
winantivirus and drivecleaner help

Discussion in 'Malware and Virus Removal Archive' started by Mike5, 2006/08/29.

  1. 2006/08/29
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    For the past couple of weeks I have been getting annoying pop-ups from drivecleaner, winantivirus, and winantivirus 2006. I have scanned my computer with McAfee VirusScan 2006 and Ad-Aware SE Personal. Neither were able to remove these pop-ups. Also my desktop icons have vanished. The picture is still there but I cannot access the desktop properties by right-clicking and it does not allow me to just drag my icon back to the desktop. When I try to drag the icons I receive an error message that reads "Cannot move....:The source and destination file names are the same." Also there is a small white dot in the top right corner of my desktop. I assume both these problems are connected. I have read other posts about this problem and I have run VundoFix.exe and it did not find anything. Thanks in advance for any help you can provide.

    Here is my hijackthis log (I'm not really sure what this is but I have seen others post it)

    Logfile of HijackThis v1.99.1
    Scan saved at 3:48:16 PM, on 8/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Mike\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\lwinmpez.exe CORN003
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
    O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe "
    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\lwinmpez.exe
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - AppInit_DLLs: inicfg32.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
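As an added illustration (not code from the thread, from HijackThis, or from any tool it mentions), here is a small triage script for logs in the HijackThis format posted above. It flags the hints a helper looks for first: entries whose referenced file is gone, autostart binaries dropped straight into C:\ or C:\WINDOWS, the same binary registered in more than one autostart location, an Internet Explorer search provider pointing somewhere unexpected, and a populated AppInit_DLLs. The trusted-host allowlist and the "suspicious directory" set are assumptions of this example, not HijackThis rules; the sample lines are copied from the log above.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\lwinmpez.exe CORN003
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe "
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\lwinmpez.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>[^=]+?) = (?P<target>.*)$")
SEARCH_RE = re.compile(r"^(?:HKLM|HKCU)\\Software\\Microsoft\\Internet Explorer\\Search,\w+ = (?P<url>\S+)$")

# Assumptions of this example, not HijackThis rules: search hosts treated as expected,
# and directories where a legitimate autostart binary is rarely placed directly.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com")
SUSPICIOUS_DIRS = {"c:\\", "c:\\windows"}


def executable_path(command):
    """Program path from a Run/Startup command line, quoted or bare (arguments dropped)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:].strip()
    return command.split(" ", 1)[0]


def triage(log_text):
    """Return (code, reason, entry) triples for entries a helper would look at first."""
    findings = []
    autostarts = {}  # lower-cased program path -> entries that launch it
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append((code, "orphaned entry: referenced file is missing", body))
        if code == "O4":
            m = RUN_RE.match(body) or STARTUP_RE.match(body)
            if not m:
                continue
            path = executable_path(m.group("target"))
            folder = ntpath.dirname(path)
            if folder.lower() in SUSPICIOUS_DIRS:
                findings.append((code, "autostart binary placed directly in " + folder, body))
            autostarts.setdefault(path.lower(), []).append(body)
        elif code in ("R0", "R1"):
            m = SEARCH_RE.match(body)
            if m:
                host = urlparse(m.group("url")).hostname or ""
                if not host.endswith(TRUSTED_SEARCH_HOSTS):
                    findings.append((code, "IE search hijacked to " + host, body))
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((code, "AppInit_DLLs set: DLL injected into every process that loads user32", body))
    # A binary launched from both a Run key and a Startup shortcut is persistence belt-and-braces.
    for path, entries in autostarts.items():
        if len(entries) > 1:
            findings.append(("O4", "same binary registered in several autostart locations", " | ".join(entries)))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {entry}")
```

Run against the sample it reports the xeymi.dll BHO and the URLSearchHook as orphaned, SYSC00.exe as living in the Windows root, lwinmpez.exe as registered twice, the mrfindalot search hijack and the AppInit_DLLs entry, while the McAfee and QuickTime lines pass untouched; that matches the files the helper goes after in the following posts.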
     
  2. 2006/08/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    OK, you have what look to be QooLogic and E2Give infections; let's run ComboFix, which is designed to deal with those two and several others.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    We'll have more to do once we find more files.
     

  4. 2006/08/29
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    I ran ComboFix

    Here is the log...
    Mike - 06-08-29 20:22:49.71
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Mike

    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


    * * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    2006-07-25 15:56 159744 --a------ C:\WINDOWS\SYSTEM32\redist.dll
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Mike\Application Data\Sskcwrd.dll
    C:\Documents and Settings\Mike\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Mike\Application Data\Sskuknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\SYSTEM32\ZICORN003.exe
    C:\WINDOWS\keyboard1.dat
    C:\WINDOWS\newname.dat
    C:\dfndref_7.exe
    C:\drsmartload45a7i.exe
    C:\drsmartload46a7i.exe
    C:\drsmartload849a7i.exe
    C:\kybrdef_7.exe
    C:\nwnmef_7.exe
    C:\webnexmknew.exe
    C:\Documents and Settings\Mike\Start Menu\Programs\Startup\zeno.lnk
    C:\WINDOWS\system32\bez6n4r21.exe
    C:\WINDOWS\system32\dwdsregt.exe
    C:\WINDOWS\system32\n9nyb.exe
    C:\WINDOWS\system32\tsuninst.exe
    C:\WINDOWS\system32\VSL05.exe
    C:\WINDOWS\ssqbn.exe
    C:\WINDOWS\system32bez6n4r21.exe
    C:\WINDOWS\system32ghynf.exe
    C:\WINDOWS\system32n9nyb.exe
    C:\WINDOWS\uni_eh.exe
    C:\WINDOWS\unin101.exe
    C:\WINDOWS\uninstall_nmon.vbs
    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Program Files\Cas2Stub


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


    2006-08-20 14:07 288,320 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
    2006-08-20 14:05 820 --a------ C:\WINDOWS\SYSTEM32\nt68rrtc12.sys
    2006-08-19 14:02 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
    2006-08-19 14:02 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
    2006-08-19 14:02 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
    2006-08-19 14:02 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
    2006-08-19 14:02 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
    2006-08-19 14:02 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
    2006-08-19 14:02 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-29 16:10 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 16:10 -------- d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
    2006-08-27 13:44 -------- d-------- C:\Program Files\Trend Micro
    2006-08-19 22:10 -------- d-------- C:\Program Files\ErrorKiller
    2006-08-16 23:55 -------- d-------- C:\Documents and Settings\Mike\Application Data\Mozilla
    2006-08-11 01:07 -------- d-------- C:\Program Files\Internet Explorer
    2006-07-27 15:19 -------- d-------- C:\Program Files\Common Files\WhenU
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-25 22:02 -------- d-------- C:\Program Files\Common Files\fuiq
    2006-07-25 19:38 23280 --a------ C:\WINDOWS\icont.exe
    2006-07-25 16:45 1063 --a------ C:\WINDOWS\SYSTEM32\llif01f8.sys
    2006-07-25 16:22 45093 --a------ C:\WINDOWS\SYSTEM32\oldsregq.exe
    2006-07-25 15:57 -------- d-------- C:\Program Files\Windows NT
    2006-07-25 15:57 -------- d-------- C:\Program Files\Common Files
    2006-07-25 15:56 159872 --a------ C:\WINDOWS\SYSTEM32\lwinmpez.exe
    2006-07-25 15:56 159744 --a------ C:\WINDOWS\SYSTEM32\redist.dll
    2006-07-25 15:56 126464 --a------ C:\WINDOWS\SYSTEM32\redistributor.exe
    2006-07-25 15:56 -------- d-------- C:\Program Files\ComPlus Applications
    2006-07-25 15:52 61440 --a------ C:\WINDOWS\SYSTEM32\llif01f8.dll
    2006-07-25 15:51 29696 --a------ C:\WINDOWS\SYSTEM32\w0e3da29.dll
    2006-07-25 15:50 587776 --a------ C:\626_101newer.exe
    2006-07-25 15:50 2560 --a------ C:\ac3_0003.exe
    2006-07-25 15:48 27648 --a------ C:\dist13.exe
    2006-07-25 15:47 143360 --a------ C:\WINDOWS\sys029560694932006.exe
    2006-07-25 15:45 57344 --a------ C:\fym9bvo.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
    2006-06-07 13:55 3626 --a------ C:\Program Files\Common Files\wopyp.html


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    @=""
    "Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "nddrof"="C:\\windows\\system32\\nddrof.exe"
    "wmsl_q"="C:\\windows\\system32\\wmsl_q.exe"
    "ddrotv"="C:\\windows\\system32\\ddrotv.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Windows NT\\zyreromyj.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Common Files\\wopyp.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



    Completion time: Tue 08/29/2006 20:32:27.21
    ComboFix.txt
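The "Reg Loading Points" section above is a registry export, and two things in it deserve attention from a defender's point of view: the three values under `policies\explorer\Run` (a key that Group Policy, not installers, normally writes to) and two Active Desktop components whose Source is a local HTML file. An Active Desktop component that renders a local HTML page is how this kind of infection paints a fake desktop over the real one, which fits the hidden icons and the odd white dot described in the first post. The script below is an added example (not from the thread, ComboFix or any tool it names) that parses .reg-style text and reports exactly those two patterns; the sample input is a constructed copy of the relevant keys from the log above, and the key patterns it looks for are choices made for this example.

```python
import re

# Constructed sample: the relevant keys from the "Reg Loading Points" section of the
# ComboFix log posted above, written in plain .reg syntax.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"nddrof"="C:\\windows\\system32\\nddrof.exe"
"wmsl_q"="C:\\windows\\system32\\wmsl_q.exe"
"ddrotv"="C:\\windows\\system32\\ddrotv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Windows NT\\zyreromyj.html"
"SubscribedURL"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Common Files\\wopyp.html"
"Flags"=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<data>.*)$')
# Assumed patterns for this example: numbered Active Desktop component keys, and a drive-letter path.
COMPONENT_RE = re.compile(r"\\Internet Explorer\\Desktop\\Components\\\d+$", re.IGNORECASE)
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_reg_export(text):
    """Return {key: {value_name: raw_data}} for .reg-style text; hex continuation lines are skipped."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = tree.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name").strip('"')] = m.group("data")
    return tree


def reg_string(data):
    """Decode a REG_SZ literal (quoted, with \\\\ and \\" escapes) to a plain string; None for other types."""
    if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
        return None
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def triage_reg(text):
    """Flag Explorer-policy Run values and Active Desktop components that render a local file."""
    findings = []  # (kind, key, value name, decoded value)
    for key, values in parse_reg_export(text).items():
        if key.lower().endswith(r"\policies\explorer\run"):
            # Autoruns placed under the policy key: a spot installers leave alone.
            for name, data in values.items():
                findings.append(("policy-run", key, name, reg_string(data)))
        elif COMPONENT_RE.search(key):
            # About:Home is the stock component; a local file as Source is the hijack.
            source = reg_string(values.get("Source", ""))
            if source and LOCAL_PATH_RE.match(source):
                findings.append(("active-desktop-local-file", key, "Source", source))
    return findings


if __name__ == "__main__":
    for kind, key, name, value in triage_reg(SAMPLE_REG):
        print(f"{kind:26} {name} = {value}\n    in {key}")
```

On the sample it lists nddrof.exe, wmsl_q.exe and ddrotv.exe from the policy Run key and the two HTML files zyreromyj.html and wopyp.html as Active Desktop sources, leaving the QuickTime Run value and the About:Home component alone; those are the same five items the helper adds to the Killbox list in the next post.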
     
  5. 2006/08/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Looks like ComboFix got a ton, but we still have a few to get.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\Documents and Settings\Mike\Application Data\Sskcwrd.dll
    C:\Documents and Settings\Mike\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Mike\Application Data\Sskuknwrd.dll
    C:\Program Files\ErrorKiller
    C:\Program Files\Common Files\WhenU
    C:\Program Files\Common Files\fuiq
    C:\WINDOWS\icont.exe
    C:\WINDOWS\SYSTEM32\llif01f8.sys
    C:\WINDOWS\SYSTEM32\oldsregq.exe
    C:\WINDOWS\SYSTEM32\lwinmpez.exe
    C:\WINDOWS\SYSTEM32\redist.dll
    C:\WINDOWS\SYSTEM32\redistributor.exe
    C:\WINDOWS\SYSTEM32\llif01f8.dll
    C:\WINDOWS\SYSTEM32\w0e3da29.dll
    C:\626_101newer.exe
    C:\ac3_0003.exe
    C:\dist13.exe
    C:\WINDOWS\sys029560694932006.exe
    C:\Program Files\Common Files\wopyp.html
    C:\windows\system32\nddrof.exe
    C:\windows\system32\wmsl_q.exe
    C:\windows\system32\ddrotv.exe
    C:\Program Files\Windows NT\zyreromyj.html



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot, run ComboFix first, save the log then run HJT and save that log, posting both logs back into this thread.
     
  6. 2006/08/29
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    I followed your directions as given. Thanks for your help.

    Here is my hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:45:22 PM, on 8/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Mike\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe




    Here is my ComboFix log:

    Mike - 06-08-29 22:52:42.59
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Mike\Desktop

    ((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


    2006-08-20 14:07 288,320 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
    2006-08-20 14:05 820 --a------ C:\WINDOWS\SYSTEM32\nt68rrtc12.sys
    2006-08-19 14:02 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
    2006-08-19 14:02 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
    2006-08-19 14:02 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
    2006-08-19 14:02 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
    2006-08-19 14:02 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
    2006-08-19 14:02 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
    2006-08-19 14:02 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-29 22:41 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 22:33 -------- d-------- C:\Program Files\Windows NT
    2006-08-29 22:33 -------- d-------- C:\Program Files\Common Files
    2006-08-29 16:10 -------- d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
    2006-08-27 13:44 -------- d-------- C:\Program Files\Trend Micro
    2006-08-16 23:55 -------- d-------- C:\Documents and Settings\Mike\Application Data\Mozilla
    2006-08-11 01:07 -------- d-------- C:\Program Files\Internet Explorer
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-25 15:56 -------- d-------- C:\Program Files\ComPlus Applications
    2006-07-25 15:45 57344 --a------ C:\fym9bvo.exe
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
    "VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
    "OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
    "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
    "MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    @=""
    "Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "nddrof"="C:\\windows\\system32\\nddrof.exe"
    "wmsl_q"="C:\\windows\\system32\\wmsl_q.exe"
    "ddrotv"="C:\\windows\\system32\\ddrotv.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\Program Files\\Windows NT\\zyreromyj.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="C:\\Program Files\\Common Files\\wopyp.html"
    "SubscribedURL"=""
    "FriendlyName"=""
    "Flags"=dword:00002000
    "Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState"=dword:40000001
    "OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



    Completion time: Tue 08/29/2006 22:55:28.15
    ComboFix.txt
    ComboFix2.txt
     
  7. 2006/08/30
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    I haven't had any pop-ups since yesterday, however my desktop icons are still missing and my picture is not clear.
     
  8. 2006/08/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like we still have some stragglers. Let's get them all removed and see how your desktop works out.

    Let's run Killbox again using the files listed below.

    Select "Delete on Reboot", and then select "All files".

    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\xeymi.dll
    C:\WINDOWS\SYSTEM32\nt68rrtc12.sys
    C:\fym9bvo.exe
    C:\windows\system32\nddrof.exe
    C:\windows\system32\wmsl_q.exe
    C:\windows\system32\ddrotv.exe
    C:\Program Files\Windows NT\zyreromyj.html

    C:\Program Files\Common Files\wopyp.html

    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  9. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    OK, I ran the programs.

    here is the ComboFix log:

    Mike - 06-08-31 16:04:40.38
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Mike

    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-20 14:07 288,320 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
    2006-08-19 14:02 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
    2006-08-19 14:02 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
    2006-08-19 14:02 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
    2006-08-19 14:02 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
    2006-08-19 14:02 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
    2006-08-19 14:02 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
    2006-08-19 14:02 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 15:53 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 22:33 -------- d-------- C:\Program Files\Windows NT
    2006-08-29 22:33 -------- d-------- C:\Program Files\Common Files
    2006-08-29 16:10 -------- d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
    2006-08-27 13:44 -------- d-------- C:\Program Files\Trend Micro
    2006-08-16 23:55 -------- d-------- C:\Documents and Settings\Mike\Application Data\Mozilla
    2006-08-11 01:07 -------- d-------- C:\Program Files\Internet Explorer
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-25 15:56 -------- d-------- C:\Program Files\ComPlus Applications
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "VSOCheckTask "= "\ "C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask "
    "VirusScan Online "= "C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe "
    "OASClnt "= "C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe "
    "MCAgentExe "= "c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe "
    "MCUpdateExe "= "C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM "= "C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "DellSupport "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    @=" "
    "Sony Ericsson PC Suite "= "\ "C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "nddrof "= "C:\\windows\\system32\\nddrof.exe "
    "wmsl_q "= "C:\\windows\\system32\\wmsl_q.exe "
    "ddrotv "= "C:\\windows\\system32\\ddrotv.exe "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "C:\\Program Files\\Windows NT\\zyreromyj.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "= "C:\\Program Files\\Common Files\\wopyp.html "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=hex:01,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "



    Completion time: Thu 08/31/2006 16:07:04.82
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt








    Here is the hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:08:10 PM, on 8/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Mike\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
     
  10. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, almost done, nice work.

    Let's remove some of those registry points as we have gotten rid of all the related files.

    But let's first back up your registry.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When the box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0

    In the right hand side of the window, look for:
    Source

    Right-click it to highlight it and select 'Modify' and delete the 'Value Data' Field.

    Do the same for the following key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1

    Then move onto this key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

    Look for the following:
    wmsl_q
    nddrof
    ddrotv

    Right-click each, and delete each one.

    Close the registry.

    Reboot, into 'Safe mode', run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=


    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)


    While still in safe mode run Killbox again and insert the following:
    C:\WINDOWS\system32\xeymi.dll

    Run KB as previously instructed, once done, reboot run a new ComboFix log and a new HJT log file as well.
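    An added example, not from the thread and not ComboFix or HijackThis code: a small Python parser that reads a pasted ComboFix "Reg Loading Points" dump and flags the two persistence spots this post walks through, a populated policies\explorer\Run key and an Active Desktop component whose Source is a local HTML file instead of About:Home. The sample dump is constructed to mirror the format of the logs in this thread, including their stray spaces inside the quotes.

```python
"""Flag suspicious loading points in a ComboFix-style registry dump (added example)."""
import re

# Constructed sample in the thread's log format (stray quote padding included).
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
"nddrof "= "C:\\windows\\system32\\nddrof.exe "
"wmsl_q "=" "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source "= "C:\\Program Files\\Windows NT\\zyreromyj.html "
"Flags "=dword:00002000
"Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source "= "About:Home "
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?P<data>.*?)\s*$')
POLICY_RUN_RE = re.compile(r'\\policies\\explorer\\Run$', re.IGNORECASE)
DESKTOP_COMP_RE = re.compile(r'\\Internet Explorer\\Desktop\\Components\\\d+$',
                             re.IGNORECASE)


def decode(data):
    """Turn the right-hand side of a value line into a Python value."""
    if data.startswith('"'):
        # Quoted string: drop quotes and padding, collapse doubled backslashes.
        return data.strip('"').strip().replace('\\\\', '\\')
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data  # hex:... blobs are kept verbatim


def parse_dump(text):
    """Return {key: {value_name: data}} for every key in the dump."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:            # continuation line of a hex: value
            name, data = pending
            data += line.rstrip('\\')
            if line.endswith('\\'):
                pending = (name, data)
            else:
                pending = None
                keys[current][name] = data
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group('name'), m.group('data')
            if data.endswith('\\'):        # hex: value continues on the next line
                pending = (name, data.rstrip('\\'))
            else:
                keys[current][name] = decode(data)
    return keys


def audit(text):
    """Return (severity, key, value_name, data) for each suspicious loading point."""
    findings = []
    for key, values in parse_dump(text).items():
        if POLICY_RUN_RE.search(key):
            # Empty on a clean XP box; anything listed here runs at logon.
            # Emptied leftovers (as in the thread's last log) only get a note.
            for name, data in values.items():
                findings.append(('high' if data else 'low', key, name, data))
        elif DESKTOP_COMP_RE.search(key):
            # An Active Desktop component whose Source is a local HTML file is
            # how the desktop in this thread got covered by a pop-up page.
            src = values.get('Source', '')
            if isinstance(src, str) and src and not src.lower().startswith('about:'):
                findings.append(('high', key, 'Source', src))
    return findings


if __name__ == '__main__':
    for sev, key, name, data in audit(SAMPLE_DUMP):
        print(f'[{sev}] {key} -> {name} = {data!r}')
```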
     
  11. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    I removed the registry points, but I don't know what safe mode is or how to do it.
     
  12. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    My bad, I forgot we hadn't covered that part:

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then do the other stuff, apologies for that oversight.
     
  13. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    ok thanks
     
  14. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    I tried running my PC in safe mode, but I had no internet connection and could not access the file hijackthis to create the log. Also, I don't know if this is normal, but my computer's colors were messed up in safe mode.
     
  15. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You don't need internet access to get to the HJT file, it should be here:
    C:\Documents and Settings\Mike\My Documents\hijackthis<<<--in this folder.

    And it is normal to have a messed up display in safe mode, not all drivers are loaded, it's just the bare minimum.
     
  16. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    When I entered C:\WINDOWS\system32\xeymi.dll into Killbox, it said the file doesn't exist.
     
  17. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    Here are my new logs:

    ComboFix

    Mike - 06-08-31 18:16:10.78
    ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Mike\Desktop

    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-20 14:07 288,320 -ra------ C:\WINDOWS\SYSTEM32\mcgdmgr.dll
    2006-08-19 14:02 7,882 --a------ C:\WINDOWS\SYSTEM32\GTKCMOS.sys
    2006-08-19 14:02 7,626 --a------ C:\WINDOWS\SYSTEM32\GPCIEnum.sys
    2006-08-19 14:02 7,168 --a------ C:\WINDOWS\SYSTEM32\DLPT64.sys
    2006-08-19 14:02 6,656 --a------ C:\WINDOWS\SYSTEM32\DLPT2.sys
    2006-08-19 14:02 5,632 --a------ C:\WINDOWS\SYSTEM32\GPCIEn64.sys
    2006-08-19 14:02 5,120 --a------ C:\WINDOWS\SYSTEM32\GTKCMO64.sys
    2006-08-19 14:02 4,608 --a------ C:\WINDOWS\SYSTEM32\DDMI64.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 18:02 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-29 22:33 -------- d-------- C:\Program Files\Windows NT
    2006-08-29 22:33 -------- d-------- C:\Program Files\Common Files
    2006-08-29 16:10 -------- d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
    2006-08-27 13:44 -------- d-------- C:\Program Files\Trend Micro
    2006-08-16 23:55 -------- d-------- C:\Documents and Settings\Mike\Application Data\Mozilla
    2006-08-11 01:07 -------- d-------- C:\Program Files\Internet Explorer
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-25 15:56 -------- d-------- C:\Program Files\ComPlus Applications
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "VSOCheckTask "= "\ "C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask "
    "VirusScan Online "= "C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe "
    "OASClnt "= "C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe "
    "MCAgentExe "= "c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe "
    "MCUpdateExe "= "C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM "= "C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "DellSupport "= "\ "C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup "
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    @=" "
    "Sony Ericsson PC Suite "= "\ "C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /Minimized "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "nddrof "=" "
    "wmsl_q "=" "
    "ddrotv "=" "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "=" "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source "=" "
    "SubscribedURL "=" "
    "FriendlyName "=" "
    "Flags "=dword:00002000
    "Position "=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
    03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
    "CurrentState "=dword:40000001
    "OriginalStateInfo "=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
    00,00,01,00,00,00
    "RestoredStateInfo "=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=dword:40000004
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "



    Completion time: Thu 08/31/2006 18:18:39.84
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt


    Hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 6:19:18 PM, on 8/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Mike\My Documents\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
     
  18. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That's a good thing then!! :)

    Run HJT and see if that line is gone; if it is, then we're done.
     
  19. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ah, I see we cross-posted.

    Those lines are still there in the registry, did that process go ok?
     
  20. 2006/08/31
    Mike5

    Mike5 Inactive Thread Starter

    Joined:
    2006/08/29
    Messages:
    17
    Likes Received:
    0
    Yes, but I enabled the 'show hidden folders' after everything. Was that where I messed up?
     
  21. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    No that wouldn't have made any difference to the registry.

    Try the process again please, see what happens. Also realize that the entries in and of themselves are harmless because we neutered the files.

    Worst case scenario, I can get a registry fix created and do it that way.
     
