# delete help with winpcdoctor



## beenthere7659 (Mar 29, 2008)

I'm using XP home edition on a DELL tower with 512 RAM 71.5 GB HD about half filled.
Yesterday I picked up PSW,x-VIR winpcdoctor and a bunch more annoying stuff. Anyone out there want to HELP!

I think I need my hend held to run a full scan, then for someone to take me through cleaning it up.

The virus seems to like to disconnect the web link from time to time without warning.


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

I've edited your post to remove your e-mail address and telephone number. You shouldn't post these things on the Internet.

*Click here* to download *HJTsetup.exe*.

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required. 

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.*


----------



## beenthere7659 (Mar 29, 2008)

bump


----------



## Cookiegal (Aug 27, 2003)

Why are you bumping when you haven't carried out my instructions?


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal said:


> Hi and welcome to TSG,
> 
> I've edited your post to remove your e-mail address and telephone number. You shouldn't post these things on the Internet.
> 
> ...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:10 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\InternetAnonymizer\GIAProxyService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\WinPCDoctor\strpmon.exe
C:\Program Files\WinSpyControl\pgs.exe
C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\Program Files\WinPCDoctor\SysRep.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Common Files\WinPCDoctor\cookw.exe
C:\Program Files\InternetAnonymizer\traymodule.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\WinAnonymous\GDC.exe
C:\Program Files\Common Files\WinAnonymous\stm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchFilter.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\ACT\act.exe
C:\PROGRA~1\ACT\actwp.wpi
C:\PROGRA~1\ACT\ActEmail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\WinAnonymous\data\GDCW.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\WinSpyControl\Tools\sbiebho.dll
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll
O3 - Toolbar: InternetAnonymizer - {7873A33B-E2A1-4a0b-A418-B6378908ABAD} - C:\Program Files\InternetAnonymizer\GIAToolBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com ad=http://winspycontrol.com sd=http://ykeeper.winspycontrol.com
O4 - HKLM\..\Run: [WinPCDoctor] C:\Program Files\WinPCDoctor\SysRep.exe
O4 - HKLM\..\Run: [cwriter] C:\Program Files\Common Files\WinPCDoctor\cookw.exe
O4 - HKLM\..\Run: [ptask] C:\Program Files\WinSpyControl\ptask.exe
O4 - HKLM\..\Run: [GIAReg] regsvr32 /s "C:\Program Files\InternetAnonymizer\GIAToolBar.dll"
O4 - HKLM\..\Run: [GIAN] C:\Program Files\InternetAnonymizer\traymodule.exe
O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
O4 - HKLM\..\Run: [WinAnonymous] C:\Program Files\WinAnonymous\GDC.exe
O4 - HKLM\..\Run: [gdcw] C:\Program Files\WinAnonymous\data\GDCW.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAnonymous\stm.exe" dm=http://winanonymous.com ad=http://winanonymous.com sd=http://ilp.winanonymous.com
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: bimaculate - {d70e9b0f-aabc-4066-8176-c6de84d92fa1} - C:\WINDOWS\system32\kknwg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: GIA Proxy Service (GIAProxyService) - InternetAnonymizer Corporation - C:\Program Files\InternetAnonymizer\GIAProxyService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: REJBANCSMJ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\REJBANCSMJ.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 14296 bytes


----------



## beenthere7659 (Mar 29, 2008)

Spent the day trying to learn to navigate. I believe I finally posted the hijack report.
Don't have a clue where to look for your next message. Sorry to be such a klutz. It has cost me hours and lots of $$!


----------



## beenthere7659 (Mar 29, 2008)

Just after I bumpped I discovered how to post (I think) the hijack report. Hope you got it and things can normalize here.
Sorry friend.


----------



## Cookiegal (Aug 27, 2003)

Tell me please, is this a company computer?


----------



## beenthere7659 (Mar 29, 2008)

Tell me please, is this a company computer?
I use it for our home-based business also for personal communication. I own the business.
Please- I'm at a loss navigating "tech guy" How do I opwn a view of your messages and/or the whole string? 
Thanks for your indulgence. P.S. I am getting courtesy copies of your responses on e-mail.
beenthere7659


----------



## Cookiegal (Aug 27, 2003)

Just click on the link in the e-mail you received and it opens the thread up for you.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


----------



## beenthere7659 (Mar 29, 2008)

You asked if this were a business computer. I responded. Did you receive it?


----------



## Cookiegal (Aug 27, 2003)

beenthere7659 said:


> You asked if this were a business computer. I responded. Did you receive it?


Yes, thanks. I posted new instructions for you as well.


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal-

Well! Progress on this end. (BTW I was typing this just now and a popup jumped in and cut me off the net). Anyway, as I start this note again-- I opened Combofix, printed and read the instructions and reached the point that I had the red "X" button on my desktop. Then I used start-->help -->search for Recovery Console to read instructions. I had a disk and instructions were not clear (to me at least!) so I ran the recovery console. I could find no icon on my desk top nor in search utility.

I rebooted the system and found it there in the pre-windows options. Opened windows normally. Tried closing antiviruses, but they are part of my problem. Closed everything I could find and pressed the red "X" button for Combofix.

things progressed according to the instructions through Autoscan screen with all of the stages completed.

Next my desktop Icons vanished as predicted and I had only the "DELL" logo background on the screen for over 20 minutes. Eventually, I decided that since I had not dragged a Recovery Console icon over the red "X" button it could not reopen.

I rebooted, fought through closing all the annoying popups until Combofix "Find 3M" screen was alone.
Eventually it graced me with a report which I copied and pasted several places for security. Then I ran another HijackThis report and both are pasted below.

Question-- Was the Combofix successful since I had to tweak the restart?
****
ComboFix 08-04-01.2 - Ben Gilmore 2008-04-01 14:45:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -7:00]
Running from: C:\Documents and Settings\Ben Gilmore\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ben Gilmore\g2mdlhlpx.exe
C:\Documents and Settings\Ben Gilmore\Local Settings\Temporary Internet Files\Univera Front Line.csv
C:\Documents and Settings\Ben Gilmore\ResErrors.log
C:\Program Files\VirusHeat 4.3
C:\Program Files\VirusHeat 4.3\ignored.lst
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe
C:\Program Files\VirusHeat 4.3\vpp.ini
C:\WINDOWS\system32\_000233_.tmp.dll
C:\WINDOWS\SYSTEM32\375013\375013.dll
C:\WINDOWS\system32\drivers\dhlp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP
-------\Service_dhlp

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-31 16:22 . 2008-03-31 16:22 d--------	C:\Program Files\Computer stuff
2008-03-31 15:56 . 2008-03-31 15:56 d--------	C:\Program Files\Trend Micro
2008-03-31 10:54 . 2008-03-31 14:07 d--------	C:\Program Files\Easy SpyRemover
2008-03-29 15:07 . 2008-03-29 15:07 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Uniblue
2008-03-29 15:06 . 2008-03-29 15:06 d--------	C:\Program Files\Uniblue
2008-03-28 20:45 . 2008-03-28 20:45 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\WinAnonymous
2008-03-28 20:40 . 2008-03-28 20:45 d--------	C:\Program Files\WinAnonymous
2008-03-28 20:40 . 2008-03-28 20:40 d--------	C:\Program Files\Common Files\WinAnonymous
2008-03-28 20:40 . 2008-03-28 20:40 d--------	C:\Documents and Settings\All Users\Application Data\WinAnonymous
2008-03-28 20:40 . 2007-02-13 08:09	388,126	--a------	C:\WINDOWS\SYSTEM32\sqlite3.dll
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Program Files\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Program Files\Common Files\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-03-28 20:36 . 2007-08-20 16:35	61,440	--a------	C:\WINDOWS\SYSTEM32\anfapi.dll
2008-03-28 20:36 . 2007-08-10 10:48	14,336	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\anftdird.sys
2008-03-28 18:04 . 2008-03-28 18:04 d--hs----	C:\WinSpyControl
2008-03-28 18:03 . 2008-04-01 12:34 d--------	C:\Program Files\WinSpyControl
2008-03-28 18:03 . 2008-03-28 18:03 d--------	C:\Program Files\Common Files\WinSpyControl
2008-03-28 18:03 . 2008-04-01 14:39 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\WinSpyControl
2008-03-28 18:02 . 2008-03-28 18:02	190,744	--a------	C:\Documents and Settings\Ben Gilmore\Application Data\install_en[1].exe
2008-03-28 17:58 . 2008-04-01 09:07 d--------	C:\Program Files\WinPCDoctor
2008-03-28 17:58 . 2008-04-01 15:13 d--------	C:\Program Files\Common Files\WinPCDoctor
2008-03-28 17:58 . 2008-03-28 17:58 dr-------	C:\Documents and Settings\All Users\Application Data\winpcdoctor
2008-03-28 17:58 . 2008-03-28 17:58 dr-------	C:\Documents and Settings\All Users\Application Data\SalesMon
2008-03-28 17:53 . 2008-03-28 17:53	260,376	--a------	C:\Documents and Settings\Ben Gilmore\Application Data\setup_en[1].exe
2008-03-28 09:09 . 2008-04-01 14:50 d--------	C:\WINDOWS\SYSTEM32\375013
2008-03-28 09:09 . 2008-04-01 09:09 d--------	C:\Program Files\NetProject
2008-03-19 17:26 . 2008-03-19 17:27 d--------	C:\Program Files\The Weather Channel FW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 01:47	---------	d-----w	C:\Program Files\ACT
2008-03-31 23:24	14,265	----a-w	C:\Program Files\3-31-08 4-24pm hijackthis.log
2008-03-28 18:21	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 07:04	---------	d-----w	C:\Documents and Settings\Ben Gilmore\Application Data\TheScruffs
2008-02-22 02:42	---------	d-----w	C:\Program Files\MSN Games
2008-02-17 07:36	104,768	----a-w	C:\Documents and Settings\Ben Gilmore\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 20:13	---------	d-----w	C:\Program Files\Microsoft Small Business
2008-02-16 20:07	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-02-16 20:03	---------	d-----w	C:\Program Files\Microsoft.NET
2008-02-16 20:02	---------	d-----w	C:\Program Files\MSXML 6.0
2008-02-16 19:15	---------	d-----w	C:\Program Files\Microsoft Silverlight
2006-05-17 20:21	630,784	------w	C:\Documents and Settings\Ben Gilmore\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}]
2007-11-27 17:31	1102848	--a------	C:\Program Files\WinSpyControl\Tools\sbiebho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
C:\Program Files\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7873A33B-E2A1-4A0B-A418-B6378908ABAD}"= "C:\Program Files\InternetAnonymizer\GIAToolBar.dll" [2007-12-17 18:01 323584]

[HKEY_CLASSES_ROOT\clsid\{7873a33b-e2a1-4a0b-a418-b6378908abad}]
[HKEY_CLASSES_ROOT\GIAN.GIANObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{A525A3D8-1A0E-43ff-B46A-5DF8D187B8C8}]
[HKEY_CLASSES_ROOT\GIAN.GIANObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7873A33B-E2A1-4A0B-A418-B6378908ABAD}"= C:\Program Files\InternetAnonymizer\GIAToolBar.dll [2007-12-17 18:01 323584]

[HKEY_CLASSES_ROOT\clsid\{7873a33b-e2a1-4a0b-a418-b6378908abad}]
[HKEY_CLASSES_ROOT\GIAN.GIANObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{A525A3D8-1A0E-43ff-B46A-5DF8D187B8C8}]
[HKEY_CLASSES_ROOT\GIAN.GIANObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Express ClickYes"="C:\Program Files\Express ClickYes\ClickYes.exe" [2005-07-27 01:39 32256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"DW4"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 15:51 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 12:33 1388544]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 04:54 43008 C:\WINDOWS\SYSTEM32\WFXSNT40.EXE]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 12:00 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 12:16 98304]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 11:40 190464]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-31 16:15 364544 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"strpmon"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [2008-02-26 09:40 426496]
"WinSpyControl"="C:\Program Files\WinSpyControl\pgs.exe" [2008-03-05 13:14 2035712]
"ugac"="C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe" [2007-05-22 13:06 271360]
"bm"="C:\Program Files\Common Files\WinSpyControl\bm.exe" [2007-12-20 20:12 425984]
"WinPCDoctor"="C:\Program Files\WinPCDoctor\SysRep.exe" [2008-03-05 14:24 1541120]
"cwriter"="C:\Program Files\Common Files\WinPCDoctor\cookw.exe" [2008-02-06 12:34 224256]
"ptask"="C:\Program Files\WinSpyControl\ptask.exe" [2007-11-27 17:31 28672]
"GIAReg"="regsvr32 /s C:\Program Files\InternetAnonymizer\GIAToolBar.dll" [ ]
"GIAN"="C:\Program Files\InternetAnonymizer\traymodule.exe" [2007-12-17 18:01 319488]
"giw"="C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" [2007-12-05 16:02 160645]
"WinAnonymous"="C:\Program Files\WinAnonymous\GDC.exe" [2008-03-26 13:36 1825280]
"gdcw"="C:\Program Files\WinAnonymous\data\GDCW.exe" [2007-12-25 16:07 81920]
"Salestart(1)"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [2008-02-26 09:40 426496]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" [2007-11-09 17:54 3516088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE [2005-05-14 12:32:22 503808]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-12-31 16:18:45 98304]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe [2005-06-02 19:36:14 231936]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{d70e9b0f-aabc-4066-8176-c6de84d92fa1}"= C:\WINDOWS\system32\kknwg.dll [2008-03-27 10:23 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 GIAProxyService;GIA Proxy Service;C:\Program Files\InternetAnonymizer\GIAProxyService.exe [2007-12-17 18:01]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 04:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S3 REJBANCSMJ;REJBANCSMJ;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\REJBANCSMJ.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-04-01 22:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2005-11-23 00:34:43 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\44B367EE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 15:15:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\kknwg.dll
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\DOCUME~1\BENGIL~1\LOCALS~1\Temp\startup6cccf74f-c352-4fee-bb6a-06aed8634edc.exe
.
**************************************************************************
.
Completion time: 2008-04-01 15:23:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 22:23:01
Pre-Run: 36,828,495,872 bytes free
Post-Run: 37,698,535,424 bytes free
.
2008-03-12 10:06:09	--- E O F ---

