Combofix Report



golferman
2008-11-07, 00:45
I'm totally new at this. Please advise what I should do. I've run Spybot and it finds this stuff, removes it BUT then it comes right back.

Here's my ComboFix report, would someone please advise me on my next step?

ComboFix 08-11-05.02 - lwilson 2008-11-06 17:00:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1169 [GMT -6:00]
Running from: c:\documents and settings\lwilson.INTERNAL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\lwilson.INTERNAL\Application Data\gadcom
c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe
c:\documents and settings\lwilson.INTERNAL\Favorites\Videos.url
c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_bg_popup.gif
c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_window_sliver.gif
c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\alexa toolbar
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\system32\bszip.dll
c:\windows\system32\djsfxudb.dll
c:\windows\system32\efcBTlMe.dll
c:\windows\system32\efcBtUom.dll
c:\windows\system32\iifcDvuS.dll
c:\windows\system32\jqrugf.dll
c:\windows\system32\kahkcvyl.dll
c:\windows\system32\kr_done1
c:\windows\system32\lkjloUtv.ini
c:\windows\system32\lkjloUtv.ini2
c:\windows\system32\mcggwt.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\skinboxer43.dll
c:\windows\system32\tfrxupqn.dll
c:\windows\system32\trcack.dll
c:\windows\system32\urqOHWNH.dll
c:\windows\system32\vtUoljkl.dll
c:\windows\Tasks\guwcvfwr.job
c:\windows\Tasks\vwcevndk.job

----- BITS: Possible infected sites -----

hxxp://kakoitodomen.com
.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-06 09:23 . 2008-11-06 09:23 20,992 --ahs---- c:\windows\system32\c007E93E.mat
2008-11-05 10:47 . 2008-11-05 10:47 20,992 --ahs---- c:\windows\system32\c00D94B4.mat
2008-11-04 17:35 . 2008-11-04 17:35 20,992 --ahs---- c:\windows\system32\c00FD544.mat
2008-11-04 16:40 . 2008-11-04 16:40 60,928 --ahs---- c:\windows\system32\efcBqNGy.dll
2008-11-04 16:08 . 2008-11-06 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 16:08 . 2008-11-04 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-04 15:21 . 2008-11-04 15:22 <DIR> d-------- c:\program files\NoAdware
2008-11-03 10:21 . 2008-11-03 10:21 20,992 --ahs---- c:\windows\system32\c00F9D63.mat
2008-11-02 23:11 . 2008-11-02 23:11 20,992 --ahs---- c:\windows\system32\c0015819.mat
2008-11-02 23:00 . 2008-11-02 23:00 20,992 --ahs---- c:\windows\system32\c008195E.mat
2008-11-02 11:25 . 2008-11-02 11:25 20,992 --ahs---- c:\windows\system32\c00E8919.mat
2008-11-01 09:45 . 2008-11-01 09:45 20,992 --ahs---- c:\windows\system32\c00F682D.mat
2008-10-31 17:49 . 2008-10-31 17:49 20,992 --ahs---- c:\windows\system32\c002FAE.mat
2008-10-31 17:46 . 2008-11-01 13:59 <DIR> d-------- c:\windows\system32\QI19
2008-10-31 17:46 . 2008-10-31 17:46 <DIR> d-------- c:\temp\NT32
2008-10-31 17:46 . 2008-10-31 17:46 60,928 --ahs---- c:\windows\system32\jkkHXPHy.dll
2008-10-31 17:46 . 2008-10-31 17:46 34,816 --a------ c:\windows\system32\prun.exe
2008-10-27 07:10 . 2008-10-27 07:10 <DIR> d-------- c:\program files\DVDx
2008-10-26 17:18 . 2008-11-04 21:50 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-26 17:18 . 2008-10-26 17:18 1,409 --a------ c:\windows\QTFont.for
2008-10-25 10:09 . 2008-11-03 10:32 <DIR> d-------- C:\Temp
2008-10-25 10:09 . 2008-10-25 10:09 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Sierra Wireless
2008-10-25 10:08 . 2004-07-21 10:40 17,920 --a------ c:\windows\system32\apintfnt.dll
2008-10-25 10:06 . 2008-10-25 10:06 <DIR> d-------- c:\windows\SierraWireless3.5.4.1
2008-10-24 12:46 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 15:25 . 2008-10-16 15:25 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\HP
2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-10-16 15:25 . 2007-10-25 09:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-10-16 15:24 . 2008-10-16 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-16 15:24 . 2007-10-25 09:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
2008-10-16 15:24 . 2007-10-25 09:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
2008-10-16 15:24 . 2007-10-25 09:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-10-16 15:24 . 2007-10-25 09:38 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-10-16 15:24 . 2007-10-25 09:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
2008-10-16 15:24 . 2007-10-25 09:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
2008-10-16 15:24 . 2007-10-29 16:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
2008-10-16 15:24 . 2007-10-25 09:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\program files\Common Files\HP
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-15 09:03 . 2008-10-15 09:03 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\windows\zhenghe2
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\program files\HP
2008-10-15 08:53 . 2008-10-16 15:27 144,681 --a------ c:\windows\hpwins16.dat
2008-10-15 08:36 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:36 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 17:08 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-25 16:08 --------- d-----w c:\program files\Sierra Wireless
2008-10-21 19:10 --------- d-----w c:\program files\Celtx
2008-10-20 00:10 --------- d-----w c:\program files\Norton Security Scan
2008-10-20 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-16 06:13 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Skype
2008-09-23 20:05 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Greyfirst
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-07 18:02 36,640 ----a-w c:\documents and settings\lwilson.INTERNAL\Application Data\GDIPFONTCACHEV1.DAT
2007-08-15 22:08 56,912 ----a-w c:\documents and settings\lwilson.INTERNAL\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]
"Google Update"="c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-08 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-14 24576]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-01 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"Intellimenus"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mcggwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=PushPrinterConnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1120\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1145\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1251\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 swmsflt;swmsflt;c:\windows\system32\drivers\swmsflt.sys [2007-08-10 24456]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2001-01-07 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2008-11-06 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 16:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C951EC90-1AAB-4368-B54F-B4EB9D8D8AD4} - c:\windows\system32\vtUoljkl.dll
BHO-{ef55576c-d264-4939-ad2f-19cf10724df6} - c:\windows\system32\mcggwt.dll
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe
Notify-sys32 - sys32.dll
MSConfigStartUp-admincfg - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\lwilson.INTERNAL\Application Data\Mozilla\Firefox\Profiles\wqxc4s75.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.linkpopularity.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 17:20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe????????????????????????????????????????

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\c002FAE.mat
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-11-06 17:28:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 23:27:25

Pre-Run: 54,862,344,192 bytes free
Post-Run: 56,031,035,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

253 --- E O F --- 2008-10-25 06:19:00

_____________________________
Edit.

Links were given to "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
http://forums.spybot.info/showthread.php?t=36064
http://forums.spybot.info/showthread.php?t=36057


From the sticky topic:
ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
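The "Reg Loading Points" section of the ComboFix log above is where a helper looks first: an AppInit_DLLs entry (mcggwt.dll), a Winlogon Notify package with a .mat extension (c002FAE.mat, also shown loaded inside winlogon.exe), Security Center monitoring for the Trend Micro products switched off, the Windows Firewall disabled, and TCP 3389 opened. The script below is an added example, not part of this thread or of ComboFix; it parses a short sample constructed from the lines of that log in the same REGEDIT4 layout and flags those entries. The RISKY_PORTS table, the severity labels and the key-name matching are the example's own assumptions.

```python
import re

# Constructed sample in the REGEDIT4 layout ComboFix uses for its
# "Reg Loading Points" section, cut down from the log posted above.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mcggwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# ComboFix prints a Winlogon Notify package as "<date> <time> <size> <path>".
NOTIFY_FILE_RE = re.compile(r"^\S+ \S+ \d+ (?P<path>.+)$")

# Assumed table of inbound ports a helper would want called out.
RISKY_PORTS = {"3389": "Remote Desktop", "23": "telnet", "445": "SMB"}


def parse_reg_points(text):
    """Return {key_path: [(value_name, data), ...]}.

    Lines inside a key that are not "name"=data (the Winlogon Notify file
    line) are kept under the empty value name so they can still be checked."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            sections[current].append((v.group("name"), v.group("data").strip()))
        else:
            sections[current].append(("", line))
    return sections


def triage(sections):
    """Flag loading points that malware of this era commonly abused.
    Returns a list of (severity, key_path, reason) tuples."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\windows nt\\currentversion\\windows"):
            for name, data in values:
                if name.lower() == "appinit_dlls" and data:
                    findings.append(("high", key,
                        f"AppInit_DLLs loads {data} into every process that links user32.dll"))
        elif "\\winlogon\\notify\\" in k:
            for _, data in values:
                m = NOTIFY_FILE_RE.match(data)
                path = m.group("path") if m else data
                if not path.lower().endswith(".dll"):
                    findings.append(("high", key,
                        f"Winlogon Notify package is not a .dll: {path}"))
        elif "\\security center\\monitoring\\" in k:
            for name, data in values:
                if name.lower() == "disablemonitoring" and data.endswith("00000001"):
                    findings.append(("medium", key,
                        "Security Center alerts for this product are suppressed"))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            for name, data in values:
                if name.lower() == "enablefirewall" and data.startswith("0"):
                    findings.append(("medium", key,
                        "Windows Firewall is disabled in the standard profile"))
        elif k.endswith("\\globallyopenports\\list"):
            for name, _ in values:
                port = name.split(":")[0]
                if port in RISKY_PORTS:
                    findings.append(("medium", key,
                        f"inbound {name} is allowed ({RISKY_PORTS[port]})"))
    return findings


if __name__ == "__main__":
    for severity, key, reason in triage(parse_reg_points(SAMPLE_REG)):
        print(f"[{severity}] {key}\n    {reason}")
```

Run against the sample it reports five findings: the two code-loading entries as high and the three defence-disabling settings as medium, while the HKCU Run entry for ctfmon.exe passes untouched. The parser keeps the raw value text rather than decoding REG_DWORD or REG_SZ, because ComboFix prints a mixture of both forms ("dword:00000001", "0 (0x0)") and the checks only need to recognise them.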

golferman
2008-11-07, 21:06
And when I used ComboFix it messed up the time on my computer and I can't get it to stop using military time. Like earlier it was showing it was 13:06.

Please help. I need to get this junk off my computer so I can work as fast as normal.

golferman
2008-11-08, 04:15
Ok, I read that. I just want/need help and was trying to do what assisters had told others to do in a similar situation.

Would someone please help me out at this point? As I said, I'm running Spybot and it finds stuff and "fixes" it but then it's right back within a little bit.

Please help.

Thanks.

pskelley
2008-11-09, 16:42
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

If you have read the directions, then you understand these now:

Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.

If you want me to pick up in this mess already made, read and follow the directions and post the required HijackThis log described clearly in those directions. Take a moment to describe any malware symptoms and post any error messages word for word.

Thanks

golferman
2008-11-09, 19:24
Ok, I'm doing my best and appreciate the help. Symptoms include websites popping up, computer slow down, longer load time on upstart. When I run Spybot it says that it fixes the problems but they come right back, it finds them again and fixes them again. Here's the HijackThis thread. Again, if I do something wrong, it is unintentional. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21, on 2008-11-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gracecentered.com/christian_forums
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB004" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.moove.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159806604051
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.net/xp/ScanFile.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O20 - AppInit_DLLs: mcggwt.dll
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12085 bytes
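pskelley's reply further down singles out the four O17 lines from this HijackThis log, because a DNS domain like internal.familydynamics.net usually means a managed corporate machine. As an added example, not part of this thread or of HijackThis, the script below parses HijackThis R/O lines from a sample constructed out of the log above and reports the O17 domain together with the other line types a helper reviews first: O15 Trusted Zone sites, O16 ActiveX downloads from hosts outside an allowlist, O20 AppInit_DLLs and Winlogon Notify entries, and O23 services with an unknown owner or a missing file. The TRUSTED_DPF_HOSTS allowlist and the severity labels are assumptions of the example; "review" means a human should look, not that the entry is known to be malicious.

```python
import re

# Constructed sample of HijackThis lines, trimmed from the log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gracecentered.com/christian_forums
O15 - Trusted Zone: *.moove.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.net/xp/ScanFile.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159806604051
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O20 - AppInit_DLLs: mcggwt.dll
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

HJT_LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
HOST_RE = re.compile(r"^https?://([^/?#]+)", re.IGNORECASE)

# Assumed allowlist: O16 ActiveX downloads from these domains are not reported.
TRUSTED_DPF_HOSTS = ("microsoft.com", "dell.com", "live.com")


def parse_hjt(text):
    """Return [(kind, body), ...] for every R/O line in a HijackThis log."""
    items = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            items.append((m.group("kind"), m.group("body")))
    return items


def host_of(url):
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def is_trusted_host(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage_hjt(items):
    """Return (severity, kind, reason) tuples for the line types reviewed first."""
    findings = []
    for kind, body in items:
        if kind == "O15":
            site = body.split(":", 1)[1].strip()
            findings.append(("review", kind,
                f"{site} is in the IE Trusted Zone and runs with relaxed security settings"))
        elif kind == "O16":
            # The download URL is the last " - " separated field of the line.
            host = host_of(body.rsplit(" - ", 1)[-1])
            if not is_trusted_host(host):
                findings.append(("review", kind, f"ActiveX control downloaded from {host}"))
        elif kind == "O17":
            domain = body.split("=", 1)[1].strip()
            findings.append(("info", kind,
                f"machine carries the DNS domain {domain}; confirm it is not a managed corporate host"))
        elif kind == "O20":
            # AppInit_DLLs and Winlogon Notify packages load code into many or all processes.
            findings.append(("high", kind, body))
        elif kind == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append(("review", kind, body))
    return findings


if __name__ == "__main__":
    for severity, kind, reason in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{severity}] {kind}: {reason}")
```

On the sample this yields seven findings: the two O20 entries as high, the O17 domain as info, and the two Trusted Zone sites, the non-allowlisted ActiveX download and the Logitech service with a missing file as review. The Microsoft Update control and the Dell service produce nothing, which is the point of keeping an allowlist and an owner check rather than listing every O16 and O23 line.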

golferman
2008-11-09, 20:06
An additional problem is that my computer's clock now shows military time and I can't get it to go back to normal time.

pskelley
2008-11-09, 20:16
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net

This is not a company or corporate computer?
http://forums.spybot.info/showthread.php?t=288

Note:
When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

--------------------------------------------
Malware removal forum volunteers are unable to assist users with infected Corporate, Government or Institutional machines. Please contact our office support so they may provide direct assistance for your needs. Thank you.

Spybot S&D Corporate-Small Business Editions
For more information, please send an email to licenses(at)spybot.info

Regards.
Thanks

golferman
2008-11-11, 17:34
It used to be, but I own it now. It was part of a severance package.

pskelley
2008-11-11, 18:04
Thanks for providing that feedback, and it appears you are still infected.
I want to run combofix again, but we need to run the most recent version. Please delete any version of combofix you have on the computer and follow the directions carefully and exactly. Please be aware, if combofix adjusts the time, it will be returned to your settings when we remove the tool as we finish with it. If it does not, this information will fix the issue.

http://www.ehow.com/how_4483170_time-regular-time-windows-xp.html


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

golferman
2008-11-11, 21:37
Combofix says:

ComboFix 08-11-10.01 - lwilson 2008-11-11 14:25:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1411 [GMT -6:00]
Running from: c:\documents and settings\lwilson.INTERNAL\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-06 09:23 . 2008-11-06 09:23 20,992 --ahs---- c:\windows\system32\c007E93E.mat
2008-11-05 10:47 . 2008-11-05 10:47 20,992 --ahs---- c:\windows\system32\c00D94B4.mat
2008-11-04 17:35 . 2008-11-04 17:35 20,992 --ahs---- c:\windows\system32\c00FD544.mat
2008-11-04 16:40 . 2008-11-04 16:40 60,928 --ahs---- c:\windows\system32\efcBqNGy.dll
2008-11-04 16:08 . 2008-11-06 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 16:08 . 2008-11-04 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-04 15:21 . 2008-11-04 15:22 <DIR> d-------- c:\program files\NoAdware
2008-11-03 10:21 . 2008-11-03 10:21 20,992 --ahs---- c:\windows\system32\c00F9D63.mat
2008-11-02 23:11 . 2008-11-02 23:11 20,992 --ahs---- c:\windows\system32\c0015819.mat
2008-11-02 23:00 . 2008-11-02 23:00 20,992 --ahs---- c:\windows\system32\c008195E.mat
2008-11-02 11:25 . 2008-11-02 11:25 20,992 --ahs---- c:\windows\system32\c00E8919.mat
2008-11-01 09:45 . 2008-11-01 09:45 20,992 --ahs---- c:\windows\system32\c00F682D.mat
2008-10-31 17:49 . 2008-10-31 17:49 20,992 --ahs---- c:\windows\system32\c002FAE.mat
2008-10-31 17:46 . 2008-11-01 13:59 <DIR> d-------- c:\windows\system32\QI19
2008-10-31 17:46 . 2008-10-31 17:46 <DIR> d-------- c:\temp\NT32
2008-10-31 17:46 . 2008-10-31 17:46 60,928 --ahs---- c:\windows\system32\jkkHXPHy.dll
2008-10-31 17:46 . 2008-10-31 17:46 34,816 --a------ c:\windows\system32\prun.exe
2008-10-27 07:10 . 2008-10-27 07:10 <DIR> d-------- c:\program files\DVDx
2008-10-26 17:18 . 2008-11-10 13:57 54,156 --ah----- c:\windows\QTFont.qfn
2008-10-26 17:18 . 2008-10-26 17:18 1,409 --a------ c:\windows\QTFont.for
2008-10-25 10:09 . 2008-11-03 10:32 <DIR> d-------- C:\Temp
2008-10-25 10:09 . 2008-10-25 10:09 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Sierra Wireless
2008-10-25 10:08 . 2004-07-21 10:40 17,920 --a------ c:\windows\system32\apintfnt.dll
2008-10-25 10:06 . 2008-10-25 10:06 <DIR> d-------- c:\windows\SierraWireless3.5.4.1
2008-10-24 12:46 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 15:25 . 2008-10-16 15:25 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\HP
2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-10-16 15:25 . 2007-10-25 09:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-10-16 15:24 . 2008-10-16 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-16 15:24 . 2007-10-25 09:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
2008-10-16 15:24 . 2007-10-25 09:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
2008-10-16 15:24 . 2007-10-25 09:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-10-16 15:24 . 2007-10-25 09:38 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-10-16 15:24 . 2007-10-25 09:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
2008-10-16 15:24 . 2007-10-25 09:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
2008-10-16 15:24 . 2007-10-29 16:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
2008-10-16 15:24 . 2007-10-25 09:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\program files\Common Files\HP
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-15 09:03 . 2008-10-15 09:03 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\windows\zhenghe2
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\program files\HP
2008-10-15 08:53 . 2008-10-16 15:27 144,681 --a------ c:\windows\hpwins16.dat
2008-10-15 08:36 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:36 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 15:50 60,744 ----a-w c:\documents and settings\lwilson.INTERNAL\g2mdlhlpx.exe
2008-11-09 18:19 --------- d-----w c:\program files\Trend Micro
2008-11-09 17:43 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-09 00:43 --------- d-----w c:\program files\Celtx
2008-10-25 16:08 --------- d-----w c:\program files\Sierra Wireless
2008-10-20 00:10 --------- d-----w c:\program files\Norton Security Scan
2008-10-20 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-16 06:13 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Skype
2008-09-23 20:05 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Greyfirst
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-07 18:02 36,640 ----a-w c:\documents and settings\lwilson.INTERNAL\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-11-06_17.26.58.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-15 15:06:53 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-11-06 15:34:32 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-10-15 15:06:53 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-11-06 15:34:32 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-10-15 15:06:53 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-11-06 15:34:32 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-10-15 15:06:53 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-11-06 15:34:33 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-10-15 15:06:53 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-11-06 15:34:33 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-10-15 15:06:53 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-11-06 15:34:33 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-10-15 15:06:53 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-11-06 15:34:33 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-10-15 15:06:53 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-11-06 15:34:32 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-10-15 15:06:53 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-06 15:34:32 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-11-11 16:27:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]
"Google Update"="c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-08 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-14 24576]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-01 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mcggwt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=PushPrinterConnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1120\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1145\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1251\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 swmsflt;swmsflt;c:\windows\system32\drivers\swmsflt.sys [2007-08-10 24456]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2001-01-07 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2008-11-06 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 16:01]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\lwilson.INTERNAL\Application Data\Mozilla\Firefox\Profiles\wqxc4s75.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.linkpopularity.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 14:28:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\c002FAE.mat
.
Completion time: 2008-11-11 14:30:22
ComboFix-quarantined-files.txt 2008-11-11 20:29:39

Pre-Run: 55,619,895,296 bytes free
Post-Run: 55,766,368,256 bytes free

213 --- E O F --- 2008-10-25 06:19:00

golferman
2008-11-11, 21:38
Hjck says:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37, on 2008-11-11
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gracecentered.com/christian_forums
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB004" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.moove.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159806604051
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.net/xp/ScanFile.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O20 - AppInit_DLLs: mcggwt.dll
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11646 bytes

pskelley
2008-11-11, 22:36
I need your help now, according to Google, these...and there are more:
C:\windows\system32\c007E93E.mat
c:\windows\system32\c00D94B4.mat
c:\windows\system32\c00FD544.mat
are these: http://www.fileinfo.net/extension/mat

but I am suspicious of them. There is other malware in the combofix log to be removed, but before we use CFScript, please do this.

1) Make sure you can view all files and folders:

Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Use one or more of these free online scanners to scan several of those and post the results, here are more, do it at random.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

c:\windows\system32\c00F9D63.mat
c:\windows\system32\c0015819.mat
c:\windows\system32\c008195E.mat
c:\windows\system32\c00E8919.mat
c:\windows\system32\c00F682D.mat
c:\windows\system32\c002FAE.mat

This stuff is running from here:
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
and I have not seen these files before let alone running from winlogon. Do you know any reason for it?

3) NoAdware >>> see these links:

http://www.castlecops.com/r117-NoAdware.html
http://www.adwarereport.com/mt/archives/noadware_review.php
any particular reason you are running this junk?

Provide that information and we will be able to proceed.

Thanks

golferman
2008-11-12, 01:36
I need your help now, according to Google, these...and there are more:
C:\windows\system32\c007E93E.mat
c:\windows\system32\c00D94B4.mat
c:\windows\system32\c00FD544.mat
are these: http://www.fileinfo.net/extension/mat

but I am suspicious of them. There is other malware in the combofix log to be removed, but before we use CFScript, please do this.

1) Make sure you can view all files and folders:

Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Use one or more of these free online scanners to scan several of those and post the results, here are more, do it at random.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

c:\windows\system32\c00F9D63.mat
c:\windows\system32\c0015819.mat
c:\windows\system32\c008195E.mat
c:\windows\system32\c00E8919.mat
c:\windows\system32\c00F682D.mat
c:\windows\system32\c002FAE.mat

This stuff is running from here:
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
and I have not seen these files before let alone running from winlogon. Do you know any reason for it?

3) NoAdware >>> see these links:

http://www.castlecops.com/r117-NoAdware.html
http://www.adwarereport.com/mt/archives/noadware_review.php
any particular reason you are running this junk?

Provide that information and we will be able to proceed.

Thanks

1. Done.

2. I just finished the scan of Stopzilla. It found a lot of stuff. I'll post it all below.

Vundo.F - several instances
MalPak.E
Ni.gscns
CatchMe - several instances
Deviant.D
lpv4mons
Punya.B
System Policies
IeReDir
AdXGate
SystemDoctor

3. I don't know why I have junk on here. I don't want it if it's junk.

Now what?

pskelley
2008-11-12, 13:23
1) Please do not quote all of my instructions, it's a waste of space. We can both scroll back to see what I said.

2) Please follow my instructions and do not run any programs I do not request. If you wanted to try to fix these issues with Stopzilla
(which I don't completely trust anyway) there was no reason to post here.

3) In my last instruction #2, I asked you to use free online scanners to find out what those files are if you do not know. You have not done this, as far as I can see. Please follow the instructions I post and provide the information I request, or at least let me know why you cannot do this.

golferman
2008-11-12, 18:01
pskelley,

I appreciate your help and was trying to follow your instructions. When I clicked on one of the links in your 2nd instruction point it opened up Stopzilla. So I thought that's what you were telling me to run.

The viruses or whatever does that sometimes. It opens up a site that is similar in topic to the link I click on and the transition is so smooth that I don't know it's happened.

I clicked on those same links today and different sites opened so for whatever reason the virus didn't react this morning. I tried to scan the files you told me to scan, but they are not on my computer today (though my computer is still acting up and I haven't done anything to remove those files). When I ran Stopzilla it was because I thought you wanted me to do that for information. I didn't run the "fix and repair" part. It would have cost something anyway.

Again, thanks for your help. What do I need to do next?

pskelley
2008-11-12, 18:09
I will take the time to post the instructions again, please take the time to read and do as instructed.

I need your help now, according to Google, these:
C:\windows\system32\c007E93E.mat
c:\windows\system32\c00D94B4.mat
c:\windows\system32\c00FD544.mat
c:\windows\system32\c00F9D63.mat
c:\windows\system32\c0015819.mat
c:\windows\system32\c008195E.mat
c:\windows\system32\c00E8919.mat
c:\windows\system32\c00F682D.mat
c:\windows\system32\c002FAE.mat
are these: http://www.fileinfo.net/extension/mat

but I am suspicious of them. There is other malware in the combofix log to be removed, but before we use CFScript, please do this.

Make sure you can view all files and folders:

Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Use one or more of these free online scanners to scan several of those and post the results, here are more, do it at random.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

This stuff is running from here:
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
and I have not seen these files before let alone running from winlogon. Do you know any reason for it? <<< I need this information
and the results of the online scans for those files, or for you to tell me you know what they are and that they are safe.

golferman
2008-11-12, 18:30
I did the "Click Start > Open My Computer, Select the Tools menu, etc." yesterday.

I did that yesterday when you told me and checked it again today and the settings are still the same. Exactly as you said to have them.

I tried to do the scans on those files, but it's acting like they do not exist on my computer. I went into windows into the system32 folder and those files (example: c007E93E.mat) aren't there. I did a search on my computer and it couldn't find them. I even pasted the file path into the scanner and it said it wasn't there.

I don't know what Winlogon Notify is and don't know why it would be running certain things. I haven't done anything purposefully to cause that.

Thanks.

pskelley
2008-11-12, 19:09
Instructions must be followed exactly as posted and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\c007E93E.mat
c:\windows\system32\c00D94B4.mat
c:\windows\system32\c00FD544.mat
c:\windows\system32\efcBqNGy.dll
c:\windows\system32\c00F9D63.mat
c:\windows\system32\c0015819.mat
c:\windows\system32\c008195E.mat
c:\windows\system32\c00E8919.mat
c:\windows\system32\c00F682D.mat
c:\windows\system32\c002FAE.mat
c:\windows\system32\jkkHXPHy.dll
c:\windows\system32\prun.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
c:\program files\NoAdware

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave this if you set it that way)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O15 - Trusted Zone: *.moove.com
O15 - Trusted Zone: *.stumbleupon.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O20 - AppInit_DLLs: mcggwt.dll <<< may be gone
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log run after all other tools.

How is the computer running now?

6) Post an uninstall list also:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
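
As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python check that applies the helper's reasoning above to HijackThis log text: it flags O20 Winlogon Notify entries that load something other than a stock DLL (the c002FAE.mat case), any populated AppInit_DLLs value, and O23 services whose binary is reported missing. The sample log lines are copied from the logs posted in this thread, and the allowlist of stock XP Winlogon Notify subkeys is my assumption.

```python
"""Flag the HijackThis load points discussed in this thread.

Winlogon Notify DLLs run inside winlogon.exe (as SYSTEM) at every logon, and
AppInit_DLLs are injected into every process that loads user32.dll, so both are
high-value persistence points worth reviewing whenever they are not stock.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: allowlist of the stock Windows XP Winlogon Notify subkeys.
# Anything outside this set is reported for manual review, not auto-removed.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# Random-looking hex names such as c002FAE / c00F9D63 from the ComboFix log.
HEX_LIKE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)

WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id, e.g. "O20"
    item: str     # registry subkey / value name / service name
    path: str     # file or value the load point points at
    reason: str


def strip_annotation(line: str) -> str:
    """Drop forum annotations such as '<<< may be gone' appended to log lines."""
    return line.split("<<<", 1)[0].strip()


def check_winlogon_notify(name: str, path: str) -> Optional[Finding]:
    """Return a Finding if the Winlogon Notify entry does not look stock."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if ext.lower() != ".dll":
        reasons.append(f"non-DLL extension {ext!r}")
    if HEX_LIKE.match(stem):
        reasons.append("hex-looking random filename")
    if name.lower() not in KNOWN_WINLOGON_NOTIFY:
        reasons.append("not a stock XP Winlogon Notify subkey")
    if not reasons:
        return None
    return Finding("O20", name, path, "; ".join(reasons))


def scan_hjt(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the load points worth reviewing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = strip_annotation(raw)
        m = WINLOGON_RE.match(line)
        if m:
            found = check_winlogon_notify(m["name"], m["path"])
            if found:
                findings.append(found)
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("O20", "AppInit_DLLs", m["dlls"],
                                    "AppInit_DLLs is populated; loads into every GUI process"))
            continue
        m = SERVICE_RE.match(line)
        if m and m["path"].lower().endswith("(file missing)"):
            findings.append(Finding("O23", m["name"], m["path"],
                                    "service binary missing; orphaned registration"))
    return findings


# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - AppInit_DLLs: mcggwt.dll <<< may be gone
O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat <<< may be gone
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section} {f.item}: {f.path}\n    -> {f.reason}")
```

Run it against a real HijackThis log by passing the file contents to scan_hjt; it only reports, so the removal decision (as in the CFScript above) stays with the person reviewing the log.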

golferman
2008-11-13, 22:40
Ok, thanks! I'm happy to say that this appears to have it working well again. Here's the HijackThis log and I'll post the ComboFix log in the next post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39, on 2008-11-13
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gracecentered.com/christian_forums
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB004" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/icms/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159806604051
O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.net/xp/ScanFile.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12108 bytes

golferman
2008-11-13, 22:56
Here's the Combofix log:

ComboFix 08-11-12.01 - lwilson 2008-11-13 15:49:08.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1400 [GMT -6:00]
Running from: c:\documents and settings\lwilson.INTERNAL\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-10-13 to 2008-11-13 )))))))))))))))))))))))))))))))
.

2008-11-13 10:49 . 2008-11-13 10:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-13 10:49 . 2008-11-13 10:49 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Malwarebytes
2008-11-13 10:49 . 2008-11-13 10:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-13 10:49 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-13 10:49 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-12 09:43 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:43 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:08 . 2008-11-11 18:08 <DIR> d-------- C:\Downloads
2008-11-11 17:06 . 2008-11-11 18:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-11 17:05 . 2008-11-11 17:05 <DIR> d-------- c:\program files\Common Files\iS3
2008-11-11 17:05 . 2008-11-12 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-04 16:08 . 2008-11-06 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 16:08 . 2008-11-04 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 17:46 . 2008-11-13 11:58 <DIR> d-------- c:\windows\system32\QI19
2008-10-31 17:46 . 2008-10-31 17:46 <DIR> d-------- c:\temp\NT32
2008-10-27 07:10 . 2008-10-27 07:10 <DIR> d-------- c:\program files\DVDx
2008-10-25 10:09 . 2008-11-03 10:32 <DIR> d-------- C:\Temp
2008-10-25 10:09 . 2008-10-25 10:09 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Sierra Wireless
2008-10-25 10:08 . 2004-07-21 10:40 17,920 --a------ c:\windows\system32\apintfnt.dll
2008-10-25 10:06 . 2008-10-25 10:06 <DIR> d-------- c:\windows\SierraWireless3.5.4.1
2008-10-24 12:46 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 15:25 . 2008-10-16 15:25 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\HP
2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-10-16 15:25 . 2007-10-25 09:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-10-16 15:24 . 2008-10-16 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-16 15:24 . 2007-10-25 09:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
2008-10-16 15:24 . 2007-10-25 09:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
2008-10-16 15:24 . 2007-10-25 09:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-10-16 15:24 . 2007-10-25 09:38 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-10-16 15:24 . 2007-10-25 09:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
2008-10-16 15:24 . 2007-10-25 09:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
2008-10-16 15:24 . 2007-10-29 16:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
2008-10-16 15:24 . 2007-10-25 09:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\program files\Common Files\HP
2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-15 09:03 . 2008-10-15 09:03 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\windows\zhenghe2
2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\program files\HP
2008-10-15 08:53 . 2008-10-16 15:27 144,681 --a------ c:\windows\hpwins16.dat
2008-10-15 08:36 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:36 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 20:46 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Skype
2008-11-12 16:54 --------- d-----w c:\program files\Google
2008-11-12 00:38 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-11 23:14 --------- d-----w c:\program files\MSN Messenger
2008-11-10 15:50 60,744 ----a-w c:\documents and settings\lwilson.INTERNAL\g2mdlhlpx.exe
2008-11-09 18:19 --------- d-----w c:\program files\Trend Micro
2008-11-09 00:43 --------- d-----w c:\program files\Celtx
2008-10-25 16:08 --------- d-----w c:\program files\Sierra Wireless
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 00:10 --------- d-----w c:\program files\Norton Security Scan
2008-10-20 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 23:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-23 20:05 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Greyfirst
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-07 18:02 36,640 ----a-w c:\documents and settings\lwilson.INTERNAL\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-11-13_10.28.06.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-13 18:01:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_308.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2008-11-12 10:53 522224 --a------ c:\program files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]
"Google Update"="c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-08 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-14 24576]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-01 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=PushPrinterConnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1120\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1145\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1251\Scripts\Logon\0\0]
"Script"=logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 swmsflt;swmsflt;c:\windows\system32\drivers\swmsflt.sys [2007-08-10 24456]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2001-01-07 15576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2008-11-13 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2008-11-12 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 16:01]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\lwilson.INTERNAL\Application Data\Mozilla\Firefox\Profiles\wqxc4s75.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.linkpopularity.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 15:52:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-13 15:52:54
ComboFix-quarantined-files.txt 2008-11-13 21:52:48
ComboFix2.txt 2008-11-13 16:33:45
ComboFix3.txt 2008-11-13 16:28:25
ComboFix4.txt 2008-11-11 20:30:23

Pre-Run: 55,512,981,504 bytes free
Post-Run: 55,528,517,632 bytes free

195 --- E O F --- 2008-11-12 16:06:25



AND HERE IS MBAM:

Am I in the clear?

golferman
2008-11-13, 22:56
Sorry, here's MBAM:

Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 3

2008-11-13 11:58:57
mbam-log-2008-11-13 (11-58-57).txt

Scan type: Full Scan (C:\|D:\|G:\|S:\|W:\|X:\|Y:\|Z:\|)
Objects scanned: 166080
Time elapsed: 1 hour(s), 7 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e91ef7b-6846-45c3-a8ab-67cf7c900783} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\djsfxudb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jqrugf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kahkcvyl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mcggwt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tfrxupqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\trcack.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUoljkl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000010.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000020.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QI19\QI191065.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

golferman
2008-11-13, 23:00
I'm sorry to make an additional post but there's no edit option to go back.

I just wanted to let you know that for some reason when I click on My Documents I receive this message instead of it opening up:

The network folder, //dc-01.internal....... that contains My Documents is not available. Try again later or contact your system administrator for further assistance.

pskelley
2008-11-13, 23:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39, on 2008-11-13

ComboFix 08-11-12.01 - lwilson 2008-11-13 15:49:08.5 - NTFSx86

The HJT log always needs to be run after the other tools, but in this case it is clean so it is not a big thing. MBAM is finding mostly junk in the combofix quarantine and infected System Restore files. We will address those issues shortly. Before I close I see at least one dangerously out of date program. Please post an uninstall list so I can take a look.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks

golferman
2008-11-14, 00:15
Ok, here's the Uninstall list. When I clicked "save list" it gave me the exact same error I listed above for when I tried to open My Documents. But then it still opened it behind the error.

32 Bit HP CIO Components Installer
ABBYY FineReader 6.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 2.0
Adobe Reader 7.0
Adobe Shockwave Player 11
AnswerWorks 4.0 Runtime - English
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
AVI to MPEG Converter
AVS Video Converter 6
AVS4YOU Software Navigator 1.2
Bluetooth Stack for Windows by Toshiba
Broadcom Management Programs
Business Complete Care Services Agreement
Celtx (1.0)
CoffeeCup Image Mapper
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Coupon Printer for Windows
Dell Media Experience
DellSupport
Digital Content Portal
Digital Line Detect
Disney Pirates of the Caribbean Online
DVDx
EarthLink setup files
EPSON Attach To Email
EPSON Copy Utility
EPSON Copy Utility 3
EPSON Event Manager
EPSON File Manager
EPSON Perf 4490P Guide
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON TWAIN 5
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
FUJIFILM USB Driver
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 460
HP Deskjet 460 Series
HP Imaging Device Functions 8.0
HP Officejet J3600 Series
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
iSofter DVD Ripper Platinum 1.0.2006.912
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Dreamweaver 8
Macromedia Dreamweaver UltraDev 4
Macromedia Extension Manager
Macromedia Flash Player
Magic Swf2Gif 1.35
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Small Business Accounting 2006
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (2.0.0.17)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
My Screen Recorder Pro 2.51
mZConfig
NetWaiting
NetZeroInstallers
Norton Security Scan
ParetoLogic Privacy Controls
PC-Linq
Pdf995
Photo Click
PowerDVD 5.7
Presto! BizCard 4.1 Eng
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickSet
QuickTime
RealPlayer
Rhapsody MP3 Download Manager
Rhapsody Player Engine
SBA
SecondLife (remove only)
SecondLifeBetaHavok (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype 2.5
Smart WAV Converter 2.5
SmartCDRipper
SmartSoft Video Converter
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sprint Mobile Broadband (Sierra)
Spybot - Search & Destroy
Super Mp3 Recorder Professional v6.2
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 12
TurboTax Deluxe 2007
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Defender Signatures
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
Xenu's Link Sleuth

pskelley
2008-11-14, 01:40
I'm sorry, guess I am trying to help too many folks at once. Could you post that error message for me again, word for word, just as Windows gives it to you? I tried a search engine and got no results, so please be sure it is word for word.

Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out-of-date programs to infect folks more and more. Here is a small free tool that lets you know when something needs an update if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/

Java 2 Runtime Environment, SE v1.4.2_03 <<< this one is VERY BADLY out of date, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Some folks have a problem uninstalling these old versions, that being the case, this tool will help.
http://www.majorgeeks.com/JavaRa_d5967.html

Mozilla Firefox (2.0.0.17) <<< If you are going to run Firefox, I suggest you run the newest version.
http://www.mozilla.com/en-US/firefox/

I also suggest the same thing about Internet Explorer:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

Viewpoint Media Player <<< if you don't use this, I would uninstall it.
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

Let's move on and see if we can wrap up.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.

Update the antivirus program and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions. If all is well at this point, let me know and I will close the topic.


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

golferman
2008-11-14, 03:24
This is the message I get when I try to open My Documents:

The network folder, \\dc-01.internal.familydynamics.net/HomeRo...\My Documents, that contains My Documents is not available.

Try again later, or contact your system administrator for further assistance.


I thought I'd tell you that first in case I need to run any of those other things.

pskelley
2008-11-14, 13:12
No information available and it is not complete. I doubt it would make a difference but part of the message is missing here:
The network folder, \\dc-01.internal.familydynamics.net/HomeRo...\My Documents, that contains My Documents is not available. Where the red is.

I suggest you update your Internet Explorer browser and see if that message goes away.

Try this and tell me what happens.

Click on MyComputer > C:\ drive > Documents and Settings > Your user Name > My Documents. I am interested in the pathway that is now
in the Address line of the My Documents windows, like in my case it is:
C:\Documents and Settings\Philip Skelley\My Documents

Thanks

golferman
2008-11-14, 17:37
When I follow the path you give me there is no My Documents folder. I guess therein lies the problem.

pskelley
2008-11-14, 17:56
Check to see if My Documents is elsewhere besides the user name as in my case.

Click on MyComputer > C:\ drive > Documents and Settings >

May be in:

Administrator
All Users
Default User
Any other user name

But you are right, if there is no My Documents folder in your user name I would guess that could cause a problem if you are signed in to that user.
You may find information here:
http://www.google.com/search?hl=en&q=missing+MyDocuments+folder&btnG=Search

golferman
2008-11-14, 18:19
I found it in another location. Would you please let me know how I set it to where I can go to start and click on the My Documents folder there and get to it?

MBAM is still scanning by the way.

pskelley
2008-11-14, 18:27
I really don't know, never ran into this one before. Did you look at that information I provided you with from Google?

You can try creating another My Documents folder in your user name...just go there and right click, then choose New Folder. Once you have the folder, then see what happens if you save a notepad text file to that folder.

golferman
2008-11-14, 19:02
Malwarebytes' Anti-Malware 1.30
Database version: 1395
Windows 5.1.2600 Service Pack 3

2008-11-14 12:00:30 PM
mbam-log-2008-11-14 (12-00-30).txt

Scan type: Full Scan (C:\|D:\|G:\|S:\|W:\|X:\|Y:\|Z:\|)
Objects scanned: 172700
Time elapsed: 1 hour(s), 11 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

golferman
2008-11-14, 19:10
I really don't know, never ran into this one before. Did you look at that information I provided you with from Google?

You can try creating another My Documents folder in your user name...just go there and right click, then choose New Folder. Once you have the folder, then see what happens if you save a notepad text file to that folder.

Yes, thanks.

The report came back clean from MBAM so I guess it's clean. I'm very grateful for your help! You are awesome! I don't know what else to say except, again, thank you.