008-09-13 00:34 47,432 ----a-w C:\WINNT\system32\ftserui2.dll
2008-09-13 00:34 107,840 ----a-w C:\WINNT\system32\FTLang.dll
2008-09-11 16:33 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 07:04 38,528 ----a-w C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-10 07:03 17,200 ----a-w C:\WINNT\system32\drivers\mbam.sys
2008-09-08 07:52 --------- d-----w C:\Program Files\Java
2008-09-08 07:52 --------- d-----w C:\Program Files\Google
2008-09-05 21:36 57,344 ----a-w C:\WINNT\bmversionapex.dll
2008-08-28 17:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-08-27 18:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-27 17:23 --------- d-----w C:\Program Files\Apple Software Update
2008-08-27 17:06 --------- d-----w C:\Program Files\Safari
2008-08-27 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 04:37 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-08-09 22:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 05:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINNT\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINNT\system32\muweb.dll
2002-01-02 09:22 271 --sh--w C:\Program Files\desktop.ini
2002-01-02 09:22 21,952 ---ha-w C:\Program Files\folder.htt
2006-08-06 19:50 88 --sha-r C:\WINNT\system32\303800FA44.sys
2006-08-06 19:50 4,598 --sha-w C:\WINNT\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-05_21.55.26.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:11:51 792,064 -c--a-w C:\WINNT\system32\dllcache\comres.dll
+ 2008-04-14 00:11:59 4,608 -c--a-w C:\WINNT\system32\dllcache\msimg32.dll
+ 2008-04-14 00:12:05 56,320 -c--a-w C:\WINNT\system32\dllcache\secur32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"SpybotSD TeaTimer"="l:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2008-04-13 143360]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Version Cue CS2"="G:\Program Files\AdobeCS2\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="G:\Program Files\AdobeCS2\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2006-08-11 7630848]
"HostManager"="C:\Program Files\Common Files\AOL\1198997495\ee\AOLSoftware.exe" [2006-09-25 50736]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [2006-08-11 86016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"nwiz"="nwiz.exe" [2006-08-11 C:\WINNT\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-25 C:\WINNT\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-13 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2006-02-28 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Conference\\Conference.dll"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"E:\\ProgramFiles\\Stronghold Legends\\StrongholdLegends.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 Spyder3;Datacolor Spyder3;C:\WINNT\system32\DRIVERS\Spyder3.sys [2007-11-06 12288]
S3 lslip;lslip;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lslip.sys [ ]
S3 NAL;Nal Service ;C:\WINNT\system32\Drivers\iqvw32.sys [2005-06-14 20480]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;C:\WINNT\system32\DRIVERS\yk50x86.sys [2005-05-06 231936]
.
Contents of the 'Scheduled Tasks' folder

2008-09-25 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-02-01 C:\WINNT\Tasks\WebReg Photosmart C7100 series.job
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe [2006-06-07 17:45]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yie88v1h.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 12:40:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\NavLogon.dll

PROCESS: C:\WINNT\explorer.exe
-> C:\WINNT\system32\nview.dll
.
Completion time: 2008-10-09 12:42:13
ComboFix-quarantined-files.txt 2008-10-09 19:41:35
ComboFix2.txt 2008-10-06 04:55:56

Pre-Run: 786,419,712 bytes free
Post-Run: 763,994,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

183 --- E O F --- 2008-09-16 20:19:22

BrianB
2008-10-09, 23:50
most recent quarantine

2008-10-09 19:40:27 8,518 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-10-09 19:40:42 108 C:\Qoobox\Quarantine\catchme.log

pskelley
2008-10-09, 23:56
Thanks but I would appreciate it if you would take the time to read and follow the directions carefully.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

Moving on, Recovery Console was installed correctly; here is a little information for you.
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to make sure we missed none of the junk. I do not need to see the scan results unless they are not clean.

Update Symantec and scan the system to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
http://www.symantec.com/enterprise/support/index.jsp

If all is well at this point, let me know and I will close this topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

BrianB
2008-10-10, 05:17
I was not in front of the machine running it (but point taken). Thanks for the help; close it on out, and again, you all rock.

Brian