-------------****************--------------------***************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:41 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\InternetAnonymizer\GIAProxyService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\WinPCDoctor\strpmon.exe
C:\Program Files\WinSpyControl\pgs.exe
C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\Program Files\WinPCDoctor\SysRep.exe
C:\Program Files\Common Files\WinPCDoctor\cookw.exe
C:\Program Files\InternetAnonymizer\traymodule.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\WinAnonymous\GDC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\WinSpyControl\Up\gup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\WinAnonymous\data\GDCW.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: IEFW Object - {6F87F145-DC2D-4766-AF03-3A3B96FFAD98} - C:\Program Files\WinSpyControl\Tools\sbiebho.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: InternetAnonymizer - {7873A33B-E2A1-4a0b-A418-B6378908ABAD} - C:\Program Files\InternetAnonymizer\GIAToolBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugac] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugac.exe" -start
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com ad=http://winspycontrol.com sd=http://ykeeper.winspycontrol.com
O4 - HKLM\..\Run: [WinPCDoctor] C:\Program Files\WinPCDoctor\SysRep.exe
O4 - HKLM\..\Run: [cwriter] C:\Program Files\Common Files\WinPCDoctor\cookw.exe
O4 - HKLM\..\Run: [ptask] C:\Program Files\WinSpyControl\ptask.exe
O4 - HKLM\..\Run: [GIAReg] regsvr32 /s "C:\Program Files\InternetAnonymizer\GIAToolBar.dll"
O4 - HKLM\..\Run: [GIAN] C:\Program Files\InternetAnonymizer\traymodule.exe
O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
O4 - HKLM\..\Run: [WinAnonymous] C:\Program Files\WinAnonymous\GDC.exe
O4 - HKLM\..\Run: [gdcw] C:\Program Files\WinAnonymous\data\GDCW.exe
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: bimaculate - {d70e9b0f-aabc-4066-8176-c6de84d92fa1} - C:\WINDOWS\system32\kknwg.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: GIA Proxy Service (GIAProxyService) - InternetAnonymizer Corporation - C:\Program Files\InternetAnonymizer\GIAProxyService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: REJBANCSMJ - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\REJBANCSMJ.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 12920 bytes


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--
As I have continued working (while waiting for your next post) I have noted a significant improvement in pop up interruptions. YEA!

Still interested in making sure the whole system is cleaned up.


----------



## beenthere7659 (Mar 29, 2008)

Good morning (From California) Cookiegal--
I'm looking forward to your analysis of yesterday's efforts. I reported that popups had improved. OOPS! They are back. I have to be away from my desk most of today(Wednesday and tonight. I'll be on early Thursday to resume my (our) efforts. Thanks in advance.

Beenthere7659


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\Documents and Settings\Ben Gilmore\Application Data\install_en[1].exe
C:\Documents and Settings\Ben Gilmore\Application Data\setup_en[1].exe
C:\WINDOWS\system32\kknwg.dll
C:\Documents and Settings\Ben Gilmore\Local Settings\Temp\startup6cccf74f-c352-4fee-bb6a-06aed8634edc.exe

Folder::
C:\Documents and Settings\Ben Gilmore\Application Data\WinAnonymous
C:\Program Files\WinAnonymous
C:\Program Files\Common Files\WinAnonymous
C:\Documents and Settings\All Users\Application Data\WinAnonymous
C:\WinSpyControl
C:\Program Files\WinSpyControl
C:\Program Files\Common Files\WinSpyControl
C:\Documents and Settings\Ben Gilmore\Application Data\WinSpyControl
C:\Program Files\WinPCDoctor
C:\Program Files\Common Files\WinPCDoctor
C:\Documents and Settings\All Users\Application Data\winpcdoctor
C:\Documents and Settings\All Users\Application Data\SalesMon
C:\WINDOWS\SYSTEM32\375013
C:\Program Files\NetProject

Driver::
REJBANCSMJ

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F87F145-DC2D-4766-AF03-3A3B96FFAD98}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSpyControl"=- 
"ugac"=-
"bm"=- 
"WinPCDoctor"=- 
"cwriter"=- 
"ptask"=-
"WinAnonymous"=-
"gdcw"=- 
"Salestart(1)"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{d70e9b0f-aabc-4066-8176-c6de84d92fa1}"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## beenthere7659 (Mar 29, 2008)

I followed your instructions and posted a long response with the requested reports.
It has been two days now without any further input.
Likely it is because I don't understand something.
Can you e-mail, phone, enter here --- something to give me a clue to "next"?


----------



## Cookiegal (Aug 27, 2003)

Look at the post just above yours. I posted further instructions for you two days ago.


----------



## beenthere7659 (Mar 29, 2008)

Combined reports are too long- I'll try sending them individually.
ComboFix 08-04-01.2 - Ben Gilmore 2008-04-03 20:01:59.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -7:00]
Running from: C:\Documents and Settings\Ben Gilmore\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-02 08:55 . 2008-04-02 08:55 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 08:15 . 2008-04-02 08:16 d--------	C:\Program Files\USS
2008-04-02 08:15 . 2006-11-09 14:48	11,776	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wasfsd.sys
2008-03-31 16:22 . 2008-03-31 16:22 d--------	C:\Program Files\Computer stuff
2008-03-31 15:56 . 2008-03-31 15:56 d--------	C:\Program Files\Trend Micro
2008-03-31 10:54 . 2008-03-31 14:07 d--------	C:\Program Files\Easy SpyRemover
2008-03-29 15:07 . 2008-03-29 15:07 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Uniblue
2008-03-29 15:06 . 2008-03-29 15:06 d--------	C:\Program Files\Uniblue
2008-03-28 20:40 . 2007-02-13 08:09	388,126	--a------	C:\WINDOWS\SYSTEM32\sqlite3.dll
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Program Files\Common Files\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-03-19 17:26 . 2008-03-19 17:27 d--------	C:\Program Files\The Weather Channel FW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 01:47	---------	d-----w	C:\Program Files\ACT
2008-03-31 23:24	14,265	----a-w	C:\Program Files\3-31-08 4-24pm hijackthis.log
2008-03-28 18:21	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 07:04	---------	d-----w	C:\Documents and Settings\Ben Gilmore\Application Data\TheScruffs
2008-02-22 02:42	---------	d-----w	C:\Program Files\MSN Games
2008-02-17 07:36	104,768	----a-w	C:\Documents and Settings\Ben Gilmore\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 20:13	---------	d-----w	C:\Program Files\Microsoft Small Business
2008-02-16 20:07	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-02-16 20:03	---------	d-----w	C:\Program Files\Microsoft.NET
2008-02-16 20:02	---------	d-----w	C:\Program Files\MSXML 6.0
2008-02-16 19:15	---------	d-----w	C:\Program Files\Microsoft Silverlight
2006-05-17 20:21	630,784	------w	C:\Documents and Settings\Ben Gilmore\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Express ClickYes"="C:\Program Files\Express ClickYes\ClickYes.exe" [2005-07-27 01:39 32256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"DW4"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 15:51 1885464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 12:33 1388544]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 04:54 43008 C:\WINDOWS\SYSTEM32\WFXSNT40.EXE]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 12:00 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 12:16 98304]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 11:40 190464]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-31 16:15 364544 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"strpmon"="C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" [ ]
"giw"="C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" [2007-12-05 16:02 160645]
"Easy SpyRemover"="C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" [2007-11-09 17:54 3516088]
"USS"="C:\Program Files\USS\USS.exe" [2008-02-08 13:37 143360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE [2005-05-14 12:32:22 503808]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-12-31 16:18:45 98304]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe [2005-06-02 19:36:14 231936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys [2006-11-09 14:48]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 04:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-04-04 03:00:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2005-11-23 00:34:43 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\44B367EE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 20:03:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ArcSoft\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-04-03 20:04:27
ComboFix-quarantined-files.txt 2008-04-04 03:04:00
ComboFix2.txt 2008-04-04 02:56:55
ComboFix3.txt 2008-04-04 02:14:29
ComboFix4.txt 2008-04-01 22:23:08
Pre-Run: 37,676,425,216 bytes free
Post-Run: 37,665,996,800 bytes free
.
2008-03-12 10:06:09	--- E O F ---


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:54 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\USS\USS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10849 bytes


----------



## beenthere7659 (Mar 29, 2008)

This is the last message I see -- 
:Look at the post just above yours. I posted further instructions for you two days ago."
I found the instructions and sent you two reports yesterday afternoon (combined they were too long).
Did you get them?


----------



## beenthere7659 (Mar 29, 2008)

After posting that message (but not before??) , my two report messages openedd mysteriously. Making my message about sending them redundant. What am I doing wrong that they don't open first?


----------



## Cookiegal (Aug 27, 2003)

You're probably not refreshing your browser. The browser only gets refreshed if you make a post or refresh it manually.

Now, I need to know why you ran ComboFix 4 times. The log you posted is from the fourth run. I need to see the log from the second run, right after doing the fix I posted. please.


----------



## beenthere7659 (Mar 29, 2008)

If I type something here it weems to open more string??????????


----------



## beenthere7659 (Mar 29, 2008)

Wiuth each exchange, I learn something more about communicating. Perhaps we'll bot live long enough to solve my problem. Thank you for your patience and grace as well as your skill.

I ran Combofix 4 times before I figured out how to get the report to you! Now I've pretty well got that down - but - the old reports are gone. Is it possible to take it from here somehow?


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## beenthere7659 (Mar 29, 2008)

I click on hijackthis icon on desktop and get a window offering options for search and report------ no "Config"?


----------



## beenthere7659 (Mar 29, 2008)

Nothing comes easy!


----------



## Cookiegal (Aug 27, 2003)

Then you must be viewing it from the Main Menu. Click on *Open the Miscellaneous Tools section*.


----------



## beenthere7659 (Mar 29, 2008)

ACT!
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe PDF IFilter 6.0
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
ArcSoft PhotoImpression 5
Attachment Migration
Banctec Service Agreement
BPS Data Shredder 1.3.0.0
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
Digital Line Detect
EarthLink setup files
Easy SpyRemover 4.2
EPSON CX 3800 Guide
EPSON PhotoCenter
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
Express ClickYes 1.2
Galactic Civilizations II
Get High Speed Internet!
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Internet Service
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Learn2 Player (Uninstall Only)
LiveUpdate
Luxor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Small Business Connectivity Components
Microsoft Office XP Professional with FrontPage
Microsoft Office XP SBS Files
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Modem Helper
MSN
MSN Search Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My Way Search Assistant
NetWaiting
NetZeroInstallers
Quicken 2007
QuickTime
RealPlayer
SecondLife (remove only)
Secure Browsing
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Stardock Central
Sweetopia
The Print Shop® 6.0 Deluxe
The Scruffs
The Ultimate Troubleshooter
The Weather Channel Desktop
Uniblue RegistryBooster 2
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
USS_USSPlugin 2.0.17.0
USS_USSPlugin 2.0.17.0
Viewpoint Media Player
Virtual Earth 3D (Beta)
WD Backup
WD Diagnostics
WD Firewire HID Driver
Weather Services
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinFax PRO
WinSpyControl 2.2.362.6
WinTrace Remover 6.0.0.0
WordPerfect Office 12
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar


----------



## beenthere7659 (Mar 29, 2008)

These are things I recognize as popping up uninvited--
Easy SpyRemover 4.2
Uniblue RegistryBooster 2
WinSpyControl 2.2.362.6
WinTrace Remover 6.0.0.0


----------



## beenthere7659 (Mar 29, 2008)

Also the annonymouse software- I don't need annonymity.


----------



## Cookiegal (Aug 27, 2003)

Uninstall these via the Control Panel - Add/Remove programs:

*BPS Data Shredder 1.3.0.0
Easy SpyRemover 4.2
My Way Search Assistant
Viewpoint Media Player
WinSpyControl 2.2.362.6
WinTrace Remover 6.0.0.0*

Uniblue is not malicious but I don't recommend using such programs as they can do more harm than good. You may as well uninstall it also.

Now, why do I not see any anti-virus program listed?


----------



## beenthere7659 (Mar 29, 2008)

Did as instructed. Rebooted and produced the following report as before--
ACT!
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe PDF IFilter 6.0
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
ArcSoft PhotoImpression 5
Attachment Migration
Banctec Service Agreement
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
Digital Line Detect
EarthLink setup files
EPSON CX 3800 Guide
EPSON PhotoCenter
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
Express ClickYes 1.2
Galactic Civilizations II
Get High Speed Internet!
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Internet Service
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Learn2 Player (Uninstall Only)
LiveUpdate
Luxor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Small Business Connectivity Components
Microsoft Office XP Professional with FrontPage
Microsoft Office XP SBS Files
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Modem Helper
MSN
MSN Search Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
Quicken 2007
QuickTime
RealPlayer
SecondLife (remove only)
Secure Browsing
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Stardock Central
Sweetopia
The Print Shop® 6.0 Deluxe
The Scruffs
The Ultimate Troubleshooter
The Weather Channel Desktop
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
USS_USSPlugin 2.0.17.0
USS_USSPlugin 2.0.17.0
Virtual Earth 3D (Beta)
WD Backup
WD Diagnostics
WD Firewire HID Driver
Weather Services
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinFax PRO
WordPerfect Office 12
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar

On reboot there is a worrisom pane that won't move in the lower right of the screen regarding being attacked by virus. I delete it by pressing "block Attack" which produces a blank internet screen which I close immediately. Then it stays gone and I can operate the computer. 

A week prior to the pronlem, my AVG software malfunctioned. I removed it in preparation for installing a new AVG purchased version. The problems began before I got it installed. I purchased an AVG system, but it showed an error message on downloading. When the system is clean, I plan contacting AVG to help install it. -- Hope all this helps. What do you suggest I do next?


----------



## Cookiegal (Aug 27, 2003)

Do you know what program is generating that message? What is the entire message? Better yet, can you attach a screen shot?

You really need to get an anti-virus program installed immediately. Why don't you try to install the free version in the meantime?

http://free.grisoft.com/doc/2/


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal-
Thanks for hanging in with all my klutzing efforts. I will be sending a check.

It appears to me the only apparent problem is that annoying popup in the lower right of the startup screen when I boot. It reads in part-- 
Spyware attack detected.
Threat name "Tribalfusion.com"
Danger level "low"
Buttons "Allow attack" "Block Attavk"

The red close X in the pane's upper right does nothing, nor can I drag the pane out of the way of my lower right screen. When I click "block attack" it immediately starts loading a web site which I can immediatly close while it is still blank and the problem is gone until the next boot. However - If I have something else open on the web, it closes that as well.


----------



## Cookiegal (Aug 27, 2003)

Please post a new HijackThis log.


----------



## beenthere7659 (Mar 29, 2008)

Downloaded free AVG as suggested. Ran full AVG scan and found a list of trojans.
Was unable to find a way to print screen or extract the list.
Managed to print a hard copy of one of the lists to hard copy and scanned it to a picture file.
I see no way to attach the jpg file to this message. <sigh>

There were 8 trojans listed by AVG. I did not attempt to use AVG to deal with them.

Windows information gives me various ways to use "print Screen" - none work? Any ideas?
My dell KB has "Print Screen" ___over____ "SysRq" key


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:53 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\USS\USS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 11274 bytes


----------



## Cookiegal (Aug 27, 2003)

After you hit the Print Screen key, you have to open us MS Paint (you'll find it in Accessories) and then click on "Edit" and "paste" and the screen shot should appear in the Paint window. Then save it and change the file type to jpeg.

Then post a reply here and below the dialog box, click on Manage Attachments - then "Browse" to locate the file on your computer. Open the file and then click on "Upload" and that will upload it here. Then submit your reply.


----------



## beenthere7659 (Mar 29, 2008)

Searching the Tech Guy site for "Manage Attachments"??????????


----------



## beenthere7659 (Mar 29, 2008)

Notice the MSN note in tray.
I believe I uploaded the bood screen. Did it come through?
Nothing here indicates it is attached that I see.


----------



## beenthere7659 (Mar 29, 2008)

Hope this is useful


----------



## beenthere7659 (Mar 29, 2008)

see if this works--
Got this message---
AVG Virus list 4-5-08 12 noon001.jpg:
Your file of 614.0 KB bytes exceeds the forum's limit of 300.0 KB for this filetype. 

Is there a way to shrink the file? That is the way it came out of my scanner into the rile.


----------



## Cookiegal (Aug 27, 2003)

It's OK. I've seen it and deleted it as it was too large and we don't need it anymore.

Please download *SmitfraudFix* (by *S!Ri*) to your Desktop.

Double-click *SmitfraudFix.exe*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.


----------



## beenthere7659 (Mar 29, 2008)

Thank you Cookiegal-- I expected you to take the weekend off. You must really love helpint folks like us. It is appreciated!


----------



## beenthere7659 (Mar 29, 2008)

SmitFraudFix v2.309

Scan done at 11:55:22.14, Sun 04/06/2008
Run from C:\Documents and Settings\Ben Gilmore\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ben Gilmore

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ben Gilmore\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BENGIL~1\FAVORI~1

C:\DOCUME~1\BENGIL~1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

You should print out these instructions or copy them to a Notepad file for reading while in Safe Mode because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following:
Restart your computer
After hearing your computer beep once during startup but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear
Select the first option, to run Windows in Safe Mode then press "Enter"
Choose your usual account
Once in Safe Mode, double-click *smitfraudfix.exe*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process. Please copy/paste the content of that report into your next reply *along with a new HijackThis log*. The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--

When I click the smitfraudfix icon on my desktop in normal mode, I get the list of options 
"1,3,4..."

When I click on that icon in safe mode I get a different window without any numbered options? See attached screenshot.


----------



## Cookiegal (Aug 27, 2003)

Please attach the screen shot.


----------



## beenthere7659 (Mar 29, 2008)

I scroll(ed) down below this to manage attachments and browsed for the bmp file I saved from mspaint screenshot. clicked it and clicked upload. When the progress field indicated complete, I scrolled to the bottom and closed the page. Now I'll submit this reply. Hope you get it.


----------



## Cookiegal (Aug 27, 2003)

It's not there. After you've browsed to the file on your computer, you have to click on "Open" in that window first and then click on "upload".


----------



## beenthere7659 (Mar 29, 2008)

Did it come through? Is there a place on this site that indicates an attachment is fixed?


----------



## Cookiegal (Aug 27, 2003)

You would see it at the bottom of the post.


----------



## beenthere7659 (Mar 29, 2008)

I scroll down to "manage attachments and click
Then browse to the file containing the screenshot.
(note-- before trying this, I went to MSpaint and opened the file to make sure the shot was there. It was)
I hilighted the file and clicked open.
(note- I saw no change anywhere)
Then I clicked "upload"
(The progress field indicated upload)
Then I scrolled down to "close this window" and clicked
(Still no indications anywhere)
Cookiegal I'm at a loss.


----------



## Cookiegal (Aug 27, 2003)

Let's leave it for now and do this please:

Please download Malwarebytes Anti-Malware form *Here* or *Here*

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply along with a new HijackThis log please.

Extra Note:
*If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.*


----------



## beenthere7659 (Mar 29, 2008)

Malwarebytes' Anti-Malware 1.11
Database version: 600

Scan type: Quick Scan
Objects scanned: 34084
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 43
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e94eb13e-d78f-0857-7734-5e67a49ffff1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d70e9b0f-aabc-4066-8176-c6de84d92fa1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4567ab12-a884-4ca6-b739-cedb12fef096} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4567ab12-ae24-4fd6-b479-e2b464f32da6} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{_clsid_washellexecutecheck} (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d761645b-6b20-4698-aee8-729981152a82} (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw.2 (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14e6d991-db22-4661-981d-20c168d6847b} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2242513c-f5e9-41b3-bc89-4d9daf487450} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3b489b37-fc1b-45c8-b1ce-78d9aef5b336} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d6a6e24-fdff-418e-a93d-9fbdcba377af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e318e44-0c35-4292-af91-18dd17795636} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{495349a3-3a35-465f-88df-6ccfc1348246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{575e8879-d6cf-4992-a7fe-651da9277bcb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76a15001-ff88-47ee-9e34-9f68e34246af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{819a1c55-735f-4696-8727-3772ec87ad26} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8dc7e656-ffbc-4ba2-af81-1c6c4fe04407} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a86bed71-2b56-4778-9c48-829a3d01c687} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae119e11-cf86-43cb-91aa-1acf2bbf9ec6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a1ce7f-011d-4475-98db-076aaf3b1d18} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b667f141-171c-4ac6-bd2b-8e0c646fb920} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4f8351-05ef-4956-b9ab-1093b732436f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1e4e46d-53b8-45dc-abf0-3e7adef79012} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinPCDoctor (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinPCDoctor (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Service (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinSpyControl (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WinSpyControl (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\WinSpyControl (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinPCDoctor (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\sqlite3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSpyControl\Contact Customer Support.lnk (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSpyControl\Uninstall WinSpyControl.lnk (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSpyControl\WinSpyControl.lnk (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAnonymous\Contact Customer Service.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAnonymous\Uninstall WinAnonymous.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAnonymous\WinAnonymous unregistered.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAnonymous\WinAnonymous web page.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinPCDoctor\Contact Customer Service.lnk (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinPCDoctor\Uninstall WinPCDoctor.lnk (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinPCDoctor\WinPCDoctor.lnk (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gilmore\Desktop\WinPCDoctor.lnk (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gilmore\Desktop\WinAnonymous unregistered.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gilmore\Application Data\Microsoft\Internet Explorer\Quick Launch\WinAnonymous unregistered.lnk (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\WinSpyControl.lnk (Rogue.WinSpyControl) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben Gilmore\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal-

Don't know if this is a factor or not--

On my tool tray appears a note about trouble with the MSN Toolbar. When I click it I get a dialog box that I put on a screenshot. I'll try to attach it here.

Sigh Nothing appears at the foot of this note. I gues it is the same problem with screenshots.


----------



## beenthere7659 (Mar 29, 2008)

ignire this message please


----------



## beenthere7659 (Mar 29, 2008)

Perhaps the problem was .bmp rather than .jpg

At any rate, here is a screenshot of the pesky popup that blocks the lower right screen. The only way I have found to get rid of it is to click block attack which opens the web and I click the red X in the upper right before it does anything. What follows is a dialog box that informs me I have to close all tabs and I get kicked off the net.


----------



## beenthere7659 (Mar 29, 2008)

Let's see if it goes through as .jpg file


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:10 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10819 bytes


----------



## beenthere7659 (Mar 29, 2008)

Haven't seen you since early this morning?


----------



## beenthere7659 (Mar 29, 2008)

I'll be out of the office all day Wednesday 4/9/08


----------



## Cookiegal (Aug 27, 2003)

I'm sorry I wasn't able to get back to you yesterday.

Please open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## beenthere7659 (Mar 29, 2008)

I'm back at my desk


----------



## beenthere7659 (Mar 29, 2008)

I'll be gone most of tomorrow and here over the weekend.


----------



## Cookiegal (Aug 27, 2003)

I'm still waiting for you to carry out my last instructions.


----------



## beenthere7659 (Mar 29, 2008)

StartupList report, 4/10/2008, 10:56:20 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16608)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\PROGRA~1\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ben Gilmore\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMAXPnP = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
WinFaxAppPortStarter = wfxsnt40.exe
EPSON Stylus CX3800 Series = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
igfxpers = C:\WINDOWS\system32\igfxpers.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
WD Button Manager = WDBtnMgr.exe
strpmon = "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com
giw = "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start
Easy SpyRemover = C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
USS = "C:\Program Files\USS\USS.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Express ClickYes = C:\Program Files\Express ClickYes\ClickYes.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
DW4 = 
Uniblue RegistryBooster 2 = C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*


----------



## beenthere7659 (Mar 29, 2008)

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1 %*)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - c:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore).job
User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}.job
WTR.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\OGACheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=58813

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[CPlayFirstTriJinxControl Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.67.dll
CODEBASE = http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Java Plug-in 1.4.2_06]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: system32\DRIVERS\ABP480N5.SYS (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
adpu160m: system32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: system32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: system32\DRIVERS\agpCPQ.sys (system)
Aha154x: system32\DRIVERS\aha154x.sys (system)
aic78u2: system32\DRIVERS\aic78u2.sys (system)
aic78xx: system32\DRIVERS\aic78xx.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: system32\DRIVERS\aliide.sys (system)
ALI AGP Bus Filter: system32\DRIVERS\alim1541.sys (system)
AMD AGP Bus Filter Driver: system32\DRIVERS\amdagp.sys (system)
amsint: system32\DRIVERS\amsint.sys (system)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (autostart)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: system32\DRIVERS\asc.sys (system)
asc3350p: system32\DRIVERS\asc3350p.sys (system)
asc3550: system32\DRIVERS\asc3550.sys (system)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
catchme: \??\C:\DOCUME~1\BENGIL~1\LOCALS~1\Temp\catchme.sys (manual start)
cbidf: system32\DRIVERS\cbidf2k.sys (system)
cd20xrnt: system32\DRIVERS\cd20xrnt.sys (system)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
CmdIde: system32\DRIVERS\cmdide.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: system32\DRIVERS\cpqarray.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: system32\DRIVERS\dac2w2k.sys (system)
dac960nt: system32\DRIVERS\dac960nt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
dpti2o: system32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
drvmcdb: system32\drivers\drvmcdb.sys (system)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Intel(R) PRO Adapter Driver: system32\DRIVERS\e100b325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
hpn: system32\DRIVERS\hpn.sys (system)
HSFHWBS2: system32\DRIVERS\HSFHWBS2.sys (manual start)
HSF_DP: system32\DRIVERS\HSF_DP.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: system32\DRIVERS\i2omp.sys (system)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
ini910u: system32\DRIVERS\ini910u.sys (system)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
mraid35x: system32\DRIVERS\mraid35x.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: %systemroot%\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
SQL Server (MSSMLBIZ): "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (autostart)
SQL Server Active Directory Helper: "C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe" (disabled)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Intel NCS NetService: C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
perc2: system32\DRIVERS\perc2.sys (system)
perc2hib: system32\DRIVERS\perc2hib.sys (system)
Padus ASPI Shell: system32\drivers\pfc.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
ql1080: system32\DRIVERS\ql1080.sys (system)
Ql10wnt: system32\DRIVERS\ql10wnt.sys (system)
ql12160: system32\DRIVERS\ql12160.sys (system)
ql1240: system32\DRIVERS\ql1240.sys (system)
ql1280: system32\DRIVERS\ql1280.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
senfilt: system32\drivers\senfilt.sys (manual start)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
High-Capacity Floppy Disk Drive: system32\DRIVERS\sfloppy.sys (manual start)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: system32\DRIVERS\sisagp.sys (system)
smwdm: system32\drivers\smwdm.sys (manual start)
Sparrow: system32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQL Server Browser: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" (disabled)
SQL Server VSS Writer: "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
sscdbhk5: system32\drivers\sscdbhk5.sys (system)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
ssrtln: system32\drivers\ssrtln.sys (system)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{73E0F71F-2A9A-40F4-BBC8-EC953A4C6057} (manual start)
symc810: system32\DRIVERS\symc810.sys (disabled)
symc8xx: system32\DRIVERS\symc8xx.sys (system)
sym_hi: system32\DRIVERS\sym_hi.sys (system)
sym_u3: system32\DRIVERS\sym_u3.sys (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: system32\DRIVERS\toside.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: system32\DRIVERS\ultra.sys (system)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: system32\DRIVERS\viaagp.sys (system)
ViaIde: system32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): system32\DRIVERS\wanatw4.sys (manual start)
wasfsd: System32\drivers\wasfsd.sys (system)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
WinFax PRO: C:\WINDOWS\system32\WFXSVC.EXE (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 38,964 bytes
Report generated in 0.469 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## beenthere7659 (Mar 29, 2008)

Sorry-- I submitted the Startuplist log earlier and failed to note that it was too long and was not posted. Above is the list divided into two parts.


