Old 01-25-2008, 02:49 PM   #21 (permalink)
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

Ok, here is 2118
Antivirus Version Last Update Result
AhnLab-V3 2008.1.17.11 2008.01.17 -
AntiVir 7.6.0.48 2008.01.17 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.17 Dropped:Adware.Fakealert.AB
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.17 Trojan.Fakealert-50
DrWeb 4.44.0.09170 2008.01.17 Trojan.Fakealert.373
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5465 2008.01.17 -
Ewido 4.0 2008.01.17 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.17 -
F-Prot 4.4.2.54 2008.01.16 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.17 -
Kaspersky 7.0.0.125 2008.01.17 not-a-virus:FraudTool.Win32.XPAntivirus.b
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.17 -
NOD32v2 2801 2008.01.17 probably a variant of Win32/TrojanDownloader.Banload.BJY
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.17 -
Prevx1 V2 2008.01.17 -
Rising 20.27.31.00 2008.01.17 -
Sophos 4.24.0 2008.01.17 Mal/Emogen-P
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.17 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 suspected of Trojan-Downloader.WarSpy.1
VirusBuster 4.3.26:9 2008.01.16 -
Webwasher-Gateway 6.0.1 2008.01.17 -
Additional information
File size: 1513472 bytes
MD5: 737a3008102b542756c53fb37e702897
SHA1: 7d407469c49e9eadbbbebb5bd93c5f43f853f456
PEiD: -
packers: UPX

Here is 7417
Antivirus Version Last Update Result
AhnLab-V3 2008.1.17.11 2008.01.17 -
AntiVir 7.6.0.48 2008.01.17 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.16 -
BitDefender 7.2 2008.01.17 Dropped:Adware.Fakealert.AB
CAT-QuickHeal 9.00 2008.01.16 -
ClamAV 0.91.2 2008.01.17 Trojan.Fakealert-50
DrWeb 4.44.0.09170 2008.01.17 Trojan.Fakealert.373
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5465 2008.01.17 -
Ewido 4.0 2008.01.17 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.17 -
F-Prot 4.4.2.54 2008.01.16 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.17 -
Kaspersky 7.0.0.125 2008.01.17 not-a-virus:FraudTool.Win32.XPAntivirus.b
McAfee 5209 2008.01.16 -
Microsoft 1.3109 2008.01.17 -
NOD32v2 2801 2008.01.17 probably a variant of Win32/TrojanDownloader.Banload.BJY
Norman 5.80.02 2008.01.16 -
Panda 9.0.0.4 2008.01.17 -
Prevx1 V2 2008.01.17 -
Rising 20.27.31.00 2008.01.17 -
Sophos 4.24.0 2008.01.17 Mal/Emogen-P
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.17 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 suspected of Trojan-Downloader.WarSpy.1
VirusBuster 4.3.26:9 2008.01.16 -
Webwasher-Gateway 6.0.1 2008.01.17 -
Additional information
File size: 1513472 bytes
MD5: 737a3008102b542756c53fb37e702897
SHA1: 7d407469c49e9eadbbbebb5bd93c5f43f853f456
PEiD: -
packers: UPX
Bad stuff, huh??
Tps.llc is offline  
Old 01-25-2008, 03:40 PM   #22 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

Yes, indeed. I'd like to try to collect samples of those also.

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/212711-pop-ups-keep-coming.html

File::
C:\Documents and Settings\Kallen's\12630
C:\Documents and Settings\Kallen's\7424
C:\Documents and Settings\Kallen's\6046
C:\Documents and Settings\Kallen's\26928
C:\Documents and Settings\Kallen's\5383
C:\Documents and Settings\Kallen's\msftp.dll

Collect::
C:\Documents and Settings\Kallen's\7417
C:\Documents and Settings\Kallen's\2118


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------

If for some reason ComboFix does not produce a complete log:

Go to Start > Run and copy/paste the following, then press Enter:

C:\ComboFix\Combobatch.bat
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-25-2008, 03:56 PM   #23 (permalink)
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

Ok, the file is on its way and here is the report.

ComboFix 08-01-23.1C - Kallen's 2008-01-25 16:51:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511 [GMT -6:00]
Running from: C:\Documents and Settings\Kallen's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kallen's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Kallen's\12630
C:\Documents and Settings\Kallen's\26928
C:\Documents and Settings\Kallen's\5383
C:\Documents and Settings\Kallen's\6046
C:\Documents and Settings\Kallen's\7424
C:\Documents and Settings\Kallen's\msftp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kallen's\2118
C:\Documents and Settings\Kallen's\7417

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 16:45 . 2008-01-25 16:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-23 19:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 19:06 . 2007-04-10 03:09 211 --a------ C:\Boot.bak
2008-01-23 19:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 14:43 . 2008-01-21 14:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-17 15:25 . 2008-01-17 15:25 <DIR> d-------- C:\ie-spyad_zo
2008-01-16 19:05 . 2008-01-16 19:05 <DIR> d-------- C:\Deckard
2008-01-16 18:52 . 2008-01-16 18:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-16 16:23 . 2008-01-16 18:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-16 16:23 . 2008-01-16 16:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-16 16:23 . 2008-01-16 16:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-16 16:23 . 2008-01-16 16:33 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 03:10 . 2008-01-15 14:30 3,412 --a------ C:\ntboot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 22:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 13:13 --------- d-----w C:\Program Files\Google
2008-01-20 13:00 --------- d-----w C:\Program Files\Paint Shop Pro 6
2008-01-20 12:54 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-20 12:52 --------- d-----w C:\Program Files\The Learning Company
2008-01-16 23:49 --------- d-----w C:\Program Files\System Soap Pro
2008-01-16 23:37 --------- d-----w C:\Program Files\Norton 360
2008-01-16 23:31 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-12 16:46 --------- d-----w C:\Program Files\Click'N Design 3D (V5)
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-15 22:22 --------- d-----w C:\Program Files\BIAS
2007-12-15 21:54 --------- d-----w C:\Program Files\proDAD
2007-12-15 21:36 --------- d-----w C:\Program Files\AdorageI-GfxDatas
2007-12-15 21:35 --------- d-----w C:\Program Files\AdorageI-SAL
2007-12-15 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 21:01 --------- d-----w C:\Program Files\Pinnacle
2007-12-15 12:32 --------- d-----w C:\Program Files\AIM
2007-12-15 12:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 10:18 --------- d-----w C:\Program Files\Sonic Foundry
2007-12-09 12:04 --------- d-----w C:\Program Files\Pure Motion
2007-12-09 12:04 --------- d-----w C:\Program Files\DebugMode
2007-12-05 21:42 160,297 ----a-w C:\WINDOWS\Sqirlz Morph Uninstaller.exe
2007-12-05 21:42 --------- d-----w C:\Program Files\Sqirlz Morph
2007-12-05 08:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 08:40 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 08:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 08:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 08:40 --------- d-----w C:\Program Files\Symantec
2007-12-01 05:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 05:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 05:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 05:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 05:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 05:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 05:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_19.46.58.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 01:04:07 1,425,408 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 22:51:29 1,433,600 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 01:04:07 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 22:51:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 01:04:07 1,421,312 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 22:51:30 1,425,408 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 01:04:07 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 22:51:30 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 01:04:07 10,248,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-25 22:51:30 10,268,672 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 01:04:07 204,800 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 22:51:30 204,800 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 20:44:05 4,386 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{72185751-3B53-4E9A-9F06-7E260E790A49}.bin
- 2008-01-24 01:21:13 73,668 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-25 21:42:56 73,668 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-24 01:21:13 448,774 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-25 21:42:56 448,774 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40 218032]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2007-10-10 04:59 625152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 11:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 11:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 11:50 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40 86960]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 17:05 1117184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 01:27 176128]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 19:09 842584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 2236 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-12-20 13:05 227328 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-05-15 08:14 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 18:33:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 09:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
"2008-01-13 17:26:00 C:\WINDOWS\Tasks\WebReg 20060802112613.job"
- c:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20060802112613 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 16:56:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 16:57:42
ComboFix-quarantined-files.txt 2008-01-25 22:57:40
ComboFix2.txt 2008-01-25 20:56:58
.
2008-01-24 00:33:09 --- E O F ---
Tps.llc is offline  
Old 01-25-2008, 04:11 PM   #24 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

Thanks again, you can now delete the zip file. Did ComboFix complete on its own that time, or did it need "prompting"?

Go to Start > Run and copy/paste the following, then press Enter:

sc stop mp32

Next...

Go to Start > Run and copy/paste the following, then press Enter:

sc delete mp32

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Save the file as "fix.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the drop-down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------


Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Run Deckard's System Scanner once again, and post its log.

---------------------------------------------------------------------------------------------

Also let me know how the machine is behaving.
tetonbob is offline  
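As an added example (not from the thread, and not code from ComboFix or any other tool named here): a small Python checker that reads the "Reg Loading Points" section of a ComboFix log the way the reply above reads it by hand, and flags the two things acted on there: a DLL on the SecurityProviders line outside the stock XP list, and an autostart or driver entry whose file ComboFix could not find. The sample lines are copied from the log posted in this thread plus one constructed benign driver line; the baseline provider list, the line patterns and the function names are assumptions.

```python
import re

# Constructed sample input: the relevant lines from the ComboFix log posted in this
# thread, plus one benign driver line (SYMEVENT) written in the same format so the
# report has a healthy entry to compare against.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 11:49 94208]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll

S1 mp32;mp3 audio;C:\WINDOWS\system32\dxdss.sys []
R1 SYMEVENT;Symantec Event Library;C:\WINDOWS\system32\drivers\SYMEVENT.SYS [2007-12-05 08:40]
"""

# The four providers the helper's fix.reg keeps. Assumption: these are the stock
# Windows XP entries; adjust the baseline for other Windows versions.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Line shapes as they appear in the posted log (assumed to be stable across logs).
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<attrs>[^\]]*)\]$')
SERVICE_ENTRY = re.compile(
    r'^(?P<start>[SR]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<attrs>[^\]]*)\]$'
)
PROVIDERS_LINE = re.compile(r'^SecurityProviders\s+(?P<list>.+)$')


def parse_security_providers(log_text):
    """Return the DLLs listed on the SecurityProviders line, in order ([] if absent)."""
    for line in log_text.splitlines():
        m = PROVIDERS_LINE.match(line.strip())
        if m:
            return [p.strip() for p in m.group("list").split(",") if p.strip()]
    return []


def unexpected_providers(providers, baseline=BASELINE_PROVIDERS):
    """DLLs on the SecurityProviders line that are not in the known-good baseline.
    LSA (lsass.exe) loads every DLL named here at boot, so a foreign entry is a
    persistence point; the sample's ntoskrnl.dll is what the post's fix.reg removes."""
    return [p for p in providers if p.lower() not in baseline]


def missing_file_entries(log_text):
    """Autostart entries whose attribute block is empty ('[ ]' or '[]'), meaning
    ComboFix found no file at the referenced path: an orphaned Run value, or a
    service/driver whose image is already gone (the mp32 driver in the post)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_ENTRY.match(line)
        if m and not m.group("attrs").strip():
            findings.append(("run", m.group("name"), m.group("path")))
            continue
        m = SERVICE_ENTRY.match(line)
        if m and not m.group("attrs").strip():
            findings.append(("service", m.group("name"), m.group("path")))
    return findings


def fix_reg_for_providers(providers, baseline=BASELINE_PROVIDERS):
    """Render a REGEDIT4 fragment in the shape of the post's fix.reg: the
    SecurityProviders value rewritten with only the baseline DLLs, original order kept."""
    keep = [p for p in providers if p.lower() in baseline]
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
        f'"SecurityProviders"="{", ".join(keep)}"\n'
    )


def analyze(log_text):
    """Run both checks and return a small report dict."""
    providers = parse_security_providers(log_text)
    return {
        "providers": providers,
        "unexpected_providers": unexpected_providers(providers),
        "missing_files": missing_file_entries(log_text),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for p in report["unexpected_providers"]:
        print(f"SecurityProviders: unexpected DLL {p}")
    for kind, name, path in report["missing_files"]:
        print(f"{kind} entry {name!r} points at missing file {path}")
    if report["unexpected_providers"]:
        print(fix_reg_for_providers(report["providers"]))
```

Point it at a real log with `analyze(open("C:/ComboFix.txt").read())`; an empty attribute block is a hint, not proof, so confirm on disk before acting, as the helper does here with `sc stop` / `sc delete`.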
Old 01-25-2008, 07:47 PM   #25 (permalink)
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

Ok, got all the updates.
Here is the 1st log:
KASPERSKY ONLINE SCANNER REPORT
Friday, January 25, 2008 8:38:30 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/01/2008
Kaspersky Anti-Virus database records: 532950
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 219538
Number of viruses found: 6
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 02:20:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\85756CC1.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Kallen's\Application Data\~tmp.html Infected: not-virus:Hoax.Win32.Renos.cy skipped
C:\Documents and Settings\Kallen's\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe/data0013 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe/data0014 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe/data0015 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe/data0016 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe/data0017 Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe Inno: infected - 5 skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Temp\~DFDF58.tmp Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kallen's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kallen's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kallen's\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\DioCleanerPro\clsReg.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\DioCleanerPro\dc_ie_monitor.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\DioCleanerPro\uninstall.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\SpyKillerPro\helper.sys.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\SpyKillerPro\SpyKillerProUpdate.exe.vir Infected: not-a-virus:FraudTool.Win32.XPAntivirus.a skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\73L3JP8W\KingNeptunes_dh[1]/data0000.exe/WISE0017.BIN Infected: Trojan.Win32.DelFiles.s skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\73L3JP8W\KingNeptunes_dh[1]/data0000.exe Infected: Trojan.Win32.DelFiles.s skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\73L3JP8W\KingNeptunes_dh[1] Rsrc-Package: infected - 2 skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\SV4T6T6H\KingNeptunes_dh[1].exe/data0000.exe/WISE0017.BIN Infected: Trojan.Win32.DelFiles.s skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\SV4T6T6H\KingNeptunes_dh[1].exe/data0000.exe Infected: Trojan.Win32.DelFiles.s skipped
C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\SV4T6T6H\KingNeptunes_dh[1].exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000163.dll Infected: Trojan-Downloader.Win32.Small.hpa skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\change.log Object is locked skipped
C:\weirdontheweb_wild.exe/data0002 Infected: not-a-virus:AdWare.Win32.WeirWeb.a skipped
C:\weirdontheweb_wild.exe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\S5668C9F7.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{72185751-3B53-4E9A-9F06-7E260E790A49}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET6BC0.tmp Object is locked skipped
C:\WINDOWS\Temp\JET6F3A.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

2nd

Deckard's System Scanner v20071014.68
Run by Kallen's on 2008-01-25 20:39:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Kallen's.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:30 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Kallen's\Desktop\dss.exe
C:\DOCUME~1\Kallen's\Desktop\Virus\Kallen's.exe
C:\Program Files\HP\hpcoretech\soln\HPOSM.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...00030.0000010e
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160389912203
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} (WwLuxor Control) - http://www.worldwinner.com/games/v49/luxor/luxor.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://drm1.reelsurvey.com/ePlayer/V...ACNePlayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-games.pogo.com/onlin...meLauncher.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.3.0.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Kallen's/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 10364 bytes

-- Files created between 2007-12-25 and 2008-01-25 -----------------------------

2008-01-25 17:47:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 17:47:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-25 17:47:21 0 d-------- C:\WINDOWS\LastGood
2008-01-25 17:41:07 0 d-------- C:\Program Files\Common Files\Java
2008-01-25 16:45:43 0 d-------- C:\Program Files\Microsoft Silverlight
2008-01-23 1944 0 d-------- C:\cmdcons
2008-01-21 14:47:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-21 14:43:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-17 15:25:40 0 d-------- C:\ie-spyad_zo
2008-01-16 18:52:16 0 d-------- C:\Program Files\SpywareBlaster
2008-01-16 16:23:12 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-15 03:10:55 3412 --a------ C:\ntboot


-- Find3M Report ---------------------------------------------------------------

2008-01-25 17:42:00 0 d-------- C:\Program Files\Java
2008-01-25 17:41:07 0 d-------- C:\Program Files\Common Files
2008-01-25 17:40:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-25 17:31:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 07:13:24 0 d-------- C:\Program Files\Google
2008-01-20 07:00:57 0 d-------- C:\Program Files\Paint Shop Pro 6
2008-01-20 06:54:28 0 d-------- C:\Program Files\Common Files\Sandlot Shared
2008-01-20 06:52:56 0 d-------- C:\Program Files\The Learning Company
2008-01-20 06:33:20 134 --a------ C:\AUTOEXEC.BAT
2008-01-17 14:12:38 3397 --a------ C:\Documents and Settings\Kallen's\Application Data\~tmp.html
2008-01-16 17:49:05 0 d-------- C:\Program Files\System Soap Pro
2008-01-16 17:37:44 0 d-------- C:\Program Files\Norton 360
2008-01-16 17:31:46 0 d-------- C:\Program Files\Microsoft IntelliPoint
2008-01-12 10:46:26 0 d-------- C:\Program Files\Click'N Design 3D (V5)
2008-01-05 06:59:27 0 d-------- C:\Documents and Settings\Kallen's\Application Data\U3
2007-12-19 04:07:24 0 d-------- C:\Documents and Settings\Kallen's\Application Data\Download Manager
2007-12-15 16:22:11 0 d-------- C:\Program Files\BIAS
2007-12-15 15:54:26 0 d-------- C:\Documents and Settings\Kallen's\Application Data\proDAD
2007-12-15 15:54:23 0 d-------- C:\Program Files\proDAD
2007-12-15 15:36:49 0 d-------- C:\Program Files\AdorageI-GfxDatas
2007-12-15 15:35:49 0 d-------- C:\Program Files\AdorageI-SAL
2007-12-15 15:07:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-15 15:01:01 0 d-------- C:\Program Files\Pinnacle
2007-12-15 14:27:03 0 d-------- C:\Documents and Settings\Kallen's\Application Data\InstallShield
2007-12-15 06:32:38 0 d-------- C:\Program Files\AIM
2007-12-15 06:32:32 0 d-------- C:\Documents and Settings\Kallen's\Application Data\Aim
2007-12-15 06:31:52 0 d-------- C:\Program Files\Common Files\AOL
2007-12-15 06:31:52 0 d-------- C:\Documents and Settings\Kallen's\Application Data\AOL
2007-12-11 04:18:44 0 d-------- C:\Program Files\Sonic Foundry
2007-12-09 06:04:38 0 d-------- C:\Program Files\Pure Motion
2007-12-09 06:04:29 0 d-------- C:\Program Files\DebugMode
2007-12-05 15:42:05 160297 --a------ C:\WINDOWS\Sqirlz Morph Uninstaller.exe
2007-12-05 15:42:04 0 d-------- C:\Program Files\Sqirlz Morph
2007-12-05 02:40:07 0 d-------- C:\Program Files\Symantec
2007-12-01 11:03:15 0 d-------- C:\Documents and Settings\Kallen's\Application Data\PlayFirst
2007-11-27 05:57:19 0 d-------- C:\Documents and Settings\Kallen's\Application Data\Viewpoint
2007-10-27 04:35:10 83 --a------ C:\WINDOWS\lmka64.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 11:49 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 11:46 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 11:50 AM]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [09/11/2006 03:40 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [09/11/2006 03:40 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 03:20 AM]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [07/12/2005 05:05 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [01/05/2004 01:27 AM]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/12/2004 12:38 PM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05/12/2004 02:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 11:59 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 07:09 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 03:45 PM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [09/11/2006 03:40 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
@=C:\Program Files\Internet Explorer\iexplore.exe http://www.symantec.com/techsupp/ser...00030.0000010e

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/28/2004 9:31:38 PM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [5/28/2004 1036 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-01-25 20:40:35 ------------

Machine seems much quicker, able to go to MS and update and able to open Task Manager now.
ComboFix completed on its own this time, no prompting.
Have a question. When running ComboFix one of the times my background on desktop changed to a white swirly background. I went into settings to change it and the desktop background I can't change. I try to scroll to other backgrounds but nothing moves, like it's locked.
Tps.llc
01-25-2008, 07:55 PM   #26
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

ComboFix has a desktop repair in its routine, so it's unusual you'd have issues afterward.

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything. Also make sure the 'Lock desktop items' box is unticked. Click OK, and then click Apply, then OK.

See if you can then apply your normal desktop.


Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
REM remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\Kallen's\Desktop\tims\downloads\icur484.exe"
"C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\73L3JP8W\KingNeptunes_dh[1]"
"C:\salvage\c-drive\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\SV4T6T6H\KingNeptunes_dh[1].exe"
"C:\weirdontheweb_wild.exe"
"C:\Documents and Settings\Kallen's\Application Data\~tmp.html"

) do (
REM force-delete each file regardless of attributes, and log any that survive
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (

%systemdrive%\Deckard

) do (
REM remove the scanner's work folder, and log it if it survives
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
REM open the log of leftovers in Notepad, or report that everything went
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
REM the batch file removes itself when done
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat and allow it to run.

Post back to tell me what it says.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 01-25-2008 at 07:57 PM.
tetonbob
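As an added example for this part of the thread, not tetonbob's own fix: a report-and-fix batch file (assumed name fixdesk.bat) that uses reg.exe, which ships with XP, to check both hives for the NoSetActiveDesktop value that delete.reg removes, and goes beyond the post by also checking three related policy values that lock or hide the background in the same way, then lists any Active Desktop components, the entries HijackThis reports as O24 lines. It assumes an administrator account; without the /fix switch it only reports.

```batch
@echo off
REM Added example for this thread, not tetonbob's fix: audit the policy values that
REM lock the desktop background in both hives with reg.exe, and list any Active
REM Desktop components. Report-only by default; "fixdesk.bat /fix" deletes what it finds.
REM The first value is the one delete.reg removes; the other three are related
REM Explorer, ActiveDesktop and System policies that produce the same symptom.
setlocal enabledelayedexpansion
set "MODE=%~1"
set "HIT=0"

for %%p in (
  "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoSetActiveDesktop"
  "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoActiveDesktop"
  "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper"
  "Software\Microsoft\Windows\CurrentVersion\Policies\System|NoDispBackgroundPage"
) do (
  REM split each subkey and value-name pair into two loop variables
  for /f "tokens=1,2 delims=|" %%k in (%%p) do (
    for %%h in (HKLM HKCU) do (
      REM reg query exits non-zero when the value is absent, so errorlevel 0 means found
      reg query "%%h\%%k" /v %%l >nul 2>&1
      if not errorlevel 1 (
        set "HIT=1"
        echo FOUND   %%h\%%k  %%l
        if /i "!MODE!"=="/fix" (
          reg delete "%%h\%%k" /v %%l /f >nul 2>&1
          if errorlevel 1 (echo         could not delete - run as an administrator) else (echo         deleted)
        )
      )
    )
  )
)
if "!HIT!"=="0" echo No desktop-locking policy values found.

echo.
echo Active Desktop components registered for this user - nothing listed means none set:
reg query "HKCU\Software\Microsoft\Internet Explorer\Desktop\Components" /s 2>nul | find /i "Source"
endlocal
pause
```

Run it once without /fix to see what is set, and again with /fix after confirming the values are not ones your own administrator put in place.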
01-26-2008, 04:05 AM   #27
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

OK, followed through with the desktop, but each time I uncheck and apply, I still can't change the background, still not being able to choose. When I go back and look at the Web, the check is back. The fix.bat said Delete Successful.
Tps.llc
01-26-2008, 04:27 AM   #28
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

The file that the desktop keeps pointing to as background is
file:///C:/DOCUME~1/Kallen's/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

Every time I uncheck this and apply, I go back and look at it and it's checked again.
I then deleted it out of the background web page choices and then applied and still can't make a change on background. Then rebooted and went back and checked and that file was back. In Administrative Tools I found a file called desktop.ini. Could this be doing anything?
The file reads as below:
[LocalizedFileNames]
Component Services.lnk=@C:\WINDOWS\system32\comres.dll,-661
Computer Management.lnk=@%SystemRoot%\system32\shell32.dll,-22023
Event Viewer.lnk=@%SystemRoot%\system32\shell32.dll,-22029
Performance.lnk=@%SystemRoot%\system32\shell32.dll,-22055
Data Sources (ODBC).lnk=@%SystemRoot%\system32\shell32.dll,-22025
Services.lnk=@%SystemRoot%\system32\shell32.dll,-22059
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21762
01-26-2008, 05:08 AM   #29
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

OK, found something.
I ran this: Options to change wallpaper may be missing or unavailable on a Windows XP-based computer
Article ID: 921049
Last Review: August 25, 2006
Revision: 1.2
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry
SYMPTOMS
When you try to change the desktop wallpaper in a Microsoft Windows XP-based computer, the options may be missing or unavailable. Therefore, you cannot change your wallpaper or use other options that are located in the Display Properties dialog box. This problem may occur after you remove spyware from the system.

CAUSE
This problem occurs when a registry key is set to hide or to lock the display settings on the computer. The registry key can be set by an administration policy or by malicious software.

RESOLUTION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this problem, follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
3. In the right pane, right-click the NoDispAppearancePage value if the value exists, and then click Delete.
4. Repeat step 3 for the following registry values if these values exist in the registry:
• NoDispCPL
• NoDispBackgroundPage
• NoDispScrSavPage
• NoDispSettingsPage

Note Locate any registry value that says "Wallpaper" if it exists. In the right pane, right-click the registry value, click Delete, and then click OK.
5. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
6. In the right pane, right-click the NoDispAppearancePage value if the value exists, and then click Delete.
7. Repeat step 6 for the following registry values if these values exist in the registry:
• NoDispCPL
• NoDispBackgroundPage
• NoDispScrSavPage
• NoDispSettingsPage

Note Locate any registry value that says "Wallpaper" if it exists. In the right pane, right-click the registry value, click Delete, and then click OK.
8. For the changes to take effect, you may have to restart the computer after you delete these registry values.


MORE INFORMATION
The following list describes the previous registry values. The list also describes how the settings of these values affect the options that are located in the Display Properties dialog box:

Display Name: Disable Display Control Panel
Description: Prevents the Display icon in Control Panel from working
Value Name: NoDispCPL
Type: DWORD
Setting: 1 = Enabled and 0 (zero) = Disabled

Display Name: Hide Background page
Description: Prevents the displaying of the Background tab
Value Name: NoDispBackgroundPage
Type: DWORD
Setting: 1 = Enabled and 0 (zero) = Disabled

Display Name: Hide Screen Saver page
Description: Prevents the displaying of the Screen Saver tab
Value Name: NoDispScrSavPage
Type: DWORD
Setting: 1 = Enabled and 0 (zero) = Disabled

Display Name: Hide Appearance page
Description: Prevents the displaying of the Appearance tab
Value Name: NoDispAppearancePage
Type: DWORD
Setting: 1 = Enabled and 0 (zero) = Disabled

Display Name: Hide Settings page
Description: Prevents the displaying of the Settings tab
Value Name: NoDispSettingsPage
Type: DWORD
Setting: 1 = Enabled and 0 (zero) = Disabled

--------------------------------------------------------------------------------
I could not find the problem until I went into Active Desktop under Local Machine; there was a setting of No Change Wallpaper set at 1. I changed it to 0 and the background is able to be changed.....
All pop-ups have disappeared, puter is running quick again.
Now I need your advice on Norton 360. I have not been able to reset Phishing for it. Do I need it with Spybot S&D running? Was it a waste to have paid for Norton 360 for all three computers here at my house if it did not protect, and then have them tell me a charge of $110.00 to clean it? I did delete Ad-Aware. A tech that I had purchased this unit from had told me he himself did not like Norton, due to it seeming to use a lot of resources in the background to run; is this true? What would have been better to use? What downloads should I delete if the machine is clean that I do not need: SpyKiller, SpywareBlaster, ComboFix, etc., etc.?
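The KB steps quoted above, plus the NoChangingWallpaper value found under HKLM, can be checked without clicking through regedit: export the two Policies keys with reg export (HKCU and HKLM) and audit the text on a clean machine. The script below is an added example for this thread, not Microsoft's or the forum's code. It parses a constructed .reg-style dump (the paths in it are made up), reports which lockdown values are actually enforced (dword 1) versus merely present, treats a policy "Wallpaper" value the way the KB does, and emits the reg.exe commands that would remove the enforced ones. The ActiveDesktop key path and the NoChangingWallpaper value name are the standard policy location for what the post calls "No Change Wallpaper"; confirm the spelling against your own export.

```python
"""Audit an exported .reg file for the Display Properties lockdown values
listed in KB 921049 and for the Active Desktop NoChangingWallpaper policy.
Added example for this thread, not Microsoft's or the forum's code.
Run  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" hkcu.reg
(and the same for HKLM) on the suspect machine, then feed the text to
audit_reg_text(). The SAMPLE dump below is constructed; its paths are made up."""
import re

POLICY_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
POLICY_ACTIVEDESKTOP = r"software\microsoft\windows\currentversion\policies\activedesktop"

# KB 921049 values; dword 1 = restriction enforced, 0 = present but inert
DISPLAY_LOCKS = {"nodispcpl", "nodispbackgroundpage", "nodispscrsavpage",
                 "nodispappearancepage", "nodispsettingspage"}
# The value the thread found set to 1 under HKLM ("No Change Wallpaper" in the UI)
ACTIVE_DESKTOP_LOCKS = {"nochangingwallpaper"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def decode_data(data):
    """Turn .reg value data into a Python value (dword -> int, "str" -> str)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data  # hex:, hex(2): etc. are left as the raw text


def parse_reg(text):
    """Yield (key, value_name, data) triples from .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), decode_data(m.group("data"))


def audit_reg_text(text):
    """Return findings as (hive, subkey, value_name, data, verdict) tuples."""
    findings = []
    for key, name, data in parse_reg(text):
        hive, _, subkey = key.partition("\\")
        sub, lname = subkey.lower(), name.lower()
        if sub == POLICY_SYSTEM and lname in DISPLAY_LOCKS:
            verdict = "restriction enforced" if data == 1 else "present but disabled"
        elif sub == POLICY_SYSTEM and lname == "wallpaper":
            verdict = "wallpaper forced by policy"      # KB note: delete it
        elif sub == POLICY_ACTIVEDESKTOP and lname in ACTIVE_DESKTOP_LOCKS:
            verdict = "restriction enforced" if data == 1 else "present but disabled"
        else:
            continue
        findings.append((hive, subkey, name, data, verdict))
    return findings


def reg_delete_commands(findings):
    """reg.exe one-liners that undo the enforced restrictions (review before running)."""
    return [f'reg delete "{hive}\\{subkey}" /v "{name}" /f'
            for hive, subkey, name, _data, verdict in findings
            if verdict in ("restriction enforced", "wallpaper forced by policy")]


# Constructed sample in `reg export` layout; nothing here is from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000000
"Wallpaper"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\clip_image002.gif"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    found = audit_reg_text(SAMPLE)
    for hive, subkey, name, data, verdict in found:
        print(f"{hive}\\{subkey}\\{name} = {data!r}: {verdict}")
    print("\n".join(reg_delete_commands(found)))
```

A real reg export file is written as UTF-16 LE, so open it with encoding="utf-16" before passing the text in. The Run key in the sample is there to show that unrelated values are ignored; the script only reports the policy values the KB names and the ActiveDesktop lock.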
01-26-2008, 08:53 AM   #30
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

Sorry I overlooked this...

Had I not thought you'd wanted this image, I'd have fixed this entry with HijackThis and saved you some trouble:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Kallen's/LOCALS~1/Temp/msohtml1/01/clip_image002.gif


One more bit of tidying up to do....I'll answer your questions in next reply.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\xall[1].htm
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
C:\Program Files\iWin Games\iWinGamesHookIE.dll
C:\weirdontheweb_wild.exe
c:\windows\cdmxtras
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\ultra\ultra.inf

Folder::
c:\program files\Lycos
c:\program files\Need2Find
c:\program files\System Soap Pro
c:\program files\INSTAFINK
c:\windows\cdmxtras

Registry::
[-hkey_classes_root\clsid\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------
01-26-2008, 09:48 AM   #31
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

Here ya go

ComboFix 08-01-23.1C - Kallen's 2008-01-26 10:42:42.7 - NTFSx86
Running from: C:\Documents and Settings\Kallen's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kallen's\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\xall[1].htm
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
C:\Program Files\iWin Games\iWinGamesHookIE.dll
C:\weirdontheweb_wild.exe
c:\windows\cdmxtras
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\ultra\ultra.inf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Lycos
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\System Soap Pro
c:\program files\System Soap Pro\forms\1\images\bawp01.gif
c:\program files\System Soap Pro\forms\1\images\bawsanimated1.gif
c:\program files\System Soap Pro\forms\1\images\bawsanimated2.gif
c:\program files\System Soap Pro\forms\1\images\close.gif
c:\program files\System Soap Pro\forms\1\images\transparent.gif
c:\program files\System Soap Pro\forms\1\index.htm
c:\program files\System Soap Pro\forms\2\images\bawp02.gif
c:\program files\System Soap Pro\forms\2\images\bawp02[0].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[1].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[2].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[3].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[4].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[5].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[6].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[7].gif
c:\program files\System Soap Pro\forms\2\images\bawp02[9].gif
c:\program files\System Soap Pro\forms\2\images\baws2animated1.gif
c:\program files\System Soap Pro\forms\2\images\close.gif
c:\program files\System Soap Pro\forms\2\images\transparent.gif
c:\program files\System Soap Pro\forms\2\index.htm
c:\program files\System Soap Pro\forms\3\images\bawp03.gif
c:\program files\System Soap Pro\forms\3\images\bawp03[0].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[1].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[2].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[3].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[4].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[5].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[6].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[7].gif
c:\program files\System Soap Pro\forms\3\images\bawp03[9].gif
c:\program files\System Soap Pro\forms\3\images\transparent.gif
c:\program files\System Soap Pro\forms\3\index.htm
c:\program files\System Soap Pro\help.chm
c:\program files\System Soap Pro\plugins\~GLH005e.TMP
c:\program files\System Soap Pro\plugins\1 Cool Button Tool - Java 4.5.te
c:\program files\System Soap Pro\plugins\ACDSee 3.x.te
c:\program files\System Soap Pro\plugins\ACDsee 4.0.te
c:\program files\System Soap Pro\plugins\Acrobat Reader 3.x.te
c:\program files\System Soap Pro\plugins\Acrobat Reader 4.x.te
c:\program files\System Soap Pro\plugins\Acrobat Reader 5.te
c:\program files\System Soap Pro\plugins\Agent NewsReader.te
c:\program files\System Soap Pro\plugins\AOL 6.0 Temp File.te
c:\program files\System Soap Pro\plugins\AOL 7.0 Chat Log.te
c:\program files\System Soap Pro\plugins\AOL Instant Messenger.te
c:\program files\System Soap Pro\plugins\AX-Icons 4.x.te
c:\program files\System Soap Pro\plugins\CoffeeCup GIF Animator.te
c:\program files\System Soap Pro\plugins\CuteFTP 4.0.te
c:\program files\System Soap Pro\plugins\CuteHtml 1.x.te
c:\program files\System Soap Pro\plugins\Divx Player.te
c:\program files\System Soap Pro\plugins\DLExpert v0.99.te
c:\program files\System Soap Pro\plugins\Download Accelerator (DAP).te
c:\program files\System Soap Pro\plugins\Flash 5.te
c:\program files\System Soap Pro\plugins\FlashGet.te
c:\program files\System Soap Pro\plugins\GetRight 4.x.te
c:\program files\System Soap Pro\plugins\GO!ZLLA.te
c:\program files\System Soap Pro\plugins\Google Tool Bar.te
c:\program files\System Soap Pro\plugins\Hotbar 3.0.te
c:\program files\System Soap Pro\plugins\HTML Help Workshop.te
c:\program files\System Soap Pro\plugins\ICQ2000a.te
c:\program files\System Soap Pro\plugins\ICQ2000B.te
c:\program files\System Soap Pro\plugins\iMesh.te
c:\program files\System Soap Pro\plugins\KaZaA.te
c:\program files\System Soap Pro\plugins\LeapFTP 2.61.te
c:\program files\System Soap Pro\plugins\Macromedia Dreamweaver 4.0.te
c:\program files\System Soap Pro\plugins\Macromedia Firework 3.0.te
c:\program files\System Soap Pro\plugins\Macromedia Firework 4.0.te
c:\program files\System Soap Pro\plugins\Media Player.te
c:\program files\System Soap Pro\plugins\Morpheus 1.x.te
c:\program files\System Soap Pro\plugins\MS Imaging.te
c:\program files\System Soap Pro\plugins\MS Paint.te
c:\program files\System Soap Pro\plugins\MSN Messenger.te
c:\program files\System Soap Pro\plugins\Net Vampire 3.x.te
c:\program files\System Soap Pro\plugins\NetCaptor.te
c:\program files\System Soap Pro\plugins\Office XP.te
c:\program files\System Soap Pro\plugins\Office2000.te
c:\program files\System Soap Pro\plugins\Office97.te
c:\program files\System Soap Pro\plugins\Sonique.te
c:\program files\System Soap Pro\plugins\SWiSH 2.0.te
c:\program files\System Soap Pro\plugins\The Playa.te
c:\program files\System Soap Pro\plugins\Ulead GIF Animator 5.0.te
c:\program files\System Soap Pro\plugins\WebFerret.te
c:\program files\System Soap Pro\plugins\WinAce 2.x.te
c:\program files\System Soap Pro\plugins\Winamp 2.7x.te
c:\program files\System Soap Pro\plugins\WinRar 2.x.te
c:\program files\System Soap Pro\plugins\WinZip.te
c:\program files\System Soap Pro\plugins\Word Pad.te
c:\program files\System Soap Pro\plugins\Yahoo! Message.te
c:\program files\System Soap Pro\plugins\Yahoo! Messenger.te
c:\program files\System Soap Pro\UNWISE.EXE
c:\windows\cdmxtras
C:\WINDOWS\system32\ultra\ultra.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-25 17:47 . 2008-01-25 17:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-25 17:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 17:41 . 2008-01-25 17:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-25 16:45 . 2008-01-25 16:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-01-23 19:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 19:06 . 2007-04-10 03:09 211 --a------ C:\Boot.bak
2008-01-23 19:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-17 15:25 . 2008-01-17 15:25 <DIR> d-------- C:\ie-spyad_zo
2008-01-16 18:52 . 2008-01-16 18:55 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-16 16:23 . 2008-01-16 18:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-16 16:23 . 2008-01-16 16:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-16 16:23 . 2008-01-16 16:33 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-16 16:23 . 2008-01-16 16:33 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 03:10 . 2008-01-15 14:30 3,412 --a------ C:\ntboot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 09:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-25 23:42 --------- d-----w C:\Program Files\Java
2008-01-25 23:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 13:13 --------- d-----w C:\Program Files\Google
2008-01-20 13:00 --------- d-----w C:\Program Files\Paint Shop Pro 6
2008-01-20 12:54 --------- d-----w C:\Program Files\Common Files\Sandlot Shared
2008-01-20 12:52 --------- d-----w C:\Program Files\The Learning Company
2008-01-16 23:37 --------- d-----w C:\Program Files\Norton 360
2008-01-16 23:31 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-12 16:46 --------- d-----w C:\Program Files\Click'N Design 3D (V5)
2007-12-19 20:05 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-12-15 22:22 --------- d-----w C:\Program Files\BIAS
2007-12-15 21:54 --------- d-----w C:\Program Files\proDAD
2007-12-15 21:36 --------- d-----w C:\Program Files\AdorageI-GfxDatas
2007-12-15 21:35 --------- d-----w C:\Program Files\AdorageI-SAL
2007-12-15 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 21:01 --------- d-----w C:\Program Files\Pinnacle
2007-12-15 12:32 --------- d-----w C:\Program Files\AIM
2007-12-15 12:31 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-11 10:18 --------- d-----w C:\Program Files\Sonic Foundry
2007-12-09 12:04 --------- d-----w C:\Program Files\Pure Motion
2007-12-09 12:04 --------- d-----w C:\Program Files\DebugMode
2007-12-05 21:42 160,297 ----a-w C:\WINDOWS\Sqirlz Morph Uninstaller.exe
2007-12-05 21:42 --------- d-----w C:\Program Files\Sqirlz Morph
2007-12-05 08:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 08:40 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 08:40 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 08:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 08:40 --------- d-----w C:\Program Files\Symantec
2007-12-01 05:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 05:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 05:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 05:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 05:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 05:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 05:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 05:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_19.46.58.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 01:04:07 1,425,408 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 16:42:06 1,433,600 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 01:04:07 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 16:42:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 01:04:07 1,421,312 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 16:42:06 1,429,504 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 01:04:07 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 16:42:06 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 01:04:07 10,248,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 16:42:07 10,285,056 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 01:04:07 204,800 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 16:42:07 290,816 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2003-11-19 20:36:26 24,681 -c--a-w C:\WINDOWS\system32\java.exe
+ 2007-12-14 06:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 20:36:30 28,779 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 06:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 07:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-01-24 01:21:13 73,668 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-26 11:21:17 73,668 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-24 01:21:13 448,774 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-26 11:21:17 448,774 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40 218032]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2007-10-10 04:59 625152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 11:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 11:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 11:50 114688]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 03:40 218032]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 03:40 86960]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20 122940]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 17:05 1117184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2004-01-05 01:27 176128]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18 241664]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 19:09 842584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 2236 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2006-12-20 13:05 227328 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-05-15 08:14 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 18:33:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 09:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.ex
- C:\Program Files\RegSweep
"2008-01-13 17:26:00 C:\WINDOWS\Tasks\WebReg 20060802112613.job"
- c:\Program Files\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20060802112613 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 10:48:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 10:49:55
ComboFix-quarantined-files.txt 2008-01-26 16:49:33
ComboFix2.txt 2008-01-25 22:57:43
ComboFix3.txt 2008-01-25 20:56:58
.
2008-01-24 00:33:09 --- E O F ---
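The "Reg Loading Points" section of a ComboFix log like the one above is the part to read first: it is the tool's view of what starts automatically. The script below is an added example for this thread, not ComboFix's or the forum's code. It parses that section into entries and flags the ones a responder would check by hand: Run/RunOnce entries with no file stamp (the log prints "[ ]" instead of a date and size, which I read as "target not found", so a dangling autostart like the DMXLauncher line above; treat that reading as an assumption), AppInit_DLLs, AutoRun commands registered under MountPoints2 for a removable drive, and anything launching from a profile or Temp directory. The sample text is constructed in the shape of the posted log; the "updater" line is invented to exercise the Temp-path check and is not from the thread.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag entries
worth hand-checking. Added example for this thread, not ComboFix's code.
SAMPLE is constructed in the shape of the log posted above; the "updater"
line is invented to exercise the Temp-path check and is not from the thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="C:\path\file.exe" [YYYY-MM-DD HH:MM size]   or   "name"="C:\path\file.exe" [ ]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# "AppInit_DLLs"=C:\path\file.dll   (data printed without quotes or stamp)
BARE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>[^"].*)$')
# MountPoints2 autorun line:  \Shell\AutoRun\command - F:\LaunchU3.exe -a
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")


@dataclass
class Autostart:
    key: str
    name: str
    target: str
    stamp: Optional[str]          # "YYYY-MM-DD HH:MM size", or None when the log showed "[ ]"
    flags: list = field(default_factory=list)


def parse_loading_points(text):
    """Return the Autostart entries found under each [key] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = RUN_RE.match(line)
        if m:
            stamp = m.group("stamp").strip() or None
            entries.append(Autostart(key, m.group("name"), m.group("path"), stamp))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append(Autostart(key, "AutoRun", m.group("cmd"), None))
            continue
        m = BARE_RE.match(line)
        if m:
            entries.append(Autostart(key, m.group("name"), m.group("data").strip(), None))
    return entries


def triage(entries):
    """Attach review flags and return only the entries that got one."""
    for e in entries:
        e.flags = []
        k, t = e.key.lower(), e.target.lower()
        if k.endswith("\\run") or k.endswith("\\runonce"):
            if e.stamp is None:
                # "[ ]" in the log is read here as "target not found": a dangling autostart
                e.flags.append("no file stamp: target probably missing")
            if "\\temp\\" in t or "\\documents and settings\\" in t:
                e.flags.append("launches from a user-writable profile or Temp path")
        if e.name.lower() == "appinit_dlls" and e.target:
            e.flags.append("AppInit_DLLs: DLL loaded into every process that loads user32")
        if "mountpoints2" in k and e.name == "AutoRun":
            e.flags.append("AutoRun command registered for a removable drive")
    return [e for e in entries if e.flags]


# Constructed sample; same layout as the posted log, "updater" line invented.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 11:49 94208]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [ ]
"updater"="C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe" [2008-01-20 11:02 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
"""

if __name__ == "__main__":
    for e in triage(parse_loading_points(SAMPLE)):
        print(f"{e.name:14} {e.target}")
        for f in e.flags:
            print("    -", f)
```

The flags are prompts, not verdicts: the AppInit_DLLs entry in the posted log belongs to Google Desktop and the AutoRun line is a U3 USB stick, both of which the helper left alone. The point of the script is to get the short list of things to look at out of a log that is several hundred lines long.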
01-26-2008, 10:33 AM   #32
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

Ok, looking good. Let's see what I can do about answering your questions.

SpyKillerPro

It's rogueware, should never have been installed, and we nuked it.

We will uninstall ComboFix as part of the final housekeeping. I'll also be giving you some protection ideas, and there's also the link in my signature

PC Safety and Security--What Do I Need?

I personally don't care for Norton either. Like your tech, I find it resource hungry, even if effective.

The AntiPhishing in Norton 360 would not be replaced by anything in Spybot S&D that I'm aware of. Spybot is an anti-spyware application, with some home page and registry protection agents, as well as some additional tools.

Quote:
Was it a waste to have paid for Norton 360 for all three computers here at my house if it did not protect and then have them tell me a charge of $110.00 to clean it?
I hope you did not pay them. If you're already invested in the application, you should probably get your money's worth out of it.

Even with protection, one visit to the wrong site, one click on a bad link, or downloading and running a bad file, can cause an infection. It's a constant cat and mouse....the bad guys are always trying new things, and the AV vendors are often playing catchup.

One of the things I don't like about Norton is that it does not update automatically as frequently as other products, or at least, in past configurations, that's been the case. I do believe you can manually tweak those update settings, but I'm not exactly sure how to. I believe there is an Automatic Updates tab in the application interface where you can change the frequency. You can also manually update whenever you want to.

My NOD32 by Eset, for example, will update definitions sometimes several times a day. Frequent updating definitions against new threats is what helps keep systems protected better, as well as heuristic detection.

SpywareBlaster works in the registry, and uses no system resources.

I hope that answers your questions.

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs (if you don't already have them):
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
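The hosts-file steps above do two things: swap in a file that sinkholes ad names to the local machine, and keep the old file as HOSTS.MVP. Before trusting any hosts file (the one you download, or the one already on a machine you are cleaning), it is worth checking what it actually does, because the same file is also where malware redirects names to addresses of its choosing. The script below is an added example, not code from the MVPS project or from the post: it parses a hosts file, separates localhost entries, sinkholed names (loopback or 0.0.0.0 targets) and anything pointed at a routable address, then performs the rename-and-copy install only if nothing was flagged. The Windows path is the real default location; the sample hosts text, the example.com/.test names, and the function names are this example's own. Writing the real file needs an Administrator shell; `demo()` works on scratch files so nothing real is touched.

```python
"""Audit a HOSTS file and install it the way mvps.bat does: rename the old
file to hosts.MVP, copy the new one into place. Added example, not code from
the MVPS project or the forum post; function names are this example's own."""
import ipaddress
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Real default location on Windows 2000/XP; demo() below uses a scratch path.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample in the style of a blocklist hosts file (not the MVPS file).
CLEAN_HOSTS = """\
# constructed sample: sinkhole a few ad/tracker names
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.com        # request never leaves this machine
0.0.0.0 tracker.example.net
127.0.0.1 banner.example.org
"""

# Constructed: two lines of the kind the audit must refuse. A name pointed at a
# routable address is how a tampered hosts file redirects traffic.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
198.51.100.23 update.example-av.test   # routable target: review, do not trust
this-is-not-an-ip example.com
"""

@dataclass
class HostsAudit:
    local: list = field(default_factory=list)      # (ip, name) localhost entries
    blocked: list = field(default_factory=list)    # (ip, name) sinkholed names
    review: list = field(default_factory=list)     # (lineno, ip, name) routable
    malformed: list = field(default_factory=list)  # (lineno, raw line)

def parse_hosts(text):
    """Yield (lineno, first field, other fields, raw), skipping comments/blanks."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0], fields[1:], raw

def audit_hosts(text):
    """Classify every entry. Blocklist entries must resolve to a loopback or
    unspecified address; anything routable (LAN addresses included) is queued
    for review rather than silently accepted."""
    report = HostsAudit()
    for lineno, ip_text, names, raw in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            report.malformed.append((lineno, raw))
            continue
        if not names:
            report.malformed.append((lineno, raw))
            continue
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                report.local.append((ip_text, name))
            elif ip.is_loopback or ip.is_unspecified:  # 127.x, ::1, 0.0.0.0, ::
                report.blocked.append((ip_text, name))
            else:
                report.review.append((lineno, ip_text, name))
    return report

def install_hosts(new_hosts_path, target_path=WINDOWS_HOSTS_PATH, suffix=".MVP"):
    """Move target_path aside as target_path + suffix and copy the new file in.
    Raises ValueError, touching nothing, if the audit flags any entry."""
    with open(new_hosts_path, encoding="utf-8", errors="replace") as fh:
        report = audit_hosts(fh.read())
    if report.review or report.malformed:
        raise ValueError(f"refusing to install: review={report.review} "
                         f"malformed={report.malformed}")
    backup_path = target_path + suffix
    if os.path.exists(target_path):
        os.replace(target_path, backup_path)  # replaces an earlier backup
    shutil.copyfile(new_hosts_path, target_path)
    return backup_path, len(report.blocked)

def demo():
    """Exercise both paths on scratch files. Returns (backup name, backup
    contents, installed contents, sinkholed count, tampered file refused?)."""
    with tempfile.TemporaryDirectory() as tmp:
        target, clean, bad = (os.path.join(tmp, n) for n in ("hosts", "clean", "bad"))
        for path, body in ((target, "127.0.0.1 localhost\n"),
                           (clean, CLEAN_HOSTS), (bad, TAMPERED_HOSTS)):
            with open(path, "w") as fh:
                fh.write(body)
        backup, blocked = install_hosts(clean, target_path=target)
        try:
            install_hosts(bad, target_path=target)
            refused = False
        except ValueError:
            refused = True
        with open(backup) as old, open(target) as now:
            return os.path.basename(backup), old.read(), now.read(), blocked, refused
```

Entries that map a name to a LAN address are legitimate on some machines, which is why they land in `review` rather than being dropped; relax the check in `install_hosts` if you keep such entries on purpose. To audit the file already on a machine, read `WINDOWS_HOSTS_PATH` and pass its contents to `audit_hosts`; anything in `review` that names a security vendor, an update service or a bank deserves a close look.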
Old 01-26-2008, 11:04 AM   #33 (permalink)
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

Can I get rid of all the logs?
Exe files like the updated Java: after installing, can I delete the file on my desktop?
I have always been saving them, as I was not sure it was safe to delete them after installing.
I want to thank you for your time. I know I will always refer to this site as a way to help when all hopes fade. No, we did not pay Norton techs to get rid of the problem, but we will also look into something else when it is time to update Norton for another year. I hope I can contact you once in a while to let you know about some of the decisions I make on other software.
Thanks again, you're the tops.
Tps.llc is offline  
Old 01-26-2008, 11:10 AM   #34 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

Quote:
Can I get rid of all the logs?
Yes.


Quote:
Exe files like the updated Java: after installing, can I delete the file on my desktop?
Yes.

You're welcome for the help. Happy Computing, and Safe Surfing to you!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-26-2008, 11:21 AM   #35 (permalink)
Registered User
 
Join Date: Jan 2008
Location: Midwest N.W Indiana
Posts: 45
OS: XP sp2


Re: Pop-ups keep coming !!!

The firewall that SBC Global uses with my 2Wire DSL unit: is that good, or do I need another on the computer itself, or is the DSL on the network OK?
Tps.llc is offline  
Old 01-26-2008, 11:24 AM   #36 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,483
OS: 2000 Pro; XP Pro; XP Home


Re: Pop-ups keep coming !!!

That should be fine. Some will argue that a software firewall is also needed. I use a hardware firewall and common sense.

For those types of questions, you may want to ask in our Security and Firewalls forum to get a broader opinion.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum