This morning my wife informed me that she was getting some strange popups asking for PayPal information. They looked eerily similar to the old Windows Messenger popups (which I disabled a long time ago). They knew her name (also the name of her profile on our computer), and kept asking for PayPal info... saying they were the FBI. They even warned about shutting off our Internet -- and then the network connections icon popped up in the sys tray and we temporarily lost our Internet connection.
We are not on any wireless LAN or anything like that.
Here is the HijackThis/Deckard's log:
Deckard's System Scanner v20070826.66
Run by Todd on 2007-09-02 16:13:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
98: 2007-09-02 20:13:35 UTC - RP692 - Deckard's System Scanner Restore Point
97: 2007-09-02 16:32:00 UTC - RP691 - Configured AVG 7.5
96: 2007-09-02 12:33:02 UTC - RP690 - System Checkpoint
95: 2007-09-01 12:24:02 UTC - RP689 - System Checkpoint
94: 2007-08-31 03:07:39 UTC - RP688 - Software Distribution Service 3.0
-- First Restore Point --
1: 2007-06-04 14:37:13 UTC - RP595 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Todd.exe) ------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:07 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Todd\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Todd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Xfire Music] "C:\Program Files\Xfire\xfiremusic.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119w.bay119.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames...z.cab58570.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E22AF79-77EA-426C-95CA-7D2583E2A2B9}: NameServer = 192.168.15.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E22AF79-77EA-426C-95CA-7D2583E2A2B9}: NameServer = 192.168.15.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E22AF79-77EA-426C-95CA-7D2583E2A2B9}: NameServer = 192.168.15.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 8134 bytes
-- File Associations -----------------------------------------------------------
.js - JSFile - DefaultIcon - "F:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&57AEB29&0&01
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV00DF\4&57AEB29&0&01
Service: NVENETFD
-- Scheduled Tasks -------------------------------------------------------------
2007-09-01 09:04:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-03-18 03:00:00 252 --a------ C:\WINDOWS\Tasks\Rising Conflicts Updates.job
-- Files created between 2007-08-02 and 2007-09-02 -----------------------------
2007-09-02 16:14:58 0 d-------- C:\Program Files\Trend Micro
2007-09-02 14:55:16 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-02 14:55:15 0 d-------- C:\WINDOWS\LastGood
2007-09-02 12:39:40 0 d-------- C:\Program Files\xp-AntiSpy
2007-08-26 12:55:43 0 d-------- C:\Documents and Settings\Todd\Application Data\Xfire Plus
2007-08-26 12:55:32 0 d-------- C:\Program Files\Xfire Plus
2007-08-18 16:21:54 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2007-08-13 21:11:03 0 d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2007-08-04 10:07:26 0 d-------- C:\Program Files\iPod
2007-08-04 10:07:23 0 d-------- C:\Program Files\iTunes
2007-08-02 14:35:07 0 dr-h----- C:\$VAULT$.AVG
-- Find3M Report ---------------------------------------------------------------
2007-09-02 15:40:26 0 d-------- C:\Program Files\SmartFTP Client 2.0
2007-09-02 14:51:10 0 d-------- C:\Program Files\A1Click Ultra PC Cleaner
2007-09-02 14:51:04 0 d-------- C:\Program Files\A1Clean
2007-09-01 23:49:31 0 d-------- C:\Documents and Settings\Todd\Application Data\Azureus
2007-09-01 15:03:26 0 d-------- C:\Documents and Settings\Todd\Application Data\Xfire
2007-09-01 14:33:30 0 d---s---- C:\Program Files\Xfire
2007-09-01 13:48:04 0 d-------- C:\Program Files\DivX
2007-08-26 10:41:09 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-24 19:49:32 0 d-------- C:\Program Files\RegVac Registry Cleaner
2007-08-24 19:47:41 0 d-------- C:\Program Files\Azureus
2007-08-24 19:40:55 0 d-------- C:\Documents and Settings\Todd\Application Data\AVG7
2007-08-23 23:53:59 48128 --a------ C:\WINDOWS\system32\lpr.exe
2007-08-04 10:04:27 0 d-------- C:\Program Files\QuickTime
2007-07-31 21:31:41 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-29 20:33:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 12:49:37 0 d-------- C:\Program Files\Veoh Networks
2007-07-26 22:26:53 0 d-------- C:\Program Files\SystemRequirementsLab
2007-07-26 22:26:53 0 d-------- C:\Documents and Settings\Todd\Application Data\SystemRequirementsLab
2007-07-26 19