----------



## Cookiegal (Aug 27, 2003)

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders".
Click "Apply" then "OK".

Then navigate to these folders and delete them:

c:\Program Files\*WinPCDoctor*
C:\Program Files\*Easy SpyRemover*
C:\Program Files\Common Files\*WinPCDoctor*
c:\Documents and Settings\All Users\Application Data\*winpcdoctor*
c:\Documents and Settings\All Users\Start Menu\Programs\*WinPCDoctor*
C:\Program Files\Common Files\*InternetAnonymizer*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [strpmon] "C:\Program Files\Common Files\WinPCDoctor\strpmon.exe" dm=http://winpcdoctor.com ad=http://winpcdoctor.com sd=http://inspaid.winpcdoctor.com

O4 - HKLM\..\Run: [giw] "C:\PROGRA~1\COMMON~1\INTERN~1\giw.exe" -start

O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart*

Reboot and post a new HijackThis log please.


----------



## beenthere7659 (Mar 29, 2008)

NOTE--Removed and fixed files as directed. Thank you.
***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:34 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10625 bytes


----------



## Cookiegal (Aug 27, 2003)

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

*Upgrading Java*: 

Download the latest version of *Java Runtime Environment (JRE) 6 Update 5*.
Scroll down to where it says "* Java Runtime Environment (JRE) 6 Update 5. The Java SE Runtime Environment (JRE) allows end-users to run Java applications (the fourth one in the list).*".
Click the "*Download*" button to the right.
Check the box that says: "*Accept License Agreement*".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to *Start* - *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

How are things with your system now?


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--

All went well through opening Add/remove.
Add/remove showed two Java programs (see screen shot)
I got the same dialog note upon trying to remove either (see other screen shot)

Updated Java JAVA "jre-6u5 wind ..." appears on my desktop.

What next please?


----------



## Cookiegal (Aug 27, 2003)

When attaching screen shots, please resize them first as they are way too large and cause display problems.

I need you to check a key in the registry. NOTE: We are not changing or deleting anything, we are just looking.

Go to *Start *- *Run *- type *Regedit *and then click OK to open the registry editor.

Click the following registry hive in the left pane so it's highlighted in blue:

*HKEY_CLASSES_ROOT*

Click on *Edit *in the toolbar across the top and then click *Permissions *in the drop down menu.

Click *SYSTEM *under *Group or user names* to highlight it in blue and tell me what boxes are checked under *Allow *please.


----------



## beenthere7659 (Mar 29, 2008)

Instructions followed up to--"System" was not an alternative - Only "everyne"
I read help under MS Paint. Did not find how to drag size but did change size specs. Did it work? 

BTW-- The only time I see the attachments is AFTER I have posted the message. Is there a way to know they are attached BEFORE posting?


----------



## Cookiegal (Aug 27, 2003)

The size of that screenshot seems fine.

There should be more than just "Everyone" listed there so it looks like something has altered or damaged the registry.

Follow the instructions in this article to repair it.

http://support.microsoft.com/kb/315353

But first, create a backup of the registry by doing the following:

Please go to *Start *- *Run *and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called* registrybackup.reg *before continuing. If you do not see that file, please let me know before doing anything else.

I also suggest that you back up any important data, photos, etc. before doing this as a precaution.


----------



## beenthere7659 (Mar 29, 2008)

Registry repair done as directed. 
Both boxes are checked under "ALLOW"


----------



## Cookiegal (Aug 27, 2003)

Can you post a screen shot for me please?


----------



## beenthere7659 (Mar 29, 2008)

Sorry-- We had guests


----------



## beenthere7659 (Mar 29, 2008)

Are my responses too slow or too klutzy?
Things appear to have improved, but the Free AVG keeps telling me I have virus indications. I keep setting it aside waiting for the next instructions from you.


----------



## Cookiegal (Aug 27, 2003)

Please tell me what files AVG is flagging as infected. Post the log if you can.


----------



## Cookiegal (Aug 27, 2003)

Also, please do this:

Log on to your computer as an the administrator. You will have to do this in safe mode as you cannot log in as administrator in normal mode.

Go back to the same MS article and carry out steps 1 - 5 only.

Then reboot the computer.


Then try to uninstall the older versions of Java again and let me know if you're successful please.


----------



## beenthere7659 (Mar 29, 2008)

I misread the label on the pesky popup in the lower right. NOT AVG rather AVSystem. The files is lists as spyware flash by too quickly. The last one is "Comet Systems". There appears to be no way to print our or copy a list. It appears to me AVS is trying to force me to buy their software.

Avter going through the MS steps as administrator I attempted to remove the old JAVA files in both safe and normal mode logged on as Administrator. No luck. Screenshot is attached.See next message

I ran a full scan using Free AVG and received a clean report, i.s. nothreats found.

Thus- It appears the only problems left are Old JAVA, and the "false"(?) AVSystems popup. "Add/remove Programs" doesn't show any "AVSystems". OH-- And the "MSN Search Toolbar" note in the tool tray that produces a pane I sent a picture of some time ago.


----------



## beenthere7659 (Mar 29, 2008)

Sorry used wrong message format to add attachments.


----------



## beenthere7659 (Mar 29, 2008)

I can't download MSN Toolbar?


----------



## Cookiegal (Aug 27, 2003)

Go to this link and follow method 2 to reinstall the Windows Installer:

http://support.microsoft.com/kb/315346

Let me know how it goes.


----------



## beenthere7659 (Mar 29, 2008)

This screen comes up when the popup is clicked on "block threats"


----------



## Cookiegal (Aug 27, 2003)

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

 Click *START* then *RUN*
 Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.









Please visit *Combofix Guide & Instructions * for instructions for downloading and running the latest version of ComboFix. Then scan and post the log please.


----------



## beenthere7659 (Mar 29, 2008)

Went to kb/315346
Renamed a bunch of files as directed
Appeared to install latest Windows Installer

Rebooted
Attempted to download toolbar and got what appears to be the same message. See screenshot.

I'll go on to uninstall combofix as directed.


----------



## beenthere7659 (Mar 29, 2008)

Followed instructions and got a note that combofix had expired. See screenshot
Ran a search for combofix and got (screenshot)
Followed previous uninstall instructions a 2nd time and Windows could not find combofix.


----------



## Cookiegal (Aug 27, 2003)

Go ahead and download a new copy of ComboFix please and run the scan.


----------



## beenthere7659 (Mar 29, 2008)

ComboFix 08-04-14.2 - Ben Gilmore 2008-04-15 11:41:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.251 [GMT -7:00]
Running from: C:\Documents and Settings\Ben Gilmore\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-13 10:37 . 2008-04-13 10:37	80,481,722	--a------	C:\registrybackup.reg
2008-04-12 13:49 . 2008-04-12 13:49 d--------	C:\Program Files\MSECache
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Malwarebytes
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 11:55 . 2008-04-06 11:55	3,122	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-06 11:54 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-06 11:54 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-06 11:54 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-06 11:54 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-06 11:54 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe
2008-04-06 11:54 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-06 11:54 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-05 10:06 . 2008-04-05 10:06 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:06 . 2008-04-15 08:00 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\AVG7
2008-04-05 10:05 . 2008-04-05 10:05 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 10:05 . 2008-04-05 12:28 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-04-02 08:55 . 2008-04-14 17:45 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 08:15 . 2008-04-02 08:16 d--------	C:\Program Files\USS
2008-04-02 08:15 . 2006-11-09 14:48	11,776	--a------	C:\WINDOWS\SYSTEM32\DRIVERS\wasfsd.sys
2008-03-31 16:22 . 2008-03-31 16:22 d--------	C:\Program Files\Computer stuff
2008-03-31 15:56 . 2008-03-31 15:56 d--------	C:\Program Files\Trend Micro
2008-03-29 15:07 . 2008-03-29 15:07 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Uniblue
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Program Files\Common Files\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
2008-03-19 17:26 . 2008-03-19 17:27 d--------	C:\Program Files\The Weather Channel FW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 21:24	---------	d-----w	C:\Program Files\ACT
2008-03-31 23:24	14,265	----a-w	C:\Program Files\3-31-08 4-24pm hijackthis.log
2008-03-28 18:21	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 07:04	---------	d-----w	C:\Documents and Settings\Ben Gilmore\Application Data\TheScruffs
2008-02-22 02:42	---------	d-----w	C:\Program Files\MSN Games
2008-02-17 07:36	104,768	----a-w	C:\Documents and Settings\Ben Gilmore\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 20:13	---------	d-----w	C:\Program Files\Microsoft Small Business
2008-02-16 20:07	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-02-16 20:03	---------	d-----w	C:\Program Files\Microsoft.NET
2008-02-16 20:02	---------	d-----w	C:\Program Files\MSXML 6.0
2008-02-16 19:15	---------	d-----w	C:\Program Files\Microsoft Silverlight
2006-05-17 20:21	630,784	------w	C:\Documents and Settings\Ben Gilmore\chatlnk.exe
.

((((((((((((((((((((((((((((( [email protected]_15.22.42.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-15 16:41:06	2,048	--s-a-w	C:\WINDOWS\BOOTSTAT.DAT
- 2000-08-31 15:00:00	163,328	----a-w	C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28	163,328	----a-w	C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 15:00:00	73,728	----a-w	C:\WINDOWS\fdsv.exe
+ 2000-08-31 15:00:00	80,412	----a-w	C:\WINDOWS\grep.exe
+ 2008-03-12 10:06:05	2,560	----a-r	C:\WINDOWS\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2000-08-31 15:00:00	98,816	----a-w	C:\WINDOWS\sed.exe
+ 2005-12-21 17:23:51	2,684	------w	C:\WINDOWS\SoftwareDistribution\EventCache\{1D551155-A0EC-41CC-A7AF-D8287256948C}.bin
+ 2000-08-31 15:00:00	161,792	----a-w	C:\WINDOWS\swreg.exe
+ 2000-08-31 15:00:00	136,704	----a-w	C:\WINDOWS\swsc.exe
+ 2000-08-31 15:00:00	212,480	----a-w	C:\WINDOWS\swxcacls.exe
+ 2004-08-04 11:00:00	2,000	------w	C:\WINDOWS\SYSTEM\KEYBOARD.DRV
+ 2004-08-04 11:00:00	2,032	------w	C:\WINDOWS\SYSTEM\MOUSE.DRV
+ 2004-08-04 11:00:00	1,744	------w	C:\WINDOWS\SYSTEM\SOUND.DRV
+ 2004-08-04 11:00:00	2,176	------w	C:\WINDOWS\SYSTEM\VGA.DRV
+ 2004-08-12 13:56:48	1,788	------w	C:\WINDOWS\SYSTEM32\Dcache.bin
+ 2004-11-16 09:05:00	2,239	------w	C:\WINDOWS\SYSTEM32\dla\tfsndres.sys
+ 2004-08-12 13:58:39	2,000	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\keyboard.drv
+ 2004-08-12 13:59:09	2,560	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\lz32.dll
+ 2004-08-12 14:00:01	2,032	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\mouse.drv
+ 2004-08-12 14:02:43	2,944	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\null.sys
+ 2004-08-12 14:05:57	1,744	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\sound.drv
+ 2004-08-12 14:08:22	2,176	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\vga.drv
+ 2004-08-12 14:09:38	2,864	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\winsock.dll
+ 2004-08-12 14:09:39	2,112	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\winspool.exe
+ 2004-08-12 14:10:22	2,736	-c----w	C:\WINDOWS\SYSTEM32\DLLCACHE\wowdeb.exe
+ 2008-04-05 17:05:46	821,856	----a-w	C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
+ 2008-04-05 17:05:50	4,224	----a-w	C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
+ 2008-04-05 17:05:51	27,776	----a-w	C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
+ 2008-04-05 17:05:58	10,760	----a-w	C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2008-04-05 17:05:58	26,952	----a-w	C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2004-08-12 14:06:15	2,944	------w	C:\WINDOWS\SYSTEM32\DRIVERS\drmkaud.sys
+ 2004-08-12 14:02:43	2,944	------w	C:\WINDOWS\SYSTEM32\DRIVERS\null.sys
+ 2004-08-12 13:58:39	2,000	------w	C:\WINDOWS\SYSTEM32\keyboard.drv
+ 2004-08-12 13:59:09	2,560	------w	C:\WINDOWS\SYSTEM32\lz32.dll
+ 2004-08-12 14:00:01	2,032	------w	C:\WINDOWS\SYSTEM32\mouse.drv
+ 2004-08-12 14:05:57	1,744	------w	C:\WINDOWS\SYSTEM32\sound.drv
+ 2005-03-03 19:00:00	2,693	------w	C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FAIFACA.DAT
+ 2005-03-03 19:00:00	2,693	------w	C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\epsonstylus_cx380080bf\E_FAIFACA.DAT
+ 2004-08-12 14:08:22	2,176	------w	C:\WINDOWS\SYSTEM32\vga.drv
+ 2004-08-12 14:09:38	2,864	------w	C:\WINDOWS\SYSTEM32\winsock.dll
+ 2004-08-12 14:09:39	2,112	------w	C:\WINDOWS\SYSTEM32\winspool.exe
+ 2004-08-12 14:10:22	2,736	------w	C:\WINDOWS\SYSTEM32\wowdeb.exe
+ 2000-08-31 15:00:00	49,152	----a-w	C:\WINDOWS\VFind.exe
+ 2000-08-31 15:00:00	68,096	----a-w	C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Express ClickYes"="C:\Program Files\Express ClickYes\ClickYes.exe" [2005-07-27 01:39 32256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"DW4"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 12:33 1388544]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 04:54 43008 C:\WINDOWS\SYSTEM32\WFXSNT40.EXE]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 12:00 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 12:16 98304]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 11:40 190464]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-31 16:15 364544 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"USS"="C:\Program Files\USS\USS.exe" [2008-02-08 13:37 143360]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 05:47 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 10:05 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE [2005-05-14 12:32:22 503808]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-12-31 16:18:45 98304]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe [2005-06-02 19:36:14 231936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R0 wasfsd;wasfsd;C:\WINDOWS\system32\drivers\wasfsd.sys [2006-11-09 14:48]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 04:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-04-15 18:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2005-11-23 00:34:43 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\44B367EE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 11:48:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-15 11:55:46
ComboFix-quarantined-files.txt 2008-04-15 18:54:43
ComboFix2.txt 2008-04-04 03:04:28
ComboFix3.txt 2008-04-04 02:56:55
ComboFix4.txt 2008-04-04 02:14:29
ComboFix5.txt 2008-04-01 22:23:08

Pre-Run: 37,267,447,808 bytes free
Post-Run: 37,302,849,536 bytes free
.
2008-03-12 10:06:09	--- E O F ---


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:18 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10407 bytes


----------



## Cookiegal (Aug 27, 2003)

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\WINDOWS\SYSTEM32\DRIVERS\wasfsd.sys

Folder::
C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer

DirLook::
C:\Program Files\USS

Driver::
wasfsd

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"=-
```
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


----------



## beenthere7659 (Mar 29, 2008)

ComboFix 08-04-14.2 - Ben Gilmore 2008-04-15 15:58:24.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -7:00]
Running from: C:\Documents and Settings\Ben Gilmore\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ben Gilmore\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\DRIVERS\wasfsd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\InternetAnonymizer
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\Abbr
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\customeremail
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\customername
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\customerpassword
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\oid
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\PCID
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\InternetAnonymizer\Data\Suspicious
C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer
C:\Documents and Settings\Ben Gilmore\Application Data\InternetAnonymizer\Logs\update.log
C:\WINDOWS\SYSTEM32\DRIVERS\wasfsd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WASFSD
-------\Service_wasfsd

((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-13 10:37 . 2008-04-13 10:37	80,481,722	--a------	C:\registrybackup.reg
2008-04-12 13:49 . 2008-04-12 13:49 d--------	C:\Program Files\MSECache
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Malwarebytes
2008-04-08 09:51 . 2008-04-08 09:51 d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 11:55 . 2008-04-06 11:55	3,122	--a------	C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-06 11:54 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-06 11:54 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-06 11:54 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-06 11:54 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-06 11:54 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\SYSTEM32\Process.exe
2008-04-06 11:54 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-06 11:54 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-05 10:06 . 2008-04-05 10:06 d--------	C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-05 10:06 . 2008-04-15 08:00 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\AVG7
2008-04-05 10:05 . 2008-04-05 10:05 d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-05 10:05 . 2008-04-05 12:28 d--------	C:\Documents and Settings\All Users\Application Data\avg7
2008-04-02 08:55 . 2008-04-14 17:45 d--------	C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 08:15 . 2008-04-02 08:16 d--------	C:\Program Files\USS
2008-03-31 16:22 . 2008-03-31 16:22 d--------	C:\Program Files\Computer stuff
2008-03-31 15:56 . 2008-03-31 15:56 d--------	C:\Program Files\Trend Micro
2008-03-29 15:07 . 2008-03-29 15:07 d--------	C:\Documents and Settings\Ben Gilmore\Application Data\Uniblue
2008-03-28 20:36 . 2008-03-28 20:36 d--------	C:\Program Files\Common Files\InternetAnonymizer
2008-03-19 17:26 . 2008-03-19 17:27 d--------	C:\Program Files\The Weather Channel FW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 21:24	---------	d-----w	C:\Program Files\ACT
2008-03-31 23:24	14,265	----a-w	C:\Program Files\3-31-08 4-24pm hijackthis.log
2008-03-28 18:21	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 07:04	---------	d-----w	C:\Documents and Settings\Ben Gilmore\Application Data\TheScruffs
2008-02-22 02:42	---------	d-----w	C:\Program Files\MSN Games
2008-02-17 07:36	104,768	----a-w	C:\Documents and Settings\Ben Gilmore\Application Data\GDIPFONTCACHEV1.DAT
2008-02-16 20:13	---------	d-----w	C:\Program Files\Microsoft Small Business
2008-02-16 20:07	---------	d-----w	C:\Program Files\Microsoft SQL Server
2008-02-16 20:03	---------	d-----w	C:\Program Files\Microsoft.NET
2008-02-16 20:02	---------	d-----w	C:\Program Files\MSXML 6.0
2008-02-16 19:15	---------	d-----w	C:\Program Files\Microsoft Silverlight
2006-05-17 20:21	630,784	------w	C:\Documents and Settings\Ben Gilmore\chatlnk.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\USS ----

2008-04-02 08:16	5849	--a------	C:\Program Files\USS\unins000.dat 
2008-04-02 08:16	4	--a------	C:\Program Files\USS\#agents\53\#startup 
2008-04-02 08:15	9664	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.dat 
2008-04-02 08:15	692569	--a------	C:\Program Files\USS\unins000.exe 
2008-04-02 08:15	692569	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe 
2008-03-06 18:03	86165	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.xml 
2008-02-08 13:37	143360	--a------	C:\Program Files\USS\USS.exe 
2008-02-07 18:13	2142208	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll 
2007-04-19 17:14	22941	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.xml 
2007-04-12 14:26	61440	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe 
2006-11-09 20:27	398336	--a------	C:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.dll

((((((((((((((((((((((((((((( snapshot_2008-04-15_11.53.54.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 16:41:06	2,048	--s-a-w	C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-15 23:06:18	2,048	--s-a-w	C:\WINDOWS\BOOTSTAT.DAT
- 2000-08-31 15:00:00	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-21 03:02:28	163,328	----a-w	C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Express ClickYes"="C:\Program Files\Express ClickYes\ClickYes.exe" [2005-07-27 01:39 32256]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 12:33 1388544]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 02:05 127035]
"WinFaxAppPortStarter"="wfxsnt40.exe" [1998-07-27 04:54 43008 C:\WINDOWS\SYSTEM32\WFXSNT40.EXE]
"EPSON Stylus CX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.exe" [2005-02-07 12:00 98304]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-22 12:16 98304]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 11:40 190464]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-31 16:15 364544 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"USS"="C:\Program Files\USS\USS.exe" [2008-02-08 13:37 143360]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 05:47 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 10:05 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE [2005-05-14 12:32:22 503808]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 22:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-12-31 16:18:45 98304]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe [2005-06-02 19:36:14 231936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\ACT\\ActUpdt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [1998-07-27 04:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-12 01:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-04-15 23:20:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2005-11-23 00:34:43 C:\WINDOWS\Tasks\WTR.job"
- C:\Program Files\BulletProofSoft.com\WinTrace Remover\44B367EE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 16:07:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-04-15 16:20:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 23:20:23
ComboFix2.txt 2008-04-15 18:55:47
ComboFix3.txt 2008-04-04 03:04:28
ComboFix4.txt 2008-04-04 02:56:55
ComboFix5.txt 2008-04-04 02:14:29

Pre-Run: 37,502,468,096 bytes free
Post-Run: 37,489,102,848 bytes free
.
2008-03-12 10:06:09	--- E O F ---


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:46 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\USS\USS.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10427 bytes


----------



## Cookiegal (Aug 27, 2003)

Did you just install this?

*C:\Program Files\ACT*

Please delete this entire folder. If you can't delete it in normal mode then boot to safe mode to delete it:

C:\Program Files\*USS *

Reboot and post a new HijackThis log please.


----------



## beenthere7659 (Mar 29, 2008)

"Delete C:\Program Files\ACT"

ACT is a contact management file in which I have data on 8000 contacts with notes. It is my bread and butter-- I live and die by ACT.

The software was originally from Symantec, now Sage Software.
What prompted your recommendation?

"Delete C:\Program Files\USS"
I don't recognize anything in this area. I've opened it for you (screenshot)

Please reconfirm your instructions before I delete them.


----------



## Cookiegal (Aug 27, 2003)

I didn't tell you to delete the ACT folder.

You should only delete the one that follows:

C:\Program Files\*USS *


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:01 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10489 bytes


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

*O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe*

How are things now?


----------



## beenthere7659 (Mar 29, 2008)

The AVSystems popup seems to have gone away.

I'll attach two screen shots about MSN Search toolbar. See tray and what follows clisking it.

When I reboot I have to choose normal or recovery before Windows opens.

Again-- Thanks for your grace and patience.
Going for the hijack drill now---


----------



## beenthere7659 (Mar 29, 2008)

sorry


----------



## Cookiegal (Aug 27, 2003)

> When I reboot I have to choose normal or recovery before Windows opens


This is normal because you have the recovery console installed. You need to select Windows each time. The recovery console can help you recover your system if there is a major problem and it becomes unbootable.

Please try to uninstall the MSN Toolbar and reinstall it.


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--

Tried to uninstall MSN Toolbar - unsuccessful in both normal and safe mode.

It tells me toolbar version = 02.01.0000.2214 go to Toolnar.msn.com

I go there and try to download--
I get Windows Suite not installed
Code: 0X80070641 Windows Installer not installed.

Are you able to sort all this out and help me?


----------



## beenthere7659 (Mar 29, 2008)

Am I safe now in downloading automatic updates? See screenshot


----------



## Cookiegal (Aug 27, 2003)

Before running the updates, let's try running this Windows Installer Cleanup utility that may repair the installer.

http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

See if the MSN toolbar gets properly uninstalled with that and then reboot the computer and try downloading it again.


----------



## beenthere7659 (Mar 29, 2008)

Am I safe using this?

"Warning The Windows Installer CleanUp Utility is provided "as is" to help resolve installation problems for programs that use Microsoft Windows Installer. If you use this utility, you may have to reinstall other programs. Caution is advised. We recommend that you do not use this utility with 2007 Office system products."

I believe I'm using 2007 products.


----------



## Cookiegal (Aug 27, 2003)

Then you'd better not run it.

Can you post a new HijackThis uninstall list log please.


----------



## beenthere7659 (Mar 29, 2008)

I'm assuming 2007 since I've been using Windows for years. Is that too paranoid?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:20 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ACT\act.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\ACT\ActEmail.exe
C:\PROGRA~1\ACT\DrvWd6.wpi
C:\PROGRA~1\ACT\actwp.wpi
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?8a09e4a47a0547df8b10dd5e5f202be5
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 10555 bytes


----------



## beenthere7659 (Mar 29, 2008)

I'll be out of my office all day Thursday. 
See you Friday?
Thanks in advance.


----------



## Cookiegal (Aug 27, 2003)

It was the uninstall list that I asked for.

Open HijackThis and click on "Config" and then on the "Misc Tools" button. If you're viewing HijackThis from the Main Menu then click on "Open the Misc Tools Section". Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


----------



## beenthere7659 (Mar 29, 2008)

ACT!
Adobe Flash Player ActiveX
Adobe PDF IFilter 6.0
Adobe Reader 7.0.9
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
ArcSoft PhotoImpression 5
Attachment Migration
AVG 7.5
Banctec Service Agreement
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
Digital Line Detect
EarthLink setup files
EPSON CX 3800 Guide
EPSON PhotoCenter
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
Express ClickYes 1.2
Galactic Civilizations II
Get High Speed Internet!
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Learn2 Player (Uninstall Only)
LiveUpdate
Luxor
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008
Microsoft Office Accounting 2008 Equifax Addin
Microsoft Office Accounting 2008 Fixed Asset Manager
Microsoft Office Accounting 2008 PayPal Addin
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Small Business Connectivity Components
Microsoft Office XP Professional with FrontPage
Microsoft Office XP SBS Files
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Modem Helper
MSN
MSN Search Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
Quicken 2007
QuickTime
RealPlayer
SecondLife (remove only)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Stardock Central
Sweetopia
The Print Shop® 6.0 Deluxe
The Scruffs
The Ultimate Troubleshooter
The Weather Channel Desktop
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URGE
USS_USSPlugin 2.0.17.0
USS_USSPlugin 2.0.17.0
Virtual Earth 3D (Beta)
WD Backup
WD Diagnostics
WD Firewire HID Driver
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinFax PRO
WordPerfect Office 12
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar


----------



## Cookiegal (Aug 27, 2003)

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
**NOTE* If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## beenthere7659 (Mar 29, 2008)

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Express ClickYes" = "C:\Program Files\Express ClickYes\ClickYes.exe" ["ContextMagic.com"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"Uniblue RegistryBooster 2" = "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"WinFaxAppPortStarter" = "wfxsnt40.exe" [MS]
"EPSON Stylus CX3800 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"" ["SEIKO EPSON CORPORATION"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"WD Button Manager" = "WDBtnMgr.exe" ["Western Digital Technologies, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSN Search Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll" [MS]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "EpsonToolBandKicker Class"
\InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.01.0000.2214\en-us\msnlExt.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
-> {HKLM...CLSID} = "MSN Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.01.0000.2214\en-us\deskbar.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

Default executables:
--------------------

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"

<<!>> HKCU\Software\Classes\.hta\(Default) = "htafile"

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\dell.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\dell.bmp"

Startup items in "Ben Gilmore" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Controller" -> shortcut to: "C:\Program Files\Symantec\WinFax\WFXCTL32.EXE" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WD Backup Monitor" -> shortcut to: "C:\Program Files\My Book\WD Backup\uBBMonitor.exe" ["ArcSoft, Inc."]
"Windows Desktop Search" -> shortcut to: "C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe /startup" [MS]

Enabled Scheduled Tasks:
------------------------

"McAfee.com Scan for Viruses - My Computer (BEN-Ben Gilmore)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" [file not found]
