
Solved Continuous pop-ups running

Discussion in 'Malware and Virus Removal Archive' started by jgalvi, 2007/12/29.

  1. 2007/12/29
    jgalvi

    jgalvi Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    17
    Likes Received:
    0
    [Resolved] Continuous pop-ups running

    Hi,
    My wife allowed an unknown file to download and Internet Explorer has continually launched new pop-up ads since then. I have run McAfee's virus scan twice but it only came up with cookies last time and the pop-ups are still launching.
    Please help!
    thanks,
    Jon
    Below is a copy of HijackThis log I ran this morning.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:12:41 AM, on 12/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\troy44.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\NETGEAR GA511 Adapter\GA511.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne1.attbb.net
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [us7h37e] danrecst.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
    O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: GA511 Smart Wizard Utility.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm475YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.esc.gov/vdesk/terminal/urxvpn.cab#version=5500,0,50914,1
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://anemailcls1.faa.gov/iNotes6W.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.esc.gov/vdesk/terminal/urTermProxy.cab#version=5500,0,50803,1
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184535054383
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.esc.gov/vdesk/terminal/urxhost.cab#version=5500,0,50928,1
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 15497 bytes
     
  2. 2007/12/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Jon :)

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now. This will give us a better look at things.

    Please do not alter the logs ....... it makes them difficult to read.
     


  4. 2007/12/29
    jgalvi

    jgalvi Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    17
    Likes Received:
    0
    more info

    Dave,
    Thanks much.
    Jon
    Here are the results of the DSS scan:
    Deckard's System Scanner v20071014.68
    Run by Jon Galvin on 2007-12-29 12:44:57
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    63: 2007-12-29 17:45:49 UTC - RP1146 - Deckard's System Scanner Restore Point
    62: 2007-12-28 23:18:49 UTC - RP1145 - System Checkpoint
    61: 2007-12-27 22:24:52 UTC - RP1144 - System Checkpoint
    60: 2007-12-26 17:15:22 UTC - RP1143 - System Checkpoint
    59: 2007-12-25 14:53:57 UTC - RP1142 - System Checkpoint


    -- First Restore Point --
    1: 2007-10-14 12:26:51 UTC - RP1084 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    System Drive C: has 5.17 GiB (less than 15%) free.


    -- HijackThis (run as Jon Galvin.exe) ------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:52:58 PM, on 12/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\mrofinu77.exe
    C:\WINDOWS\troy44.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\NETGEAR GA511 Adapter\GA511.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Documents and Settings\Jon Galvin\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Jon Galvin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne1.attbb.net
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [us7h37e] danrecst.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
    O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: GA511 Smart Wizard Utility.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm475YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.esc.gov/vdesk/terminal/urxvpn.cab#version=5500,0,50914,1
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://anemailcls1.faa.gov/iNotes6W.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.esc.gov/vdesk/terminal/urTermProxy.cab#version=5500,0,50803,1
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184535054383
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.esc.gov/vdesk/terminal/urxhost.cab#version=5500,0,50928,1
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 15351 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R2 LANPkt (Realtek LANPkt Protocol) - c:\windows\system32\drivers\lanpkt.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
    R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.7) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.7>
    R2 Scap (SecureClient Application Policy Module) - c:\windows\system32\drivers\scap.sys <Not Verified; Check Point Software Technologies; desktop>
    R2 VPN-1 (VPN-1 Module) - c:\windows\system32\drivers\vpn.sys <Not Verified; Check Point Software Technologies; vpn1>
    R3 Diag69xp - c:\windows\system32\drivers\diag69xp.sys <Not Verified; Realtek Semiconductor Corporation; Realtek RTL8169 Gigabit Ethernet Adapter>
    R3 STAC97 (Audio Driver (WDM) - SigmaTel CODEC) - c:\windows\system32\drivers\stac97.sys <Not Verified; SigmaTel, Inc.; AC'97 Audio Controller with SigmaTel CODEC device driver.>
    R3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - c:\windows\system32\drivers\wmbenum.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
    R3 WmXlCore (Logitech WingMan Translation Layer Driver) - c:\windows\system32\drivers\wmxlcore.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>

    S3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>
    S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
    S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
    S3 WmFilter (Logitech WingMan HID Filter Driver) - c:\windows\system32\drivers\wmfilter.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>
    S3 WmVirHid (Logitech Virtual Hid Device Driver) - c:\windows\system32\drivers\wmvirhid.sys <Not Verified; Logitech Inc.; Logitech WingMan Software>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 SR_Service (Check Point SecuRemote Service) - "c:\program files\checkpoint\securemote\bin\sr_service.exe" <Not Verified; Check Point Software Technologies; VPN-1 SecuRemote/SecureClient>
    R2 SR_WatchDog (Check Point SecuRemote WatchDog) - "c:\program files\checkpoint\securemote\bin\sr_watchdog.exe" <Not Verified; Check Point Software Technologies; desktop>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-08-04 15:11:46 350 --a------ C:\WINDOWS\Tasks\McDefragTask.job
    2007-08-04 15:11:44 342 --a------ C:\WINDOWS\Tasks\McQcTask.job
    2004-06-24 17:36:09 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


    -- Files created between 2007-11-29 and 2007-12-29 -----------------------------

    2007-12-29 11:12:09 0 d-------- C:\Program Files\Trend Micro
    2007-12-27 14:14:16 0 d-------- C:\Program Files\WinAble
    2007-12-27 14:14:16 0 d-------- C:\Program Files\Temporary
    2007-12-27 14:03:25 39936 -ra------ C:\WINDOWS\mrofinu77.exe
    2007-12-25 05:55:00 53760 --a------ C:\WINDOWS\b122.exe
    2007-12-19 17:05:48 212992 --a------ C:\WINDOWS\troy44.exe <Not Verified; ; troy44>


    -- Find3M Report ---------------------------------------------------------------

    2007-12-26 22:22:37 0 d-------- C:\Program Files\FinePixViewer
    2007-12-18 08:36:08 0 d-------- C:\Program Files\McAfee


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [01/08/2004 03:26 PM]
    "nwiz "= "nwiz.exe" [01/08/2004 03:26 PM C:\WINDOWS\SYSTEM32\nwiz.exe]
    "BCMSMMSG "= "BCMSMMSG.exe" [08/29/2003 05:59 AM C:\WINDOWS\BCMSMMSG.exe]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" []
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" []
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" []
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
    "DadApp "= "C:\Program Files\Dell\AccessDirect\dadapp.exe" []
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" []
    "DVDSentry "= "C:\WINDOWS\System32\DSentry.exe" []
    "PCMService "= "C:\Program Files\Dell\Media Experience\PCMService.exe" []
    "MMTray "= "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
    "LWBMOUSE "= "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" []
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" []
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "LVCOMSX "= "C:\WINDOWS\system32\LVCOMSX.EXE" []
    "LogitechVideoRepair "= "C:\Program Files\Logitech\Video\ISStart.exe" []
    "LogitechVideoTray "= "C:\Program Files\Logitech\Video\LogiTray.exe" []
    "us7h37e "= "danrecst.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "mmtask "= "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" []
    "LogitechGalleryRepair "= "C:\Program Files\Logitech\Video\ISStart.exe" []
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 07:52 PM]
    "@ "=" " []
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
    "REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.exe" []
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
    "runner1 "= "C:\WINDOWS\mrofinu77.exe" [12/27/2007 06:23 PM]
    "troy44 "= "C:\WINDOWS\troy44.exe" [12/19/2007 05:05 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
    "LogitechSoftwareUpdate "= "C:\Program Files\Logitech\Video\ManifestEngine.exe" []
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" []
    "Microsoft Location Finder "= "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" []
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

    C:\Documents and Settings\Jon Galvin\Start Menu\Programs\Startup\
    DESKTOP.INI [9/3/2002 9:00:00 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2/14/2006 7:39:29 AM]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [9/6/2004 1:35:20 PM]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [12/21/2005 5:31:16 PM]
    DESKTOP.INI [9/3/2002 9:00:00 AM]
    Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [3/5/2006 1:41:14 PM]
    GA511 Smart Wizard Utility.lnk - C:\WINDOWS\Installer\{52CAD7C7-1E41-43FE-8613-AB9D79B2DBBC}\NewShortcut1.exe [8/6/2005 11:31:10 AM]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [9/16/2003 4:19:24 AM]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [3/29/2005 6:17:09 PM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "disableregistrytools "=0 (0x0)
    "disabletaskmgr "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "=0 (0x0)
    "NoMovingBands "=0 (0x0)
    "NoCloseDragDropBands "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoToolbarsOnTaskbar "=0 (0x0)
    "NoSaveSettings "=0 (0x0)
    "NoActiveDesktop "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 03/01/2005 07:49 PM 24672 C:\WINDOWS\SYSTEM32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command- E:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17b671e0-9cf7-11da-805f-009096b80ec8}]
    AutoRun\command- G:\setupSNK.exe




    -- End of Deckard's System Scanner: finished at 2007-12-29 12:54:16 ------------
     
  5. 2007/12/30
    jgalvi

    jgalvi Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    17
    Likes Received:
    0
    slower and slower

    Can anyone help? The computer appears to be getting slower and slower... very difficult to use the Internet...
    tks,
    Jon
     
  6. 2007/12/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My apologies for the late reply. :eek:

    Download ComboFix by sUBs from here, saving the file to your desktop.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  7. 2007/12/30
    jgalvi

    jgalvi Inactive Thread Starter

    Joined:
    2007/12/28
    Messages:
    17
    Likes Received:
    0
    Ran ComboFix and a new HijackThis scan, pop-ups continue

    Hi,
    I did as you suggested. The pop-ups are still running. Here are the logs:
    ComboFix results:
    ComboFix 07-12-31.4 - Jon Galvin 2007-12-30 22:51:11.1 - NTFSx86
    Running from: C:\Documents and Settings\Jon Galvin\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Scarlet Galvin\Desktop\searchus.exe
    C:\Program Files\FunWebProducts
    C:\Program Files\FunWebProducts\ScreenSaver\Images\07D8BDDF.urr
    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\History\search
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat
    C:\Program Files\MyWebSearch\bar\Settings\settings.htm
    C:\Program Files\Temporary
    C:\Program Files\WinAble
    C:\Program Files\WinAble\winable.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\Gwang.exe
    C:\WINDOWS\mrofinu77.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-30 22:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-29 12:44 . 2007-12-29 12:44 <DIR> d-------- C:\Deckard
    2007-12-29 11:12 . 2007-12-29 11:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-21 22:39 . 2007-12-26 13:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-21 22:39 . 2007-12-21 22:39 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-19 17:05 . 2007-12-19 17:05 212,992 --a------ C:\WINDOWS\troy44.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-27 03:22 --------- d-----w C:\Program Files\FinePixViewer
    2007-12-18 13:36 --------- d-----w C:\Program Files\McAfee
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2006-05-28 23:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2004-11-17 02:26 4,918,270 ----a-w C:\Program Files\Firefox Setup 1.0.exe
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "LogitechSoftwareUpdate "= "C:\Program Files\Logitech\Video\ManifestEngine.exe" [ ]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [ ]
    "Microsoft Location Finder "= "C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [ ]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2004-01-08 15:26 4866048]
    "nwiz "= "nwiz.exe" [2004-01-08 15:26 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "BCMSMMSG "= "BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
    "DadApp "= "C:\Program Files\Dell\AccessDirect\dadapp.exe" [ ]
    "Dell QuickSet "= "C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
    "DVDSentry "= "C:\WINDOWS\System32\DSentry.exe" [ ]
    "PCMService "= "C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
    "MMTray "= "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [ ]
    "LWBMOUSE "= "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [ ]
    "HP Component Manager "= "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [ ]
    "LVCOMSX "= "C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
    "LogitechVideoRepair "= "C:\Program Files\Logitech\Video\ISStart.exe" [ ]
    "LogitechVideoTray "= "C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
    "us7h37e "= "danrecst.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "mmtask "= "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [ ]
    "LogitechGalleryRepair "= "C:\Program Files\Logitech\Video\ISStart.exe" [ ]
    "Acrobat Assistant 7.0 "= "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
    "@ "=" " []
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
    "REGSHAVE "= "C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
    "HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
    "runner1 "= "C:\WINDOWS\mrofinu77.exe" [ ]
    "troy44 "= "C:\WINDOWS\troy44.exe" [2007-12-19 17:05 212992]
    "combofix "= "C:\WINDOWS\system32\cmd.exe" [2004-08-04 02:56 388608]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-02-14 07:39:29]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-06 13:35:20]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-12-21 17:31:16]
    Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-03-05 13:41:14]
    GA511 Smart Wizard Utility.lnk - C:\WINDOWS\Installer\{52CAD7C7-1E41-43FE-8613-AB9D79B2DBBC}\NewShortcut1.exe [2005-08-06 11:31:10]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-03-29 18:17:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "disabletaskmgr "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "= 0 (0x0)
    "NoMovingBands "= 0 (0x0)
    "NoCloseDragDropBands "= 0 (0x0)
    "NoToolbarsOnTaskbar "= 0 (0x0)
    "NoActiveDesktop "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit "= "userinit.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 2005-03-01 19:49 24672 C:\WINDOWS\SYSTEM32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-12-25 10:53]
    R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 19:49]
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 19:49]
    R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-12-25 10:53]
    R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 19:49]
    R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-09-14 07:45]
    S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-09-14 07:45]
    S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 19:49]
    S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 14:16]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17b671e0-9cf7-11da-805f-009096b80ec8}]
    \Shell\AutoRun\command - G:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2004-06-24 22:36:09 C:\WINDOWS\Tasks\ISP signup reminder 1.job "
    - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    "2007-08-04 20:11:46 C:\WINDOWS\Tasks\McDefragTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2007-08-04 20:11:44 C:\WINDOWS\Tasks\McQcTask.job "
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-30 23:18:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-30 23:25:53 - machine was rebooted
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 04:25:46
    .
    2007-12-22 04:29:13 --- E O F ---

    Here is the new HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:31:00 PM, on 12/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\troy44.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\NETGEAR GA511 Adapter\GA511.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne1.attbb.net
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [us7h37e] danrecst.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: GA511 Smart Wizard Utility.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm475YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.esc.gov/vdesk/terminal/urxvpn.cab#version=5500,0,50914,1
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://anemailcls1.faa.gov/iNotes6W.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.esc.gov/vdesk/terminal/urTermProxy.cab#version=5500,0,50803,1
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184535054383
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.esc.gov/vdesk/terminal/urxhost.cab#version=5500,0,50928,1
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 14830 bytes
     
  8. 2007/12/31
    noahdfear

    Scan again with HijackThis and place a check next to the following entry, close all other windows then click Fix Checked.

    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

    Close HijackThis.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\troy44.exe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "us7h37e"=-
     "runner1"=-
     "troy44"=-
     "combofix"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
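To show what the steps above amount to for a log reviewer, here is an added example (not HijackThis or ComboFix code, and not from anyone in this thread) that parses HijackThis 2.x entries, diffs a "before" log against the "fresh" log the helper asks for, flags the kinds of entries targeted above, and renders a CFScript in the File::/Registry:: layout shown. The sample log lines and the review heuristics are constructed for the example, modelled on the entries in this thread.

```python
"""Added example: read HijackThis 2.x log entries and render a ComboFix CFScript.
Not HijackThis or ComboFix code; sample text and heuristics are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the shape of a HijackThis log before the fix ...
SAMPLE_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [us7h37e] danrecst.exe
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""
# ... and after the CFScript ran: the URLSearchHook and the two Run values are gone.
SAMPLE_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# O4 Run entries look like:  O4 - HKLM\..\Run: [value name] command line
_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
_MISSING = ("(no file)", "(file missing)")  # HijackThis markers for an orphaned entry


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """One dict per R*/O* entry: section code, raw line and, for O4 Run lines,
    the hive, value name and command line. Headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        sec = re.match(r"^([RO]\d+) - ", line)
        if not sec:
            continue
        entry = {"section": sec.group(1), "raw": line}
        run = _RUN_RE.match(line)
        if run:
            entry.update(hive=run["hive"], name=run["name"], cmd=run["cmd"])
        entries.append(entry)
    return entries


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries only in the earlier log (removed) and only in the later one (added):
    the comparison a helper makes when asked for a fresh HijackThis log."""
    old = {e["raw"] for e in parse_hjt(before)}
    new = {e["raw"] for e in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


def _first_token(cmd: str) -> str:
    """The program part of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def flag_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Review heuristics (assumptions of this example, not HijackThis rules).
    Returns (raw line, reason) pairs; one entry can be listed for several reasons."""
    flagged = []
    for e in entries:
        raw = e["raw"]
        if any(mark in raw for mark in _MISSING):
            flagged.append((raw, "references a file that no longer exists (orphaned entry)"))
        if "cmd" not in e:
            continue
        exe = _first_token(e["cmd"])
        if "\\" not in exe:
            # A bare name is resolved through the search path at logon. ComboFix's
            # "Reg Loading Points" prints where it resolved, or [] when nothing was found.
            flagged.append((raw, f"bare program name {exe!r}: confirm where it resolves"))
        if re.search(r"[a-z]\d", e["name"], re.I):
            flagged.append((raw, f"value name {e['name']!r} mixes letters and digits: "
                                 "match it against an installed product"))
    return flagged


def build_cfscript(files: List[str], registry: Dict[str, List[str]]) -> str:
    """Render File:: and Registry:: sections in the layout used in the thread.
    "name"=- under a key asks for that value to be deleted (.reg file convention)."""
    lines = ["File::", *files, "Registry::"]
    for key, values in registry.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{v}"=-' for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed by the fix:", *removed, sep="\n  ")
    for raw, reason in flag_entries(parse_hjt(SAMPLE_BEFORE)):
        print(f"FLAG {reason}\n  {raw}")
    print(build_cfscript([r"C:\WINDOWS\troy44.exe"], {RUN_KEY: ["us7h37e", "troy44"]}))
```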
     
  9. 2007/12/31
    jgalvi

    not seeing pop-ups so far

    Maybe this worked? I'm not seeing any pop-ups so far.
    Thanks much... do I need to do anything else?
    Jon
    Here are the logs:
    ComboFix 07-12-31.4 - Jon Galvin 2007-12-31 14:57:06.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.206 [GMT -5:00]
    Running from: C:\Documents and Settings\Jon Galvin\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jon Galvin\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\troy44.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\troy44.exe
    E:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
    .

    2007-12-30 22:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-12-29 12:44 . 2007-12-29 12:44 <DIR> d-------- C:\Deckard
    2007-12-29 11:12 . 2007-12-29 11:12 <DIR> d-------- C:\Program Files\Trend Micro
    2007-12-21 22:39 . 2007-12-26 13:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-21 22:39 . 2007-12-21 22:39 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-27 03:22 --------- d-----w C:\Program Files\FinePixViewer
    2007-12-18 13:36 --------- d-----w C:\Program Files\McAfee
    2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
    2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    2007-10-11 05:57 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
    2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
    2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    2007-10-11 05:57 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
    2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    2007-10-11 05:57 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
    2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
    2007-10-11 05:57 1,024,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
    2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    2006-05-28 23:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2004-11-17 02:26 4,918,270 ----a-w C:\Program Files\Firefox Setup 1.0.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-30_23.25.17.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-12-31 17:56:18 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_240.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 483,328 2006-01-13 01:52:32 C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe
    ----a-w 483,328 2006-01-13 00:52:32 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    ----a-w 57,344 2005-06-07 04:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

    ----a-w 180,269 2005-06-03 00:40:32 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

    ----a-w 211,828 2004-03-04 16:36:22 C:\Program Files\Dell\AccessDirect\bak\dadapp.exe

    ----a-w 217,088 2003-12-12 19:22:12 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

    ----a-w 487,424 2004-03-05 01:59:30 C:\Program Files\Dell\QuickSet\bak\quickset.exe

    ----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

    ----a-w 68,856 2007-05-19 16:11:29 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    ----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

    ----a-w 241,664 2005-01-12 18:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

    ----a-w 458,752 2004-06-01 16:09:50 C:\Program Files\Logitech\Video\bak\ISStart.exe

    ----a-w 217,088 2004-06-01 16:03:18 C:\Program Files\Logitech\Video\bak\LogiTray.exe

    ----a-w 196,608 2004-06-01 10:46:37 C:\Program Files\Logitech\Video\bak\ManifestEngine.exe

    ----a-w 101,064 2005-11-06 03:25:42 C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe

    ----a-w 53,248 2005-03-15 12:58:08 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe

    ----a-w 135,168 2005-03-15 12:58:08 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

    ----a-w 98,304 2004-10-31 22:59:01 C:\Program Files\QuickTime\bak\qttask.exe

    ----a-w 53,248 2002-02-05 03:32:10 C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

    ----a-w 536,576 2004-05-14 13:35:50 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

    ----a-w 98,304 2004-05-13 23:23:56 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

    ----a-w 438,272 2003-05-19 03:24:20 C:\Program Files\TARGUS\PAUM008U\Ver_2.32\bak\LWBWHEEL.exe

    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

    ----a-w 28,672 2003-08-13 15:27:40 C:\WINDOWS\SYSTEM32\bak\DSentry.exe

    ----a-w 221,184 2004-05-22 00:11:22 C:\WINDOWS\SYSTEM32\bak\LVCOMSX.EXE

    ----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [ ]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-01-08 15:26 4866048]
    "nwiz"="nwiz.exe" [2004-01-08 15:26 323584 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
    "DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [ ]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
    "DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [ ]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
    "MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [ ]
    "LWBMOUSE"="C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [ ]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
    "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [ ]
    "us7h37e"="danrecst.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [ ]
    "LogitechGalleryRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [ ]
    "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
    "troy44"="C:\WINDOWS\troy44.exe" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-02-14 07:39:29]
    Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-06 13:35:20]
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2005-12-21 17:31:16]
    Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2006-03-05 13:41:14]
    GA511 Smart Wizard Utility.lnk - C:\WINDOWS\Installer\{52CAD7C7-1E41-43FE-8613-AB9D79B2DBBC}\NewShortcut1.exe [2005-08-06 11:31:10]
    HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-03-29 18:17:09]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"= 0 (0x0)
    "NoMovingBands"= 0 (0x0)
    "NoCloseDragDropBands"= 0 (0x0)
    "NoToolbarsOnTaskbar"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    ckpNotify.dll 2005-03-01 19:49 24672 C:\WINDOWS\SYSTEM32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-12-25 10:53]
    R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 19:49]
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 19:49]
    R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-12-25 10:53]
    R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 19:49]
    R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);C:\WINDOWS\system32\DRIVERS\CamDrL20.sys [2004-05-21 14:16]
    R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2005-09-14 07:45]
    S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2005-09-14 07:45]
    S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 19:49]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17b671e0-9cf7-11da-805f-009096b80ec8}]
    \Shell\AutoRun\command - G:\setupSNK.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2004-06-24 22:36:09 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
    "2007-08-04 20:11:46 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
    "2007-08-04 20:11:44 C:\WINDOWS\Tasks\McQcTask.job"
    - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-31 15:07:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-31 15:10:44
    C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:10:40
    C:\qoobox\ComboFix2.txt 2007-12-31 04:25:53
    .
    2007-12-22 04:29:13 --- E O F ---
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:18:41 PM, on 12/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\NETGEAR GA511 Adapter\GA511.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ne1.attbb.net
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: GA511 Smart Wizard Utility.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm475YYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://vpn1.esc.gov/vdesk/terminal/urxvpn.cab#version=5500,0,50914,1
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://anemailcls1.faa.gov/iNotes6W.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn1.esc.gov/vdesk/terminal/urTermProxy.cab#version=5500,0,50803,1
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184535054383
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn1.esc.gov/vdesk/terminal/urxhost.cab#version=5500,0,50928,1
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 14720 bytes
     
  10. 2007/12/31
    noahdfear

    Looks much better, but I'm now seeing signs of yet another infection that affects legitimate files.

    Please download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post its contents here.
     
  11. 2007/12/31
    jgalvi

    not sure it worked

    Hi,
    I'm not sure the program worked. A msg popped up saying it was not suitable for Windows or something like that.
    Jon
    Here are the results:

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Mon 12/31/2007
    The current time is: 19:30:50.68


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  12. 2007/12/31
    noahdfear

    You are correct ..... it didn't work. No doubt one or more of your system files have gone missing. Open C:\Windows\Repair and locate the files autoexec.nt and config.nt
    Copy both of them to C:\Windows\system32 then run FindAWF again.
     
  13. 2008/01/01
    jgalvi

    ran this time

    Dave,
    Here are the scan results. What issues are you seeing?
    tks,
    Jon

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Tue 01/01/2008
    The current time is: 19:33:56.77


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\DELLSU~1\BAK

    03/15/2007 10:09 AM 460,784 DSAgnt.exe
    1 File(s) 460,784 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MI0A1E~1\BAK

    11/05/2005 10:25 PM 101,064 LocationFinder.exe
    1 File(s) 101,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/31/2004 05:59 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\REGSHAVE\BAK

    02/04/2002 10:32 PM 53,248 REGSHAVE.EXE
    1 File(s) 53,248 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 02:56 AM 15,360 ctfmon.exe
    08/13/2003 10:27 AM 28,672 DSentry.exe
    05/21/2004 07:11 PM 221,184 LVCOMSX.EXE
    3 File(s) 265,216 bytes

    Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

    03/04/2004 11:36 AM 211,828 dadapp.exe
    1 File(s) 211,828 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    12/12/2003 02:22 PM 217,088 PCMService.exe
    1 File(s) 217,088 bytes

    Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

    03/04/2004 08:59 PM 487,424 quickset.exe
    1 File(s) 487,424 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

    05/19/2007 11:11 AM 68,856 GoogleToolbarNotifier.exe
    1 File(s) 68,856 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    01/12/2005 01:54 PM 241,664 hpcmpmgr.exe
    1 File(s) 241,664 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

    06/01/2004 11:09 AM 458,752 ISStart.exe
    06/01/2004 11:03 AM 217,088 LogiTray.exe
    06/01/2004 05:46 AM 196,608 ManifestEngine.exe
    3 File(s) 872,448 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

    03/15/2005 07:58 AM 135,168 mm_tray.exe
    03/15/2005 07:58 AM 53,248 mmtask.exe
    2 File(s) 188,416 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    05/14/2004 08:35 AM 536,576 SynTPEnh.exe
    05/13/2004 06:23 PM 98,304 SynTPLpr.exe
    2 File(s) 634,880 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    03/15/2004 01:04 AM 122,933 tfswctrl.exe
    1 File(s) 122,933 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\DISTILLR\BAK

    01/12/2006 08:52 PM 483,328 Acrotray.exe
    1 File(s) 483,328 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    06/02/2005 07:40 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 01:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\TARGUS\PAUM008U\VER_2.32\BAK

    05/18/2003 10:24 PM 438,272 LWBWHEEL.exe
    1 File(s) 438,272 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    06/06/2005 11:46 PM 57,344 apdproxy.exe
    1 File(s) 57,344 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe "
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe "
    98304 Oct 31 2004 "C:\Program Files\QuickTime\bak\qttask.exe "
    53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    221184 May 21 2004 "C:\WINDOWS\SYSTEM32\bak\LVCOMSX.EXE "
    211828 Mar 4 2004 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe "
    217088 Dec 12 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    487424 Mar 4 2004 "C:\Program Files\Dell\QuickSet\bak\quickset.exe "
    52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar4user.exe "
    1507328 May 28 2006 "C:\Program Files\Real\RealArcade\GoogleInstApp.exe "
    558248 Oct 11 2005 "C:\Program Files\Rhapsody\google_bar\GoogleToolbarInstaller_en.exe "
    138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "
    68856 May 19 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe "
    421888 Dec 8 2005 "E:\wd_windows_tools\Google\GoogleInstaller.exe "
    755816 Nov 12 2005 "E:\wd_windows_tools\Google\Desktop\GoogleDesktopSearchSetup_de.exe "
    562160 Nov 7 2005 "E:\wd_windows_tools\Google\Toolbar\W2KXP\GoogleToolbarInstaller_da.exe "
    708080 Nov 7 2005 "E:\wd_windows_tools\Google\Toolbar\Win9XMe\GoogleToolbarInstaller_da.exe "
    241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe "
    458752 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\ISStart.exe "
    217088 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\LogiTray.exe "
    196608 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe "
    53248 Mar 10 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe "
    53248 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe "
    135168 Mar 10 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe "
    135168 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe "
    536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe "
    98304 May 13 2004 "C:\DELL\drivers\R81989\SynTPLpr.exe "
    98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe "
    98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe "
    122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe "
    122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "
    483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe "
    483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe "
    180269 Jun 2 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    438272 May 18 2003 "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\bak\LWBWHEEL.exe "
    57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe "


    end of report
     
  14. 2008/01/01
    noahdfear

    You had an AWF infection that replaced legitimate files on your system with rogue copies and placed the originals in a different location. Let's get them restored.

    Highlight and copy the bolded list of files to be restored from below, all quotes included.


    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe "
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe "
    "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    "C:\Program Files\Dell\QuickSet\bak\quickset.exe "
    "C:\Program Files\DellSupport\bak\DSAgnt.exe "
    "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe "
    "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe "
    "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    "C:\Program Files\Logitech\Video\bak\ISStart.exe "
    "C:\Program Files\Logitech\Video\bak\LogiTray.exe "
    "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe "
    "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe "
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe "
    "C:\Program Files\QuickTime\bak\qttask.exe "
    "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE "
    "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\bak\LWBWHEEL.exe "
    "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    "C:\WINDOWS\SYSTEM32\bak\LVCOMSX.EXE "
    "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "



    Double-click the FindAWF icon once again.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file will open called: files.txt
    Click below the line and paste the list of files to be restored.

    Next, close files.txt and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.
     
  15. 2008/01/01
    jgalvi

    ran awf again

    Hi,
    Here are the results. How are things looking?
    tks,
    Jon

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Tue 01/01/2008
    The current time is: 21:50:32.00


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\DELLSU~1\BAK

    03/15/2007 10:09 AM 460,784 DSAgnt.exe
    1 File(s) 460,784 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MI0A1E~1\BAK

    11/05/2005 10:25 PM 101,064 LocationFinder.exe
    1 File(s) 101,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/31/2004 05:59 PM 98,304 qttask.exe
    1 File(s) 98,304 bytes

    Directory of C:\PROGRA~1\REGSHAVE\BAK

    02/04/2002 10:32 PM 53,248 REGSHAVE.EXE
    1 File(s) 53,248 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 02:56 AM 15,360 ctfmon.exe
    08/13/2003 10:27 AM 28,672 DSentry.exe
    05/21/2004 07:11 PM 221,184 LVCOMSX.EXE
    3 File(s) 265,216 bytes

    Directory of C:\PROGRA~1\DELL\ACCESS~1\BAK

    03/04/2004 11:36 AM 211,828 dadapp.exe
    1 File(s) 211,828 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    12/12/2003 02:22 PM 217,088 PCMService.exe
    1 File(s) 217,088 bytes

    Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

    03/04/2004 08:59 PM 487,424 quickset.exe
    1 File(s) 487,424 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

    05/19/2007 11:11 AM 68,856 GoogleToolbarNotifier.exe
    1 File(s) 68,856 bytes

    Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

    01/12/2005 01:54 PM 241,664 hpcmpmgr.exe
    1 File(s) 241,664 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

    06/01/2004 11:09 AM 458,752 ISStart.exe
    06/01/2004 11:03 AM 217,088 LogiTray.exe
    06/01/2004 05:46 AM 196,608 ManifestEngine.exe
    3 File(s) 872,448 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

    03/15/2005 07:58 AM 135,168 mm_tray.exe
    03/15/2005 07:58 AM 53,248 mmtask.exe
    2 File(s) 188,416 bytes

    Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

    05/14/2004 08:35 AM 536,576 SynTPEnh.exe
    05/13/2004 06:23 PM 98,304 SynTPLpr.exe
    2 File(s) 634,880 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    03/15/2004 01:04 AM 122,933 tfswctrl.exe
    1 File(s) 122,933 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\DISTILLR\BAK

    01/12/2006 08:52 PM 483,328 Acrotray.exe
    1 File(s) 483,328 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    06/02/2005 07:40 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 01:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\TARGUS\PAUM008U\VER_2.32\BAK

    05/18/2003 10:24 PM 438,272 LWBWHEEL.exe
    1 File(s) 438,272 bytes

    Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

    06/06/2005 11:46 PM 57,344 apdproxy.exe
    1 File(s) 57,344 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe "
    460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe "
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\LocationFinder.exe "
    101064 Nov 5 2005 "C:\Program Files\Microsoft Location Finder\bak\LocationFinder.exe "
    98304 Oct 31 2004 "C:\Program Files\QuickTime\qttask.exe "
    98304 Oct 31 2004 "C:\Program Files\QuickTime\bak\qttask.exe "
    53248 Feb 4 2002 "C:\Program Files\REGSHAVE\REGSHAVE.EXE "
    53248 Feb 4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\DSentry.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    221184 May 21 2004 "C:\WINDOWS\SYSTEM32\LVCOMSX.EXE "
    221184 May 21 2004 "C:\WINDOWS\SYSTEM32\bak\LVCOMSX.EXE "
    211828 Mar 4 2004 "C:\Program Files\Dell\AccessDirect\dadapp.exe "
    211828 Mar 4 2004 "C:\Program Files\Dell\AccessDirect\bak\dadapp.exe "
    217088 Dec 12 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe "
    217088 Dec 12 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    487424 Mar 4 2004 "C:\Program Files\Dell\QuickSet\quickset.exe "
    487424 Mar 4 2004 "C:\Program Files\Dell\QuickSet\bak\quickset.exe "
    52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar4user.exe "
    68856 May 19 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    1507328 May 28 2006 "C:\Program Files\Real\RealArcade\GoogleInstApp.exe "
    558248 Oct 11 2005 "C:\Program Files\Rhapsody\google_bar\GoogleToolbarInstaller_en.exe "
    138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe "
    68856 May 19 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe "
    421888 Dec 8 2005 "E:\wd_windows_tools\Google\GoogleInstaller.exe "
    755816 Nov 12 2005 "E:\wd_windows_tools\Google\Desktop\GoogleDesktopSearchSetup_de.exe "
    562160 Nov 7 2005 "E:\wd_windows_tools\Google\Toolbar\W2KXP\GoogleToolbarInstaller_da.exe "
    708080 Nov 7 2005 "E:\wd_windows_tools\Google\Toolbar\Win9XMe\GoogleToolbarInstaller_da.exe "
    241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe "
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe "
    458752 Jun 1 2004 "C:\Program Files\Logitech\Video\ISStart.exe "
    458752 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\ISStart.exe "
    217088 Jun 1 2004 "C:\Program Files\Logitech\Video\LogiTray.exe "
    217088 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\LogiTray.exe "
    196608 Jun 1 2004 "C:\Program Files\Logitech\Video\ManifestEngine.exe "
    196608 Jun 1 2004 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe "
    53248 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe "
    53248 Mar 10 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe "
    53248 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe "
    135168 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    135168 Mar 10 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe "
    135168 Mar 15 2005 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe "
    536576 May 14 2004 "C:\DELL\drivers\R81989\SynTPEnh.exe "
    536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe "
    536576 May 14 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe "
    98304 May 13 2004 "C:\DELL\drivers\R81989\SynTPLpr.exe "
    98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe "
    98304 May 13 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe "
    122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe "
    122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe "
    122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "
    483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe "
    483328 Jan 12 2006 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak\Acrotray.exe "
    180269 Jun 2 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe "
    180269 Jun 2 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    438272 May 18 2003 "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe "
    438272 May 18 2003 "C:\Program Files\TARGUS\PAUM008U\Ver_2.32\bak\LWBWHEEL.exe "
    57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe "


    end of report
     
  16. 2008/01/01
    noahdfear

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Highlight and copy the following bolded list of folders to be removed:


    C:\Program Files\Adobe\Acrobat 7.0\Distillr\bak
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Common Files\Sonic\Update Manager\bak
    C:\Program Files\Dell\AccessDirect\bak
    C:\Program Files\Dell\Media Experience\bak
    C:\Program Files\Dell\QuickSet\bak
    C:\Program Files\DellSupport\bak
    C:\Program Files\Google\GoogleToolbarNotifier\bak
    C:\Program Files\HP\HP Software Update\bak
    C:\Program Files\HP\hpcoretech\bak
    C:\Program Files\Logitech\Video\bak
    C:\Program Files\Microsoft Location Finder\bak
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\REGSHAVE\bak
    C:\Program Files\Synaptics\SynTP\bak
    C:\Program Files\TARGUS\PAUM008U\Ver_2.32\bak
    C:\WINDOWS\SYSTEM32\bak
    C:\WINDOWS\SYSTEM32\dla\bak


    Click below the line of folders.txt and paste the list.
    Close folders.txt and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new awf.txt log. Please post the contents of the new awf.txt log here.
     
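The FindAWF workflow laid out in the two posts above (option 1 scan, option 2 restore, option 3 remove bak folders), written out as an added Python example; this is not FindAWF's own code. It builds a constructed temporary tree whose file names are borrowed from the awf.txt logs above (the file contents are made-up bytes, not real binaries), classifies each live file against its bak copy by SHA-256, restores the originals, and then removes only those bak folders whose contents now match the live files. Killing a running process before replacing its file, which FindAWF does, is left out.

```python
"""
Find the 'bak' folders an AWF-style swap leaves behind, compare each saved
original with the same-named file one level up, restore the originals and
then remove the bak folders. Added illustration of FindAWF options 1-3 as
described in the thread; not FindAWF's code. The sample tree is constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAK = "bak"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(bak_file):
    """State of the live file that sits one level above this bak copy."""
    live = bak_file.parent.parent / bak_file.name
    if not live.exists():
        return "missing"      # nothing in the parent folder at all
    if sha256_of(live) == sha256_of(bak_file):
        return "identical"    # original already back in place
    return "rogue"            # same name, different bytes: the swapped-in file

def scan_bak_folders(root):
    """Option 1: every file under a folder named 'bak', with its state."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != BAK:
            continue
        for name in files:
            findings.append({"bak": d / name, "live": d.parent / name,
                             "state": classify(d / name)})
    return findings

def restore_originals(findings):
    """Option 2: overwrite the rogue (or absent) live file with the bak copy.
    FindAWF first kills the process if it is running; that step is omitted."""
    restored = []
    for f in findings:
        if f["state"] in ("rogue", "missing"):
            if f["live"].exists():
                f["live"].unlink()
            shutil.copy2(f["bak"], f["live"])
            restored.append(f["live"])
    return restored

def remove_bak_folders(root):
    """Option 3: delete a bak folder only when every file in it matches the
    live copy (or the folder is empty), so nothing unrestored is lost."""
    removed = []
    for dirpath, _dirs, files in os.walk(root, topdown=False):
        d = Path(dirpath)
        if d.name.lower() == BAK and all(classify(d / n) == "identical" for n in files):
            shutil.rmtree(d)
            removed.append(d)
    return removed

def build_sample_tree(root):
    """Constructed layout: a rogue live file, an original with no live file,
    an already-identical pair, and an empty bak folder (like MESSEN~1\\BAK).
    File names echo the awf.txt above; the bytes are made up."""
    cases = [
        ("Program Files/QuickTime", "qttask.exe", b"ORIGINAL qttask", b"ROGUE dropper"),
        ("WINDOWS/SYSTEM32", "DSentry.exe", b"ORIGINAL DSentry", None),
        ("WINDOWS/SYSTEM32", "ctfmon.exe", b"ORIGINAL ctfmon", b"ORIGINAL ctfmon"),
    ]
    for folder, name, original, live in cases:
        parent = root / folder
        (parent / BAK).mkdir(parents=True, exist_ok=True)
        (parent / BAK / name).write_bytes(original)
        if live is not None:
            (parent / name).write_bytes(live)
    (root / "Program Files/Messenger" / BAK).mkdir(parents=True, exist_ok=True)

def demo():
    """scan -> restore -> scan -> remove on the constructed tree."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    try:
        build_sample_tree(root)
        before = {f["live"].name: f["state"] for f in scan_bak_folders(root)}
        restored = restore_originals(scan_bak_folders(root))
        after = {f["live"].name: f["state"] for f in scan_bak_folders(root)}
        removed = remove_bak_folders(root)
        leftover = [p for p in root.rglob(BAK) if p.is_dir()]
        return {"before": before, "restored": len(restored), "after": after,
                "removed": len(removed), "leftover": len(leftover)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The size-and-date match FindAWF prints in its "Duplicate files" section is a weaker test than a hash: the rogue copy is often padded to the original's size and given its timestamp, which is why the scanner above compares digests and only ever deletes a bak folder after the live file has been confirmed identical to it.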
  17. 2008/01/02
    jgalvi

    results

    Dave,
    I ran it again. Also, don't know if this is related to anything you have looked at already but I consistently get error msgs when closing Internet Explorer. Like these:
    iexplore.exe - Application error
    The instruction at "0x6230b361" referenced memory at "0x6230b361". The memory could not be "read".
    The instruction at "0x6600accc" referenced memory at "0x6600accc". The memory could not be "read".

    Here are the results of the AWF scan:

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Wed 01/02/2008
    The current time is: 20:22:47.27


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  18. 2008/01/02
    noahdfear

    Run FindAWF option 3 again then paste the following in folders.txt and save.

    C:\PROGRA~1\MESSEN~1\BAK

    Let me know if it still shows up in the new awf.txt log.


    That error may be due to a browser add-on. I'll review your log while awaiting your response on the FindAWF run.
     
  19. 2008/01/02
    jgalvi

    ran again

    Dave,
    Here are the results:
    tks,
    Jon

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Wed 01/02/2008
    The current time is: 22:15:06.84


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  20. 2008/01/02
    noahdfear

    Great! The AWF infection generally adds entries to the registry that can give trusted permissions to many bad domains. Let's make sure we remove those.

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 4 then Enter to reset domain zones
    then press 1 to continue at the next screen.
    This removes all entries from the domain zones.
    At the next screen, press E to exit.
    You can now delete FindAWF.exe


    Let's do a bit of cleanup, then run an online scan to be sure we haven't missed anything.

    Click Start>Run and type ComboFix /u then hit enter. This will uninstall ComboFix and remove its quarantined items.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh dss log. Let me know if you're still getting errors with IE.
     
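Before running the "reset domain zones" step (FindAWF option 4) it is worth listing what the ZoneMap currently holds, since the reset wipes every entry, legitimate or not. The following is an added Python example, not FindAWF code: it parses the text of a `reg export` of the ZoneMap\Domains key (so it runs anywhere without touching the registry) and reports hosts that have been moved into a zone more permissive than Internet. The export text and the domain names in it are constructed for this example; the zone ids (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites) are Internet Explorer's.

```python
"""
List what Internet Explorer's ZoneMap currently grants, so the 'reset domain
zones' step can be checked before and after it runs. Works on the text of a
'reg export' of the ZoneMap\\Domains key rather than the live registry, so it
runs on any platform. Added example, not FindAWF code; the export below is
constructed, with made-up domain names.
"""
import re

# IE URL security zone ids.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")

# Constructed output of: reg export "HKCU\...\ZoneMap\Domains" zones.reg
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\update]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adware.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\banned.test]
"http"=dword:00000004
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')

def parse_zonemap_export(text):
    """One dict per scheme value found under ZoneMap\\Domains.
    A subkey under a domain key is a host label: Domains\\microsoft.com\\update
    is update.microsoft.com. A value named '*' applies to every scheme."""
    entries, rel = [], None
    prefix = DOMAINS_KEY.lower() + "\\"
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            rel = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = VALUE_RE.match(line)
        if m and rel:
            labels = rel.split("\\")
            entries.append({"domain_key": DOMAINS_KEY + "\\" + labels[0],
                            "host": ".".join(reversed(labels)),
                            "scheme": m.group(1), "zone": int(m.group(2), 16)})
    return entries

def trusted_overrides(entries):
    """Hosts placed in a zone more permissive than Internet (id 3). These are
    the entries an adware installer adds so its sites escape the normal
    Internet-zone restrictions; review each before deciding it is bad."""
    return sorted((e["host"], e["scheme"], ZONE_NAMES[e["zone"]])
                  for e in entries if e["zone"] < 3)

def domain_keys(entries):
    """Top-level domain keys a full reset would delete (option 4 removes all
    of them, which also clears any legitimate entries)."""
    return sorted({e["domain_key"] for e in entries})
```

On the affected machine the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zones.reg`; keep that export, because after a blanket reset any legitimate entry (a corporate intranet site, for instance) has to be re-added by hand.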
  21. 2008/01/03
    jgalvi

    not sure how to proceed - please provide more info

    Dave,
    I followed the steps you outlined until I got to the part about Kaspersky WebScanner or Online Scanner. I was not able to find this program on the Kaspersky site. Instead, I downloaded Kaspersky Antivirus 7.0. [Also, prior to doing this I downloaded and ran Spybot - Search and Destroy]. Not sure if you really wanted me to run these programs or really something else. In any case, booting the computer and in fact, doing anything, was very slow after I installed Kaspersky and I'm not sure if it was because the program was running or because there is some conflict with the programs. For now, I stopped the Kaspersky program from completing its updates and scanning...will wait to complete the steps you outlined until I hear from you.
    tks,
    Jon
     
