adware and spyware found by pandasoftware

[floridagator]

I ran a Panda scan and it found lots of problems. Because there are several problems I am having trouble dealing with them. I have run Ad-Aware and Spybot. Here is what Panda found.


Adware:Adware/nCase -- Windows Registry
Adware/FavoriteMan -- C:\WINDOWS\downloaded program files\ATPartners.inf
Adware:Adware/WinTools -Windows Registry
Spyware:Spyware/Bridge C:\WINDOWS\Downloaded Program Files\bridge.???
Adware:Adware/BlazeFind --Windows Registry
Adware:Adware/NetPals -- C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Spyware:Spyware/Bridge -- C:\WINDOWS\Downloaded Program Files\bridge.inf


Here is my HJT
Logfile of HijackThis v1.99.1
Scan saved at 9:22:45 AM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.partypoker.net
O15 - Trusted Zone: http://start.real.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1141bb59...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/def...ebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Any help would be greatly appreciated.
Thanks

[MicroBell]

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

Run hijackthis and fix the following...


O15 - Trusted Zone: http://www.partypoker.net
O15 - Trusted Zone: http://start.real.com

Delete the files in RED

C:\WINDOWS\downloaded program files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\bridge.???
C:\WINDOWS\Downloaded Program Files\bridge.inf

Other then that..your log is clean. Can you describe what issues your having?

[floridagator]

The problem is that I am unable to delete those files. They do not seem to exist in that location.
I also ran norton, and it found adware.winfavorites, and adware.minibug.
I tried to remove them but I was unable to.

Any suggestions?
Thanks

[MicroBell]

The scans may be picking up old registry entrys..and not the files. Lets look deeper...

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the spybot program if you use it…BEFORE!!! running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file.(This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window)
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the “View Log” button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.

[floridagator]

Ok here is the MWAV virus log information :
File C:\Documents and Settings\Kelli Taylor\Desktop\New Folder\stuff\backups\backup-20050125-133208-830.dll tagged as not-a-virus:Downloader.Win32.PopCap.a. No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\QDow.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\Default.rul". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}" refers to invalid object "C:\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.1" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.3" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.4" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.5" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.6" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashFactory.AOLFlashFactory" refers to invalid object "{C1145551-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashFactory.AOLFlashFactory.1" refers to invalid object "{C1145551-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashProp.AOLFlashProp.1" refers to invalid object "{75D44B92-DCAF-43f3-A7D1-91041F34E719}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack.1" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlRoxio.CddbFullName.1" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlRoxio.FullName" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.NCTProfileManager" refers to invalid object "{E27FC1E5-B5CB-4C3E-8AA6-81C2A4BAC8AF}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.NCTProfileManager.1" refers to invalid object "{E27FC1E5-B5CB-4C3E-8AA6-81C2A4BAC8AF}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.WMVFile" refers to invalid object "{D2AE39EF-965C-4058-A21B-AC0E0673F72D}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.WMVFile.1" refers to invalid object "{D2AE39EF-965C-4058-A21B-AC0E0673F72D}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow.1" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService.1" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\SAS.Workspace" refers to invalid object "{440196D4-90F0-11D0-9F41-00A024BB830C}". Action Taken: No Action Taken.
Entry "HKCR\SAS.Workspace.1" refers to invalid object "{440196D4-90F0-11D0-9F41-00A024BB830C}". Action Taken: No Action Taken.
Entry "HKCR\SASGMS.GMSAppl" refers to invalid object "{9C186A64-83E4-11D2-B956-00C04F81993C}". Action Taken: No Action Taken.
Entry "HKCR\SASGMS.GMSAppl.1" refers to invalid object "{9C186A64-83E4-11D2-B956-00C04F81993C}". Action Taken: No Action Taken.
Entry "HKCR\SASMQX.MQXAppl" refers to invalid object "{8D9EF489-8D1E-11D2-B94F-00C04F8198C0}". Action Taken: No Action Taken.
Entry "HKCR\SASMQX.MQXAppl.1" refers to invalid object "{8D9EF489-8D1E-11D2-B94F-00C04F8198C0}". Action Taken: No Action Taken.
Entry "HKCR\SASOLAP.OLAP" refers to invalid object "{0ADE178A-6A1D-11D4-8349-00B0D0292DCA}". Action Taken: No Action Taken.
Entry "HKCR\SASOLAP.OLAP.1" refers to invalid object "{0ADE178A-6A1D-11D4-8349-00B0D0292DCA}". Action Taken: No Action Taken.
Entry "HKCR\SASOMI.OMI" refers to invalid object "{2887E7D7-4780-11D4-879F-00C04F38F0DB}". Action Taken: No Action Taken.
Entry "HKCR\SASOMI.OMI.1" refers to invalid object "{2887E7D7-4780-11D4-879F-00C04F38F0DB}". Action Taken: No Action Taken.
File C:\Documents and Settings\Kelli Taylor\Desktop\New Folder\stuff\backups\backup-20050125-133208-830.dll tagged as not-a-virus:Downloader.Win32.PopCap.a. No Action Taken.
File C:\Program Files\ScrabbleRackAttack_Setup-dm.exe tagged as "not-a-virus:AdWare.Trymedia.b". Action Taken: No Action Taken.
File C:\Program Files\Scrabble_Setup-dm.exe tagged as "not-a-virus:AdWare.Trymedia.b". Action Taken: No Action Taken.