"User_Feed_Synchronization-{78505AA2-5AFB-43D2-88F8-B35E9479A7C6}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"WTR" -> launches: "C:\Program Files\BulletProofSoft.com\WinTrace Remover\44B367EE" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN Search Toolbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN Search Toolbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll" [MS]
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"
-> {HKLM...CLSID} = "EPSON Web-To-Page"
\InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll" ["Yahoo! Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "MSN Search Toolbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll" [MS]
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = (no title provided)
-> {HKLM...CLSID} = "EPSON Web-To-Page"
\InProcServer32\(Default) = "C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{D81CA86B-EF63-42AF-BEE3-4502D9A03C2D}\
"ButtonText" = "MUSICMATCH MX Web Player"
"Script" = "http://wwws.musicmatch.com/mmz/openWebRadio.html" [file not found]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SQL Server (MSSMLBIZ), MSSQL$MSSMLBIZ, ""C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ" [MS]
SQL Server VSS Writer, SQLWriter, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
WinFax PRO, wfxsvc, "C:\WINDOWS\system32\WFXSVC.EXE" ["Symantec Corporation"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus CX3800 Series 2KMonitor5A\Driver = "E_FLMACA.DLL" ["SEIKO EPSON CORPORATION"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
WinFax Ports\Driver = "WFXMNT40.DLL" [MS]

---------- (launch time: 2008-04-18 13:31:58)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 84 seconds, including 18 seconds for message boxes)


----------



## Cookiegal (Aug 27, 2003)

Nothing there.

Your uninstall list shows you're running this version of Office:

Microsoft Office XP Professional with FrontPage

Since it's not Office 2007, you can go ahead and run the Windows Installer Cleanup Utility.


----------



## beenthere7659 (Mar 29, 2008)

Downloaded Windows Installer Cleanup to desk top.
Attempted to run it. Would not load (see screen shot)


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start *- *Run *- type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## beenthere7659 (Mar 29, 2008)

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 4/20/2008
Time: 7:52:03 PM
User: N/A
Computer:	DELL3000
Description:
The mrtRate service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 4/19/2008
Time: 9:42:48 AM
User: DELL3000\Ben Gilmore
Computer:	DELL3000
Description:
The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10010
Date: 4/19/2008
Time: 9:41:35 AM
User: DELL3000\Ben Gilmore
Computer:	DELL3000
Description:
The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 4/19/2008
Time: 9:13:48 AM
User: N/A
Computer:	DELL3000
Description:
The mrtRate service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Do you have Quicken installed? If not, did you have it before and uninstalled it?


----------



## beenthere7659 (Mar 29, 2008)

Yes, Quicken appears to be installed. I have yet to use it.
That is a future project. 
Why do you ask?


----------



## Cookiegal (Aug 27, 2003)

Because one of those errors is related to Quicken's atomatic update service.

You can disable it:

Start Quicken.

In the Edit menu point to Options and select *Internet Options*.

Select *Don't use Background Downloading *and click OK.

Reboot after doing that and then wait about 24 hours and then check the event viewer log again and post any new errors that occur during that 24 hour time period.


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--

Again, I am awed by your patience and expertice.

Regarding Quicken-- I was unable to locate the means to follow your directions. Since I do not fear that software and intend to (eventually) get around to using it, I proceded to wait 24 hours then post the recent listed errors.

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 4/22/2008
Time: 2:58:49 PM
User: N/A
Computer:	DELL3000
Description:
Hanging application ActEmail.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 41 63 74 45 6d 61 ActEma
0018: 69 6c 2e 65 78 65 20 30 il.exe 0
0020: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0028: 6e 20 68 75 6e 67 61 70 n hungap
0030: 70 20 30 2e 30 2e 30 2e p 0.0.0.
0038: 30 20 61 74 20 6f 66 66 0 at off
0040: 73 65 74 20 30 30 30 30 set 0000
0048: 30 30 30 30 0000

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 4/21/2008
Time: 10:34:34 AM
User: N/A
Computer:	DELL3000
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 4/21/2008
Time: 10:34:34 AM
User: N/A
Computer:	DELL3000
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 4/21/2008
Time: 10:34:34 AM
User: N/A
Computer:	DELL3000
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Beginning System Errors

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 4/25/2008
Time: 8:59:36 AM
User: N/A
Computer:	DELL3000
Description:
The mrtRate service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 4/22/2008
Time: 9:18:04 AM
User: N/A
Computer:	DELL3000
Description:
The mrtRate service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7000
Date: 4/22/2008
Time: 9:10:54 AM
User: N/A
Computer:	DELL3000
Description:
The mrtRate service failed to start due to the following error: 
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

There seems to be a problem with Windows updates.

Lets try this Automated Windows Update Fix.

Download *WUFix.zip* and unzip to your desktop.
Double-Click WUFix.bat to run fix.
You will see a window open and commands processing. When the window closes the fix will have completed.
Restart the computer.
This fix will clear the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of IE Popup Blocker, starts all dependent services, registers required DLLS, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains update history and Event log, and deletes BITS pending download queue.

Once done, go back to the *Windows Update Website* (You must use the Microsoft Internet Explorer to do this). Check your history to see if the update is already installed.


----------



## beenthere7659 (Mar 29, 2008)

I followed steps 1-4 as directed. History screenshot is attached. Looks like update is not installed?


----------



## Cookiegal (Aug 27, 2003)

Try resetting IE7 per these instructions:

http://blogs.msdn.com/ie/archive/2006/06/12/628499.aspx


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal--
I followed instructions for RIES.
On restarting IE numerous attempts I got a stall out. See screen shot.

I attempted MS live toolbar install per tool tray prompt. It errored. See screenshot.

So not I don't have an IE homepage.


----------



## Cookiegal (Aug 27, 2003)

Can you not reset your home page?


----------



## beenthere7659 (Mar 29, 2008)

Yes, ma'am--
I have reset my home page to techguy.org.
When I open IE is still get "Welcome to IE, please set settings and it stall out on setting.


----------



## Cookiegal (Aug 27, 2003)

Then I suggest you roll back to IE6 and then reinstall IE7.


----------



## beenthere7659 (Mar 29, 2008)

Every now and then a box appears labeled "Wndows Installer" saying "Preparing to install."
It goes away and nothing happens.


----------



## beenthere7659 (Mar 29, 2008)

How do I do that?


----------



## Cookiegal (Aug 27, 2003)

Did you ever run the Windows Installer Cleanup Utility?

To roll back to IE6 you have to uninstal IE7 in the Control Panel.


----------



## beenthere7659 (Mar 29, 2008)

Cookiegal-

There was an ominous warning pane when I prepared to uninstall IE7 - screenshot.

I tried again to run Windows installer clean up utility - screenshot

This thing seems to be getting deeper and deeper into a mess, even with clean virus rating.

Is there, perhaps, a safe way to go back to ground zero without messing up and having to redo my LAN?


----------



## Cookiegal (Aug 27, 2003)

I'm going to ask someone else to take a look and see if he can help.


----------



## Rollin' Rog (Dec 9, 2000)

Run *regedit* and check the location below to see if there is a policy restriction for the installer. I've seen the "can't be accessed" message produced by one before:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]

>> Try running the Windows Installer Cleanup utility or anything which involves running the instaler in "Clean Boot" mode. Use the Cleanup utility ONLY to remove programs you want uninstalled when ADD/Remove programs has failed to do the job.

CLEAN BOOT TROUBLESHOOTING technique XP

Run *msconfig* and select the "Services" tab. *Check "Hide Microsoft Services"* and then disable the rest. Also uncheck "load startup group" on the general page.

See this link for detailed information:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;310353
http://support.microsoft.com/kb/929135 << for Vista, but applies equally to XP, and better written.

Now restart and test the issue at hand

If no problems, run *msconfig* and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in "selective" startup mode - you should note what these are before beginning. They will need to be de-selected again.


----------



## Cookiegal (Aug 27, 2003)

Thanks Rog.


----------



## Rollin' Rog (Dec 9, 2000)

:up:


----------



## beenthere7659 (Mar 29, 2008)

Thanks for passing along the advice.
Should I try to wade through that or will you be able to guide me through it?

With much gratitude for what has been accomplished--
BWG


----------



## beenthere7659 (Mar 29, 2008)

This box is popping up every few minutes and stopping other progress . It says "Preparing to install" I click the close button and it changes to "cancelling", goes away for a bit then cycles again.


----------



## Rollin' Rog (Dec 9, 2000)

Can you tell what it is that is trying to be installed?

Also, just let me know what part of the "clean booting" instructions you might be hung up on.

I tried to make it pretty simple, the Vista link is also quite basic. The idea is to test what ever you are having problems with in normal mode, in a clean boot and see what happens there. This should rule out conflicts with most startups such as antivirus or other security programs which can sometimes be problematic.

>> Have you run *regedit* to see if there is any policy key with restrictions for the installer?

Also, do this, run *%temp%*

With the temp folder open do a search for:

*msi*.log*

See if you can zip up and upload the last dated log here as an attachment.


----------



## Rollin' Rog (Dec 9, 2000)

Also, if you are having problems installing the latest version of the installer -- try this "stand alone" version:

http://www.softpedia.com/get/Authoring-tools/Setup-creators/Microsoft-Windows-Installer.shtml


----------



## beenthere7659 (Mar 29, 2008)

Rog-
The box that keeps popping up is labeled "Windows Installer". I believe I posted a screenshot of it a while back.

Frequency of popup varries. Just before I shut down it was continuous cycle. I could click on empty screen and put it into the background, but it would not go away.

Since booting just now, no sign of it so far.
***
I'm not using Vista, rather, XP.

Clean booting makes sense to me. I'll re-read your instructions for questions before trying.
***
I'll also reread regedit instructions for questions
***
Just now I ran %temp%, then opened start->search-> for files and folders-> all files & folders-> msi*.log Search found nothing.
***
I
ll check instructions (above) and continue or query you next. P.S. Still no Windows Installer popup. Hmmm


----------



## beenthere7659 (Mar 29, 2008)

Rog--

The last message was posted after---
booting going directly to IE->Techguy.org and no popups.
After posting I opened MS Outlook and immediantly started back to back cycles of the Installer popup. 

Came back here to tell you about that and the popup continues here with somewhat less frequency. Also here I can cancel and click blank area to subordinate "canceling" phase until recycle.

I'll try regedit now.


----------



## beenthere7659 (Mar 29, 2008)

START-> run->regedit

Got a long list of extensions to start with followd by a list of file names. No HKEY files on the list?

Next I clicked on the MSCUU2.exe icon Cookiegal had me download (clean up utility). It stalls out on the problem popup, "preparing to install".

I'll try the msconfig procedure next.


----------



## beenthere7659 (Mar 29, 2008)

Rog--

Followed instructions. All went well.

The Windows Installer popup started cycling the moment I opened Outlook.

I was unable to write you until reverting to normal startup.

Now I'm in normal startup again and writing. I went directly from boot to IE and no popup -- so far.

The clean boot instructions had nothing to say about a restart with the problem still there??
Is there a next step or ???

I'll wait for your answer


----------



## Rollin' Rog (Dec 9, 2000)

If things are copacetic in a complete clean boot, but return in normal startup -- you need to try to isolate the program or service causing a problem.

This is done by following the "disable by halves" method and testing each configuration.

However, please explain clearly for me the current issue.

Are there any errors being generated by the Windows Installer? Is it just that the installer itself runs on reboot in normal startup and never finishes anything or leaves an error message?

If the problem occurs with Outlook only, you may need to do a repair of Outlook if possible -- or uninstall and reinstall it. After uninstalling it, use the Installer Cleanup Utility to remove any remnants and then reinstall it. This is usually caused by the installer looking for something and not finding it, often this can occur after trying to update Outlook through Windows update.

>>> Have you tried updating the Windows Installer by downloading and running the latest Beta version I gave a link to? >> http://www.softpedia.com/get/Authoring-tools/Setup-creators/Microsoft-Windows-Installer.shtml. Install this in "clean boot" mode.

With respect to *regedit* I don't know why you would get what you report -- make sure you spelled it correctly and if necessary run it as regedit.exe


----------



## beenthere7659 (Mar 29, 2008)

A pane occasionally asks if I want to report an error to MS. I usually reply, yes.
I received a link from MS (attached screenshot).
*What is your recommendation?* If I try and it fails to install I have added more unfinished stuff to a mess. If it works the ???


----------



## beenthere7659 (Mar 29, 2008)

Screenshot did not load?


----------



## Cookiegal (Aug 27, 2003)

I think the regedit problem may be due to file associations. Please save the following xp_regfile.zip to your desktop. Unzipt it and double-click on the xp_regfile.reg file and allow it to enter into the registry.

http://www.dougknox.com/xp/fileassoc/xp_regfile.zip

After doing that, try opening the registry editor again by *Start *- *Run *- type in *regedit *and click OK.


----------



## Cookiegal (Aug 27, 2003)

No, your screenshot did not attach.


----------



## beenthere7659 (Mar 29, 2008)

Thanks for continuing to help-

My computor was freshly rebooted. Recall the Windows pop up doesn't appear to begin until I have opended Outlook.

So, I loaded xp_regfe.zip -- see screenshot
Then I opened it -- see screenshot before opening Outlook for the first time.
then I opened Outlook and the pop ups started.
Then I opened it again,-- see screenshot after opening Outlook

I have no idea if that made any difference and hope I have followed your instructions properly.


----------



## Cookiegal (Aug 27, 2003)

I deleted the screenshots as they were way too big with huge white spaces. Please resize your screenshots before uploading them.

This had nothing to do with Outlook.

It looks like you tried to run the regfix file from the zipped file without unzipping it. You need to unzip the file to your desktop and then double-click the file with the .reg extension.

This was to enable you to open *regedit* (the registry editor).


----------



## beenthere7659 (Mar 29, 2008)

I am virgin in this area. Please suggest appropriate sizing.


