My computer has a mind of its' own

[crazycavgirl]

I have been having problems with my computer having a mind of its' own. Sometimes, when I'm using Firefox (it does it with IE, also), it will suddenly scroll all the way to the bottom of the page and not let me scroll back up. And when I click on something, for example, when I've done a search with google and wish to click on a link, it will DOWNLOAD the link properties. And if I double click on "My Computer" to open it up, it shows me the PROPERTIES of the drive. Sometimes everything works just fine, though. I've ran my McAfee Virus Scan, Panda ActiveScan, and AVG and they have found nothing. I ran Ad-Aware SE and SpyBot- Search & Destroy and they only found some minor items. I also did everything else that it says to do in the sticky. But the problems haven't stopped. I ran HiJackThis and I need help decifering what is bad and what is supposed to be there. I would really appreciate it!!! Also, when I start my computer, the message "Error Loading C:\Progra~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL Program Not Fournd" and I get another error entitled "swdoctor" that says "Error while creating the log: Class not registered". I used to Add/Remove program to remove SW Doctor a while back, so I don't understand why this keeps popping up. Plus, I had THOUGHT that I got rid of the MyWebSearch bar.

Thanks in advance,
Crystal

Logfile of HijackThis v1.99.1
Scan saved at 5:49:15 PM, on 11/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Jacob & Crystal\Desktop\AdwareSpyware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Accurate Spam Filter For OE] "C:\Program Files\Accurate Spam Filter For Outlook Express\AccurateAntiSpam.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

[fredmh]

Hello crazycavgirl, and welcome to TSF.


I am currently reviewing your log and I will be back with a fix for your problem as soon as possible.


You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient during this review time.



Spyware Dotor is still on your system. Do you want to remove it completly?

[crazycavgirl]

Yes, I ran a search for Spyware Doctor last night and saw that it was still there, along with another program called "AccurateAntiSpam" that I had thought that I had removed. Apparently, when I uninstalled them, it didn't COMPLETELY uninstall them. But I don't know how to finish getting rid of them. They are both in my startup menu, also, so whenever I start the computer up, I get error messages as it tries to load them. Same goes for that MyWebSearch Bar (which I don't know where it came from).

I really appreciate it!
-Crystal

[fredmh]

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

MULTIPLE ANTI-VIRUS PROGRAMS


You are currently running multiple Anti Virus programs.

Unlike firewalls, anti-virus programs have conflicts co-existing with each other
This can cause conflicts and confusion between the AV programs as well as system instability.
Please choose and run only 1 and uninstall the other.

ALL the antivirus programs must be removed via Start>Control Panel>Add/Remove program.

For any program that doesn't have an add/remove entry, you will have to do this:
Re-install the program -> Reboot -> Uninstall


The Anti-Virus Programs on your system are:

McAfee
AVG Free


----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5



Please download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

1. Install AVG Anti-Spyware 7.5.
2. Double-click the icon on Desktop to launch AVG A-S 7.5
3. On the top of the main screen click Shield
4. Click the word active to change it to inactive
5. On the top of the main screen click Update.
6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MyWebSearch
MyWay
Spyware Doctor
Accurate Spam Filter For OE

If any of these programs are not present, please continue with the rest of the fix.

----------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Accurate Spam Filter For OE] "C:\Program Files\Accurate Spam Filter For Outlook Express\AccurateAntiSpam.exe"[/b]


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\PROGRAM FILES\MYWEBSEARCH
C:\Program Files\Spyware Doctor
C:\Program Files\Accurate Spam Filter For Outlook Express

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

• Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
  This scan can take quite a while to run, so be prepared.
• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  
  
  
  
• When the scan is complete click Recommended Action and change it to Quarantine (1),
• If not click Recommended Action and choose Quarantine from the popup menu. (2)
• At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
----------------------------------------

FOLLOW-UP

Please return and post these items:


AVG A/S
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

[crazycavgirl]

OK, I did everything that you said to do.

First off, I had McAfee shut down, so I thought that it was OK to temporarily run AVG Free Scan. Regardless, I uninstalled AVG Free Scan and am using only McAfee. Upon completion of doing everything, I noticed two new icons have appeared on my desktop. The are called "ethumbs.db" and "Thumbs.db". I'm not sure why they are there or what to do with them.

My AVG A/S log is huge and I can't post it in the forum unless I break it up into 30 posts. So please tell me what to do so that you can view that.

Here is my Panda ActiveScan log:


Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-112.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-113.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-114.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-115.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-116.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-117.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-118.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-119.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-120.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-121.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-122.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-158.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-158.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-159.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-159.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-160.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-160.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-161.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-161.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-162.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-162.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-163.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-163.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-164.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-164.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-165.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-166.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-167.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-168.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-169.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-170.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-171.txt[searchportal.information.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-179.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-180.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-181.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-182.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-183.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-184.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-185.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-186.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-187.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-188.txt[.ccbill.com/]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-189.txt[.ccbill.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-33.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-34.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-37.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-38.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-39.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-40.txt[searchportal.information.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cookies-57.txt[searchportal.information.com/]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll




Here is my new HTJ log:

Logfile of HijackThis v1.99.1
Scan saved at 8:24:19 AM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

Thank You!
-Crystal

[fredmh]

Please zip the AVG A/S and post it as an attachment.