22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:03:48 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 19:03:48 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 19:03:38 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-26 19:03:38 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:38 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:38 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:02 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-24 22:00:54 3912 --a------ C:\WINDOWS\mozver.dat
2007-07-24 22:00:08 0 d-------- C:\Documents and Settings\Todd\Application Data\Real
2007-07-24 21:59:27 0 d-------- C:\Program Files\Common Files
2007-07-24 21:59:27 0 d-------- C:\Program Files\Common Files\xing shared
2007-07-24 21:59:24 0 d-------- C:\Program Files\Common Files\Real
2007-07-23 16:24:50 0 d-------- C:\Program Files\EA SPORTS
2007-07-19 21:25:28 0 d-------- C:\Program Files\Java
2007-07-10 19:35:58 0 d-------- C:\Documents and Settings\Todd\Application Data\GameHouse
2007-07-08 13:17:22 0 d-------- C:\Program Files\IrfanView
2007-06-29 00:43:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [06/01/2006 11:34 AM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [06/01/2006 11:34 AM C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"SoundMan"="SOUNDMAN.EXE" [11/11/2005 03:07 PM C:\WINDOWS\soundman.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [03/28/2006 05:38 PM C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/2005 12:11 AM]
"NWEReboot"="" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 08:42 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08/16/2007 03:25 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/24/2007 09:59 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/29/2007 12:43 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"Xfire Music"="C:\Program Files\Xfire\xfiremusic.exe" [11/20/2006 10:12 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [05/19/2005 08:38 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 AM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
C:\Documents and Settings\Todd\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 9:16:50 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [7/29/2006 9:35:53 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 8:50:52 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2/17/2006 11:39:33 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a8e17c22-6f31-11da-acf3-806d6172696f}]
AutoRun\command- D:\Setup\rsrc\autorun.exe
dinstall\command- D:\Directx\dxsetup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{76277BAE-0003-7541-B287-7107A6F49FC2}]
C:\WINDOWS\system32:lpr.exe
-- End of Deckard's System Scanner: finished at 2007-09-02 16:15:44 ------------
Here is the Panda soft scan, too:
Incident Status Location
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.com.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.2o7.net/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[.xiti.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\lg2sgdfl.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.com.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.go.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[stats1.clicktracks.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.overture.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[statse.webtrendslive.com/S129102]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.adtech.de/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Todd\Application Data\Mozilla\Firefox\Profiles\eahvs6j5.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Todd\Cookies\todd@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Todd\Cookies\todd@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Todd\Cookies\todd@dist.belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Todd\Cookies\todd@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Todd\Cookies\todd@go[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Todd\Cookies\todd@target[1].txt
Virus:Trj/Downloader.MDW Not disinfected C:\Program Files\A1Clean\Undo20070708Temp-7.zip[C:/Documents and Settings/Lisa/Local Settings/Temporary Internet Files/Content.IE5/QB2NEDQB/popcaploader[1].cab][PopCapLoader.dll]
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/SaveNow Not disinfected F:\program files\DAEMON Tools\SetupDTSB.exe
The viruses that Panda detected were gaming software my wife uses, and A1PC Cleaner, a system tool made by SuperWin.com. I don't use it much, but I use some of his other software all the time (RegVac).
Thanks in advance.