----------



## Cookiegal (Aug 27, 2003)

A standard photo size of around 640 x 480 or smaller is good.


----------



## beenthere7659 (Mar 29, 2008)

xp_regfile.zip I have this icon on my desk top.
I dbl click it and get xp_regfile.reg
That brings up a file download security warning-- I click RUN
And get Reg Editor, "Are you sure you want to add the information... I click YES
And get, "Information in C:... ... has been successfully entered into the registry
I click OK and the string ends.

I go back to the desktop and right click the xp_regfile.zip
It brings up a menu with nothing about unzipping.

What am I doing wrong?


----------



## beenthere7659 (Mar 29, 2008)

How's this?


----------



## Rollin' Rog (Dec 9, 2000)

I'm not sure what we are troubleshooting here.

Installer problems?

Have you tried updating to the latest "standalone" version I linked to before?

MS errors will be reflected in the Event Viewer, either the System or Applications log depending on whether it was an Applications or driver error.

>>> for Outlook issues -- what installlation media was originally used? It may need to be reinstalled. My suspicion is that you have gotten an update from Windows update that is failing to install.

>> as for this "Information in C:... ... has been successfully entered into the registry" that should mean the action completed successfully.

You should now be able to run regedit.


----------



## beenthere7659 (Mar 29, 2008)

I ran regedit just now. Screenshot attached. What am I looking for?
***
Regarding cleanboot and stand alone install. Your instructions (reference #137 4/27) covered "if no problems occur"... The problem DID occur. Is there something to gain from that?
*** 
Further discussion about the problem---

After booting, the "Windows Installer "Preparing to install" pane does not begin cycling until I open Outlook. Once I open Outlook the pane pops up whereever I am. (4 times as I have typed this paragraph.)

If you have the patience, I'll follow your best judgement, but I need you to hold my hand and guide step by step. Cookiegal appears to have successfully guided me through to eliminate the virus problem. I'll be satisfied if I can get Outlook to behave.

Thanks in advance-- Beenthere 7659


----------



## Rollin' Rog (Dec 9, 2000)

First, running *regedit* let's see if there are any installer policies present:

Navigate to:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]

Make sure that you do not have this key value present in the right pane of the installer key

Name:* DisableMSI*
Type: REG_DWORD (DWORD Value)
Value: (0 = default, 1 = admin only, 2 = disabled)

>> If you do, right click on it and delete it.

Next, let's create our own logging policy.

Download and unzip the attached file. To unzip it, RIGHT click on it and select "extract" from the context menu.

Once it is extracted, run it and confirm the merge to the registry. You should get the "successful" message as before.

Now do something you may need to try more than once that invokes the installer.

After that does its thing, whatever it does, run *%temp%* to open the temporary directory.

Now search again for *msi*.log* and see if any are found.

Upload the last one here as an attachment.


----------



## beenthere7659 (Mar 29, 2008)

I opened the link you suggested and got (see screenshot). Saw nothing on right of screen thqat looked like "Disable..." but was not sure how to proceed????


----------



## Cookiegal (Aug 27, 2003)

You've entered the registry key into a search engine. Rog is asking you to look in your registry of your computer.

I think we'd better create a back-up of the registry first in case you make a mistake.

Please go to *Start *- *Run *and copy and paste the following and then click OK:

*regedit /e c:\registrybackup.reg*

It won't appear to be doing anything and that's normal. Your mouse pointer may turn to an hour glass for a minute.

When it no longer has the hour glass, check in your C drive to be sure you have a file called* registrybackup.reg *before continuing. If you do not see that file, please let me know.

You can still go ahead an do the following, even if you can't find the registry backup as it will just export a key and not make any changes.

Please go to *Start *- *Run *and copy and paste the following and then click OK:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer"*

Now go to C: and look for the C:\look.txt file. Open it with Notepad and copy and paste the entire contents here.


----------



## beenthere7659 (Mar 29, 2008)

Registrybackup.reg was found.

C:\look.txt..... pasted below
***

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated]
@=dword:00000001


----------



## Rollin' Rog (Dec 9, 2000)

The policies are default.

Can we proceed to part 2 of my suggestions and create a policy for "verbose" installer logging -- and then after you have the problem with the installer launching and quitting -- see if you can find an "msi" log for it?

Once the registry file is entered correctly your Installer key should look like the attached shot.


----------



## beenthere7659 (Mar 29, 2008)

=== Verbose logging started: 5/6/2008 10:22:37 Build type: SHIP UNICODE 3.01.4000.4039 Calling process: C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE ===
MSI (c) (34:44) [10:22:37:156]: Resetting cached policy values
MSI (c) (34:44) [10:22:37:156]: Machine policy value 'Debug' is 0
MSI (c) (34:44) [10:22:37:156]: ******* RunEngine:
******* Product: {90280409-6000-11D3-8CFE-0050048383C9}
******* Action: 
******* CommandLine: **********
MSI (c) (34:44) [10:22:37:203]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (34:44) [10:22:37:203]: Grabbed execution mutex.
MSI (c) (34:44) [10:23:07:687]: Failed to connect to server. Error: 0x80080005

MSI (c) (34:44) [10:23:07:687]: Failed to connect to server.
MSI (c) (34:44) [10:23:07:687]: MainEngineThread is returning 1601
=== Verbose logging stopped: 5/6/2008 10:23:07 ===

******* Two Logs had same time and date ****************

=== Verbose logging started: 5/6/2008 10:23:07 Build type: SHIP UNICODE 3.01.4000.4039 Calling process: C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE ===
MSI (c) (34:54) [10:23:07:796]: Resetting cached policy values
MSI (c) (34:54) [10:23:07:796]: Machine policy value 'Debug' is 0
MSI (c) (34:54) [10:23:07:796]: ******* RunEngine:
******* Product: {90280409-6000-11D3-8CFE-0050048383C9}
******* Action: 
******* CommandLine: **********
MSI (c) (34:54) [10:23:07:796]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (34:54) [10:23:07:796]: Grabbed execution mutex.
MSI (c) (34:54) [10:23:37:875]: Failed to connect to server. Error: 0x80080005

MSI (c) (34:54) [10:23:37:875]: Failed to connect to server.
MSI (c) (34:54) [10:23:37:890]: MainEngineThread is returning 1601
=== Verbose logging stopped: 5/6/2008 10:23:37 ===


----------



## Rollin' Rog (Dec 9, 2000)

Most likely the installer service is corrupted; that is what I would conclude from the combination of these two "errors":



> MSI (c) (34:44) [10:23:07:687]: Failed to connect to server. Error: 0x80080005
> 
> MSI (c) (34:44) [10:23:07:687]: Failed to connect to server.
> MSI (c) (34:44) [10:23:07:687]: MainEngineThread is returning 1601


So let's get back to the task of finding a method to reinstall it.

Download the setup available here to a convenient location on your hard drive:

http://www.softpedia.com/get/Authoring-tools/Setup-creators/Microsoft-Windows-Installer.shtml

Once it has downloaded follow my previous "Clean boot" instructions and boot in that mode. DO NOT disable any Microsoft services!!.

Run the installer setup and if there are any errors, note them.

If it completes successfully reboot and see if the previous installer issue continues to occur.


----------



## beenthere7659 (Mar 29, 2008)

Rog--
I'm sorry friend, but you give me too much credit.

I open the URL you gave me. It presents me with numerous alternatives. None of which I understand. I pick the most likely one and it loops me back to the start without (apparently) downloading anything.

I fear creating more garbage in the system. Would you care to give me more explicit directions for downloading the installer?


----------



## Rollin' Rog (Dec 9, 2000)

Sorry I guess that can be a bit confusing to the uniitiated.

Here is a direct link to the XP 32 bit version of the package:

http://download1us.softpedia.com/dl...uthoring/WindowsInstaller-KB893803-v2-x86.exe

I'm hoping that it will install, but since it uses the Windows installer itself, I'm not so sure. The Vista versions have their own "stand-alone" package.


----------



## beenthere7659 (Mar 29, 2008)

I did a clean boot as instructed- Did not hide MS services and did uncheck "load startup group". I was not permitted to uncheck:
DCOM Server Process Launcher
Remote Procedure Call (RPC) Launcher 
Remote Procedure Call (RPC)
"Because Windows would not function w/o them"

I rebooted in clean mode.
I got a "successfully Installed" for Windows Installer.

I rebooted in "Normal Mode".
The only thing in the tool tray was "MSN Search Toolbar" -- I clicked it.
Was informed thatI should reinstall using toolbar.msn.com
I tried (see screenshot)

Then I opened Outlook where the problem usually begins.
Rather than click to make the "starting installer" note, I let it run its course (See error message screenshot)

Thanks in advance-- I wish you could log onto my machine and sort through all this stuff.


----------



## beenthere7659 (Mar 29, 2008)

They appear not to have loaded


----------



## beenthere7659 (Mar 29, 2008)

Somehow the other did not load


----------



## Rollin' Rog (Dec 9, 2000)

> I did a clean boot as instructed- Did not hide MS services and did uncheck "load startup group". I was not permitted to uncheck:
> DCOM Server Process Launcher
> Remote Procedure Call (RPC) Launcher
> Remote Procedure Call (RPC)
> "Because Windows would not function w/o them"


My instructions were:


> DO NOT *disable* any Microsoft services!


 To follow that you HIDE the Microsoft services before disabling anything remaining.

You disabled Microsoft services -- probably the installer service.

I'm surprised that the installer setup even completed.

Have you re-enabled all that you disabled on the Services tab?

Just enable everything there.


----------



## beenthere7659 (Mar 29, 2008)

Rog--

I misread your note of 6 May 11:16.

Reboot in "Normal" mode appears to have put everything back in order. All boxes on Services tab are checked.

If you will lead, I will follow explicitly!


----------



## beenthere7659 (Mar 29, 2008)

Rog--

Since the installer problem appears to be tied to Outlook.
And
Since there was a security update (screenshot) aboutthe time the problem started.
Could they be related?


----------



## Rollin' Rog (Dec 9, 2000)

Well It shows installed -- so I don't really know.

I don't think the error reported in post 132 is really a show stopper; it is probably related to the specific site being accessed.

Can you verify that the installer error with Outlook still happens?

>> If you run *regedit* and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer

In the right pane is the "image path" >>

*c:\windows\system32\msiexec.exe /V*

>> If you use Windows Explorer to navigate to

c:\windows\system32\msiexex.exe

and Right click on it and select Properties > Version, what is the version number?


----------



## beenthere7659 (Mar 29, 2008)

The problem remains
Version #1.0.0.9 (Screenshot)


----------



## Rollin' Rog (Dec 9, 2000)

Lol, what is that about?

You searched for some Epson printer drivers?


----------



## beenthere7659 (Mar 29, 2008)

Davigated as directed (see screenshot)
No (?) Properties.. Version??


----------



## Rollin' Rog (Dec 9, 2000)

You searched in the registry editor, not Explorer.

But let's assume the Windows Installer is properly installed since you reported the message "sucessful".

What I'd like to test is a manual install of any pending update, not necessarily a "critical" one -- but an "optional", non- driver, update from Windows Update.

What I'd like you to do is visit Windows Update and see what updates are still available.

Just copy the ID of one or two and let me know what they are; I will see if I can find a manual update version for you to try.

I want to know if this "installer" error is occuring on all setups that use the Windows Installer or just something in particular.

Alternately if you have a program you want to test installing -- you can try that.

By the way if you really want to bite the bullet -- XP SP3 is available.

I installed it without issue -- but I'm not sure I can heartily recommend this to you -- but it might be a last resort option.


----------



## beenthere7659 (Mar 29, 2008)

In order to use MS updates I must... Screenshot


----------



## beenthere7659 (Mar 29, 2008)

To open Updates I must install--- Screenshot
It showed Installation complete.
Now I'll search for some updates to suggest.
I searched update history (It is what came up)-- 

Update for Windows Media Format 11 SDK for Windows XP (KB929399) Cancelled

Windows Internet Explorer 7.0 for Windows XP Cancelled

Windows Genuine Advantage Notification (KB905474) Failed

Security Update for Windows XP (KB913446) Failed

Now I'll try to find a list of available updates---

This is what I found--- Is there anything in this mess with which you can work?
*****
More high-priority updates are available
Your computer might be at risk until you install them. Check for the remaining updates and install them now.

Express 

Restart now to finish installing updates
Your computer will not be up to date until you restart it. Please save any open files, photos or documents and restart now. 



Installation Summary

Successful: 0 
Failed: 1 
Remaining: 1 


--------------------------------------------------------------------------------

Successful Updates 


--------------------------------------------------------------------------------


Failed Updates
For help installing an update successfully, see the solution under each problem description.


Problem: End User License Agreement (EULA) Not Accepted
Solution: Check for updates again and wait while you install updates. You will be asked to accept the EULA before any updates with a EULA can be installed.

Problem: Not Enough Disk Space
Solution: To make more space available, run the Disk Cleanup tool or uninstall any programs that you dont use. For directions, see Help and Support on your computer.

Problem: Automatic Updates is currently installing updates
Solution: Please wait until Automatic Updates is complete and then check your update history. At that time, if the update has failed to install, you can try installing it from the website. 
Note: To view Automatic Updates progress, click the updating icon in your System Tray. 

Problem: Please check your update history for a description.

Problem: A problem on your computer is preventing updates from being downloaded or installed 
Solution: To fix the problem, try installing the updates again. If that doesn't work, use the Troubleshooter to try solve the problem.

Microsoft Windows XP
Windows XP Service Pack 3 (KB936929)


--------------------------------------------------------------------------------


Remaining High-Priority Updates
Your computer might be at risk until you install all high-priority updates. These updates help protect against security threats and performance problems.


Microsoft Office 2007
Microsoft Office Accounting 2008 US Service Pack 1 (KB949426)


----------



## Rollin' Rog (Dec 9, 2000)

I think I found something relevant to your problem, so I want you to first try the "fix" described below. The article seems right on the money for your "verbose" logging errors.

http://support.microsoft.com/kb/321497

1.	Click Start, and then click Run.
2.	In the Open box, type *msiexec /unreg*, and then click OK.
3.	When this process is complete, click Start, and then click Run.
4.	In the Open box, type *msiexec /regserver*, and then click OK.
5.	When this process is complete, reinstall the update.