[crazycavgirl]

I hope I did it right!

AVG Anti-Spyware Scan Report.zip

Thanks!
Crystal

[fredmh]

WOW!!!

While I'm reviewing these logs, please clean out your firefox cookies:


Clear Firefox' Cookies

• Open Firefox.
• Click Tools » Options.
• Click the Privacy tab, then the Cookies tab.
• Click the Clear Cookies Now button.
• Then click OK to exit.

[crazycavgirl]

I'm sorry, it's been a little while since I've done that.

But it's done now!

-Crystal

[fredmh]

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

Your logs are starting to look a lot better.

As to your other question: The Thumbs.db is normally a hidden file. It is a database file containing the small images displayed when you view a
folder in "thumbnail" view (as opposed to tile, icon, list, or detail view). They've appeared because we've unhid system files--they 'go away' once
we re-hide the files when we're through.

This next fix will take care of some leftovers and let me know if anything else is hiding in your system.

----------------------------------------

DOWNLOADS



ComboFix


1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS



UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

c:\windows\system32\f3PSSavr.scr

C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll

----------------------------------------


SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

ON-LINE SCANS


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
  We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items:

c:\combofix.txt
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

[crazycavgirl]

I downloaded the COMBOFIX to my desktop, but when I open it, a MSDOS window pops up for a second and then disappears very quickly. I can tell that it says C: something, but that's it. It doesn't appear to be doing anything.

Should I just go ahead with the rest of your instructions?
-Crystal

[fredmh]

Go ahead with the rest of the fix and look for the C\:combofix.txt file

[crazycavgirl]

I deleted the two files and here is the Kaspersky Online Scanner log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 30, 2006 5:12:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/11/2006
Kaspersky Anti-Virus database records: 247029
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 71389
Number of viruses found: 10
Number of infected objects: 36 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:48:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\cert8.db Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\history.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\key3.db Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\parent.lock Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Application Data\Mozilla\Firefox\Profiles\sbgfwnjp.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\History\History.IE5\MSHist012006113020061201\index.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Temp\Perflib_Perfdata_204.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Temp\~DF3FF8.tmp Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Temp\~DF762C.tmp Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jacob & Crystal\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Jacob & Crystal.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Jacob & Crystal.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Jacob & Crystal.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1381202016-210873337-560807926-1005\Dc1.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\RECYCLER\S-1-5-21-1381202016-210873337-560807926-1005\Dc2.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP130\change.log Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020747.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020748.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020751.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020753.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020756.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020757.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020758.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020761.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020762.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020765.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020768.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020769.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020770.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020772.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020773.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020774.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP47\A0020775.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021860.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021862.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.al skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021864.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021867.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021868.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021869.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.v skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021872.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021873.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021876.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021879.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021880.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021881.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021883.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP48\A0021884.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP50\A0022058.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP50\A0022060.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP50\A0022061.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{B0D83C9B-33E0-46EF-B568-5DA57B014E6A}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D2D5113B-C87B-4FEF-BE66-9224E54ECFE7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[crazycavgirl]

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:14:19 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacob & Crystal\Desktop\AdwareSpyware Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZZ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\system32\IomegaAccess.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe



I was unable to find the C\:combofix.txt file anywhere.

Thanks,
Crystal

[fredmh]

We are going to try another version of ComboFix:


ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


please post the c:\combofix.txt log

[crazycavgirl]

It's doing the same thing as the first version. The window opens and closes so fast that I can't even get a screen capture to see the text that it's displaying.

-Crystal

[fredmh]

OK. I'm going to contact the tool's author and see what can be done.

[fredmh]

While I'm waiting for a reply, please follow these steps:



Clean Temporary Files

• Go to Start » Run » type: cleanmgr » OK.
• Choose (C:) and then click OK.
• Make sure these are the only ones that are checked :
  • Temporary Internet Files
  • Temporary Files
  • Recycle Bin
• Click OK to remove them.
• Click Yes to confirm the deletion.

Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

• To turn off System Restore click Start > Right Click My Computer > Properties.
• Click the System Restore tab and Check
• "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply.
• When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.
  
  
• Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties.
• Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
• Click Apply, and then OK.

This will create a new Restore Point.

Please let me know how your system is bahaving.

[fredmh]

After we go back to that, let's try ComboFix again:

1 = Delete this file c:\subs

2= Check for a file c:\ComboLog. If found, please post the contents.


3= ComboFix - delete any previous versions


ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Also, please run:



GMER ANTI-ROOTKIT


Download GMER and extract it to your desktop.

Double-click gmer.exe to run it and select the Rootkit tab

Press scan

When it has finished, press copy and paste the log back here.

[fredmh]

Regarding ComboFix: Here is the response from the tool's author:

Found the problem. The user profile's name has an ampersand (&). I created a new userprofile & it encountered the same problem. Have her run it from a user account that doesnt have an ampersand in it. If they dont have a preexisting account, boot to safe mode as administrator