File C:\Program Files\TestGen\stub.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP114\A0009437.EXE infected by "Trojan-Downloader.Win32.Small.wk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009951.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009952.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009953.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009954.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009955.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009956.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009957.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009958.exe infected by "Backdoor.Win32.Agobot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009959.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009960.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009961.scr infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009962.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009963.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009964.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009965.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009966.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009967.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009968.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009969.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009970.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009971.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009972.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009973.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009974.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009975.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009976.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009977.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009978.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009979.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009980.scr infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009981.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009982.scr infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009983.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009984.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009985.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009986.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009987.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009988.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009989.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009990.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009991.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009992.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009993.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009994.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009995.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009996.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009997.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009998.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0009999.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010000.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010001.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010002.scr infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010003.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010004.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010005.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010006.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010007.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010008.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010009.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010010.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010011.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010012.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010013.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010014.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010015.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010016.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010017.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010018.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010019.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010020.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010021.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010022.scr infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010023.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010024.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010025.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010026.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010027.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010028.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010029.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010030.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010031.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010032.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010033.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010034.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010035.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010036.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010037.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010038.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP116\A0010039.exe infected by "Email-Worm.Win32.Bagle.k" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\A0007652.EXE tagged as not-a-virus:Downloader.Win32.DigStream. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.


Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:00:41 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1141bb59...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/def...ebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks

[jgvernonco]

Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.

Please give us another mwav and Hjt log

[floridagator]

how do i create a new system point manually?

[MicroBell]

Quote:

Originally Posted by floridagator

how do i create a new system point manually?

You don't have too. Simply unchecking the system restore box...and then put a checkmark back in it..windows creates a new restore point automaticaly. That said if you ever want to make one...run the restore wizard. It will step you through on createing a restore point...or using one you already created...ect.

[floridagator]

Here is the new mwav and hjt log

File C:\Documents and Settings\Kelli Taylor\Desktop\New Folder\stuff\backups\backup-20050125-133208-830.dll tagged as not-a-virus:Downloader.Win32.PopCap.a. No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\QDow.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\Default.rul". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}" refers to invalid object "C:\PROGRA~1\AWS\WEATHE~1\MINIBU~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.1" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.3" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.4" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.5" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlash.AOLFlash.6" refers to invalid object "{C1145550-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashFactory.AOLFlashFactory" refers to invalid object "{C1145551-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashFactory.AOLFlashFactory.1" refers to invalid object "{C1145551-A454-11D4-9020-00D0B7239081}". Action Taken: No Action Taken.
Entry "HKCR\AOLFlashProp.AOLFlashProp.1" refers to invalid object "{75D44B92-DCAF-43f3-A7D1-91041F34E719}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\AxTrack.CoAxTrack.1" refers to invalid object "{B9F3009B-976B-41C4-A992-229DCCF3367C}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlRoxio.CddbFullName.1" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361}". Action Taken: No Action Taken.
Entry "HKCR\CDDBControlRoxio.FullName" refers to invalid object "{1c6e0e46-4e5f-492d-b946-44291b931361}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.NCTProfileManager" refers to invalid object "{E27FC1E5-B5CB-4C3E-8AA6-81C2A4BAC8AF}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.NCTProfileManager.1" refers to invalid object "{E27FC1E5-B5CB-4C3E-8AA6-81C2A4BAC8AF}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.WMVFile" refers to invalid object "{D2AE39EF-965C-4058-A21B-AC0E0673F72D}". Action Taken: No Action Taken.
Entry "HKCR\NCTWMVFile.WMVFile.1" refers to invalid object "{D2AE39EF-965C-4058-A21B-AC0E0673F72D}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RealDownloadExpress.InfoWindow.1" refers to invalid object "{56336BCA-3D8A-11d6-A00B-0050DA18DE71}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\RTCIMSP.RTCIMService.1" refers to invalid object "{83D4679F-B6D7-11D2-BF36-00C04FB90A03}". Action Taken: No Action Taken.
Entry "HKCR\SAS.Workspace" refers to invalid object "{440196D4-90F0-11D0-9F41-00A024BB830C}". Action Taken: No Action Taken.
Entry "HKCR\SAS.Workspace.1" refers to invalid object "{440196D4-90F0-11D0-9F41-00A024BB830C}". Action Taken: No Action Taken.
Entry "HKCR\SASGMS.GMSAppl" refers to invalid object "{9C186A64-83E4-11D2-B956-00C04F81993C}". Action Taken: No Action Taken.
Entry "HKCR\SASGMS.GMSAppl.1" refers to invalid object "{9C186A64-83E4-11D2-B956-00C04F81993C}". Action Taken: No Action Taken.
Entry "HKCR\SASMQX.MQXAppl" refers to invalid object "{8D9EF489-8D1E-11D2-B94F-00C04F8198C0}". Action Taken: No Action Taken.
Entry "HKCR\SASMQX.MQXAppl.1" refers to invalid object "{8D9EF489-8D1E-11D2-B94F-00C04F8198C0}". Action Taken: No Action Taken.
Entry "HKCR\SASOLAP.OLAP" refers to invalid object "{0ADE178A-6A1D-11D4-8349-00B0D0292DCA}". Action Taken: No Action Taken.
Entry "HKCR\SASOLAP.OLAP.1" refers to invalid object "{0ADE178A-6A1D-11D4-8349-00B0D0292DCA}". Action Taken: No Action Taken.
Entry "HKCR\SASOMI.OMI" refers to invalid object "{2887E7D7-4780-11D4-879F-00C04F38F0DB}". Action Taken: No Action Taken.
Entry "HKCR\SASOMI.OMI.1" refers to invalid object "{2887E7D7-4780-11D4-879F-00C04F38F0DB}". Action Taken: No Action Taken.
File C:\Documents and Settings\Kelli Taylor\Desktop\New Folder\stuff\backups\backup-20050125-133208-830.dll tagged as not-a-virus:Downloader.Win32.PopCap.a. No Action Taken.
File C:\Program Files\ScrabbleRackAttack_Setup-dm.exe tagged as "not-a-virus:AdWare.Trymedia.b". Action Taken: No Action Taken.
File C:\Program Files\Scrabble_Setup-dm.exe tagged as "not-a-virus:AdWare.Trymedia.b". Action Taken: No Action Taken.
File C:\Program Files\TestGen\stub.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll tagged as not-a-virus:Downloader.Win32.PopCap.b. No Action Taken.

here is the hjt:
Logfile of HijackThis v1.99.1
Scan saved at 1:26:32 AM, on 6/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1141bb59...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/def...ebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
thanks,
Kelli

[floridagator]

I am not sure if I was supposed to or not, but the last mwav information i posted was from running it in safe mode. if that is incorrect let me know and I will rerun it.

[MicroBell]

Kelli:

From what I can see...it looks like the scans are just picking up old registry entrys. Your logs are clean of any malware files. You can delete these files though...

C:\Program Files\ScrabbleRackAttack_Setup-dm.exe
C:\Program Files\Scrabble_Setup-dm.exe

Both contain adware Trymedia.b code.

The only way to remove those old entrys (asumming a registry cleaner cant) would be to delete them manually which I would not recommend since there is so many. But if your brave enough...run Adaware and save it's log. It will list the keys the adware was found under.

You can then navigate to that key and delete the entry involved. Try another online scan from another site....

Run an online virus scan from TrendMicro Please select the “autoclean” option when prompted to do so. See what it finds.

[floridagator]

ok thank you