>> Also let me know how much disk space you have available.


----------



## beenthere7659 (Mar 29, 2008)

Rog-
I ran both those. It did not appear to do anything.
I have 37 gigs free HD space.

Suggest something for me to install please.

Windows Installer "Preparing to install" is still with me.


----------



## Rollin' Rog (Dec 9, 2000)

Is this the Office 2007 Security update that remains pending >>

http://www.microsoft.com/downloads/...71-9098-4125-ae91-7d4c83ea58ad&displaylang=en



> Remaining High-Priority Updates
> Your computer might be at risk until you install all high-priority updates. These updates help protect against security threats and performance problems.
> 
> *Microsoft Office 2007*
> Microsoft Office Accounting 2008 US Service Pack 1 (KB949426)


----------



## beenthere7659 (Mar 29, 2008)

I suppose so--

I pasted what it reported.


----------



## Rollin' Rog (Dec 9, 2000)

Well try saving the setup to your hard drive from the download option on that link.

Then run the setup and see how it goes. If you get an error, upload or copy the "msi" log for it as you did before so I can have a gander.


----------



## beenthere7659 (Mar 29, 2008)

Attempted sp 3 See screenshots.

What are my next steps?


----------



## Rollin' Rog (Dec 9, 2000)

Right click on the Start button -- do you see "open All Users" as an option there?

This is an indication of whether you are logged on with Administrative rights; if it isn't there you are not.

>>> Also, please do this, search for c:\windows\*svcpack.log*

Right click on it and select "copy"

Save the file to the desktop, then right click again and select Send To "compressed (zip) folder"

Upload that here as an attachment.

>>> Do the same for:*c:\windows\setupapi.log*


----------



## beenthere7659 (Mar 29, 2008)

I am logged on as Admin.
Here are the zip files


----------



## Rollin' Rog (Dec 9, 2000)

There are a humongous number of "access is denied" errors in the "setupapi" log.

Many of them seem to reference combofix for some reason and I cannot tell whether they actually refer to the SP3 install. I don't know why combofix should be involved.

Would you navigate to c:\windows\setupapi.log, right click on it and rename it "setupapiold.log"

Then run the SP3 setup again and after you get the error zip and upload the newly created setupapi.log

>> Also has chkdsk /r been run on this drive since these problems began?

>> Finally I'd like you to download the attached "secedit" file and unzip it and copy the enclosed files to

c:\windows\system32

But don't do anything with them at this time. We may wish to try the resetting of security settings per the MS article here:

http://support.microsoft.com/?kbid=313222

But these files are not a part of MS HOME; if you have XP Professional then you do not need to download and copy the attached.


----------



## beenthere7659 (Mar 29, 2008)

Rog--
I restarted SP3 install and it almost finished before "Access Denied" (screenshot).
Then it started cleaning up and replaced a big bunch of files.
I then sdid a new setupapi.log zip (attached) as directed.

I do not recall running chkdsk /r since problem.

BTW-- it was while working with Cookiegal that I was directed to download Combofix.

I hesitate to bite off too many chunks at a time.

I'll stop here and await your next suggestions.


----------



## Rollin' Rog (Dec 9, 2000)

We may have to wait on this; I am currently unable to download any uncorrupted zipped attachment.

I believe the problem is site related and involves the attachments server but must wait for others to confirm.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, it looks like attachments are working again.

I still see too many "access is denied" errors in that log for it to be practical to deal with them one by one.Some mention "combofix" for some reason.

So let's try to use a method of resetting security permissions using a command line tool.

1 > Download and unzip the previously attached "secedit.zip" file.

2 > Copy the files to c:\windows\system32

3 > Reboot the computer

4 > Go to Start, run and enter *cmd*

5 > At the command prompt enter (or copy/paste) >

*secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose*

It would be best to copy/paste that line rather than type it;

I have never run this command, so I don't know exactly what to expect from it. It may take some time to finish -- perhaps 15 minutes or more.

Note any error messages.

Reboot the computer after it completes and attempt any install which was previously giving errors.

If this doesn't work, there is another, slightly more complicated method we can try.


----------



## beenthere7659 (Mar 29, 2008)

Came across this at WXPNEWS-- Could it be pertinent to my situation?
***
News, Hints, Tips and Tricks

The XP SP3 vicious reboot cycle

SP3 is finally out, but some folks are reporting that after installing it on some computers, the system goes into continuous reboot mode. This happens because something in SP3 (on some hardware configurations) causes the computer to crash during the boot process and the OS is set to automatically reboot after a crash. This recently happened to Jesper Johansson, a fellow Enterprise Security MVP, and his blog contains an excellent discussion of what the problem (s) might be and what to do about it: 
http://www.wxpnews.com/Q7QJE3/080513-SP3-Reboot

Warning: you can't roll back to IE 6 after installing SP3

If you're running IE7 on your XP computer and you install Service Pack 3, it appears you won't be able to go back to IE6 afterward. At least that's the word from Jane Maliouta on the MSDN web site. Same thing applies if you've installed a beta of IE8 - there'll be no going back to IE7 after installing the service pack. So if you want to roll back your browser, you need to do it before installation of SP3. Read more here: 
http://www.wxpnews.com/Q7QJE3/080513-Rollback-Browser

Office 2007 SP1 coming to automatic update near you

Service Pack 1 for Office 2007 has been available for download for months, but if you don't want to install it for some reason, be aware that it's to be released to Automatic Update in June, so you'll need to take steps to prevent it from being installed automatically (such as setting your computer to download updates but not install them until you give permission). 
http://www.wxpnews.com/Q7QJE3/080513-Office-2007-SP1

To download SP1 now, go to 
http://www.wxpnews.com/Q7QJE3/080513-Office-2007-SP1-Download

XP SP3 Support Site

Microsoft is providing unlimited installation and compatibility support for XP SP3, valid until April 2009. You can get support via email, live chat or telephone. To find out more, see the support web site at http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid


----------



## beenthere7659 (Mar 29, 2008)

Rog--

I'm ready to follow your instructions - but - I'm too uninformed to come up with an application to install. I have concluded that I want to wait on installing SP3 until the dust settles. I was previously unable to uninstall IE7 and go back to IE6 so those are out. I'm looking for a suggestion of some sort of harmless program to use for this test. It appears that any program will not install so anything should be useful for this, but I'm to uninformed to know what is available.
May I have a suggestion please?


----------



## Rollin' Rog (Dec 9, 2000)

Go ahead and follow the instructions anyway.

Then try to install the pending "office" updates from Windows Update.

Or download one manually (probably best), such as this if you don't have it >>

http://www.microsoft.com/downloads/...71-9098-4125-ae91-7d4c83ea58ad&displaylang=en


----------



## beenthere7659 (Mar 29, 2008)

My delay in responding--

I successfully installed MS Office Accounting 2008 SP1 KB949426
Plus two additional reccomended downloads. 
I do not intend to download SP# for a while until others are recommending it. 
Then--
The MSN Live that had been popping up in the tray successfully downloaded and installed. Finally-- The popup Installer error that plagued Outlook has not appeared in two days.

I don't know what was accomplished, but the problems appear to have left my computer. You and CookieGal may as well take credit for it!

My last Question--
Given all that, am I safe in deinstalling the tools you two have had me put on my Desktop:
Hijackthis
Easy Spy Remover
Smitfraud
mbam-setup.exe
Malwarebytes' Anti-malware
Combofix
SetupAPI

Thank you both for your patience and instruction.
Beenthere7659


----------



## Rollin' Rog (Dec 9, 2000)

That's great -- what was the last "fix" or attempt at resolution you ran -- just so we might have some clue as to what might have worked?

I'll let Cookiegal have the final word -- but there is nothing I have had you install that you need to keep.

HijackThis is always good to have around -- but i wouldn't keep it on the desktop if that's where you are running it from.


----------



## Cookiegal (Aug 27, 2003)

I'm glad to hear you guys got this sorted out. :up:

I certainly didn't have you install Easy Spy Remover as that's a rogue program so definitely remove it from your desktop.


Please post a new HijackThis log so I can be sure all is well.


----------



## beenthere7659 (Mar 29, 2008)

Came across this at WXPNews---
Sounds a lot like my problem WAS. Haven't replied until now to see that all appears to be running properly. I have "Easy Spy remover.exe on my desk top but it is NOT listed in my add/remove list. I'll run hijack this and send in the next message-------------

QUESTION:
I use IE7 on my XP Pro machine. Recently something went wrong with the program and tabbed browsing does not work. If I try to open a second tab, it says "Connecting ...", and there it stops. Explorer won't close. I tried to uninstall IE7, but there is no such option. What should I do? - Jaco T.

ANSWER:
This seems to be a common problem and usually the cause is an IE add-on. But first, make sure you aren't running XP in classic mode. If you're running XP Pro, it's possible (although unlikely if you haven't been editing Group Policy) that a policy is forcing Windows to run in Classic view. To check that, run gpedit.msc to open the Group Policy Editor (note that this does not work in XP Home). Navigate to User Configuration | Administrative Templates | Windows Components | Windows Explorer | Force Classical View. Ensure that this policy is disabled.

Next we'll consider that an add-on may be doing it. Not all add-ons have this effect, but computer users have reported that it happens with some of them. The first thing I would do is go to Tools | Manage Add-ons and select Enable or Disable Add-ons. This will show you a list of all the add-ons that are loaded in IE. You may be surprised at how many there are. You can click the name of an add-on and click the option button to disable it, without uninstalling it. This will let you test, one at a time, to see if it's an add-on that's causing your problem.

If that's not the culprit, you might have a damaged IE installation. There are two files that need to be in the System 32 folder: xmllite.dll and ieui.dll. If these are missing, you need to restore them. You can down an update package for xmllite at 
http://www.wxpnews.com/Q7QJE3/080603-IE7-Tabbed-Browsing

If all else fails, you should be able uninstall IE 7 (so you can reinstall it) by using the Add or Remove Programs applet in Control Panel or by running Spuninst.exe. For more info on how to use both methods, see KB article 927177 at 
http://www.wxpnews.com/Q7QJE3/080603-Re-install-IE7


----------



## beenthere7659 (Mar 29, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:31 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Express ClickYes\ClickYes.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ACT\act.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techguy.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135186932531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121183721218
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\Software\..\Telephony: DomainName = workgroup
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14FE8EC-0A4B-454C-8108-C949F9DD1E46}: Domain = gilmores
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = workgroup
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gilmores,belkin
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--
End of file - 9996 bytes


----------



## Cookiegal (Aug 27, 2003)

I trust you've removed EasySpy Remover from your desktop.

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 6*.
Scroll down to where it says * Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications* (the fifth one in the list).
Click the "*Download*" button to the right. A new page will open.
Select your platform and check the box that says: *I agree to the Java SE Runtime Environment 6 License Agreement*.
Click *Continue*.
Click on the link under *Windows Offline Installation* (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Go to *Start* - *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Close any programs you may have running - especially your web browser.
Then from your desktop double-click on the download to install the newest version.

Here are some final instructions for you.

The following program will remove the tools we've used and their associated files and backups and then it will delete itself.

Please download *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Make sure you have an Internet Connection.
Double-click *OTMoveIt.exe* to run it. (Vista users, please right-click on *OTMoveIt2.exe* and select "Run as an *Administrator*")
Click on the *CleanUp!* button
A list of tool components used in the cleanup of malware will be downloaded.
If your firewall or real-time protection attempts to block OTMoveIt2 to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application which will delete itself.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose *Yes.*

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading  *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

Delete Temporary Files:

Go to *Start* - *Run* and type in *cleanmgr* and click OK. 
Let it scan your system for files to remove. 
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. 
Press OK to remove them.


----------



## beenthere7659 (Mar 29, 2008)

You wrote, "I trust you've removed EasySpy Remover from your desktop." I have not. It shows, "Eastspyremover_setup.exe" on my desktop, but I found no such program in my ContolPanel Add/Remove list. I searhed for the file and the only listing is on my desktop. It is not listed as a "short cut". Will I be rid of it by just deleting the desktop icon? -- Or going to the search results and deleting the file listed there?


----------



## beenthere7659 (Mar 29, 2008)

Firewall query-- I have a 2-station LAN. Previous techies (a year ago) recommended not using a firewall because it often hampers communications. I have purchased and installed AVG and that install program encouraged me strongly to install their firewall. I did not. What is your suggestion and comment please.


----------



## Cookiegal (Aug 27, 2003)

You already uninstalled it via Add/Remove programs early on in this thread. Drag the file from your desktop to the recycle bin and then delete this folder if it still exists:

C:\Program Files\*Easy SpyRemover*

Then empty the recycle bin.


----------



## Cookiegal (Aug 27, 2003)

If you're using a router then you would be fine with just the XP firewall which should not interfere. Otherwise, you should have a third party firewall. If configured properly a firewall should not be a problem.


----------



## beenthere7659 (Mar 29, 2008)

"Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start &#8211; All Programs &#8211; Accessories &#8211; System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create."

All went well. System restore shows "off" after reboot.
--BUT --
I can find no "Start &#8211; All Programs &#8211; Accessories &#8211; System Tools " to click?


----------



## Cookiegal (Aug 27, 2003)

You don't have a Start menu?


----------



## beenthere7659 (Mar 29, 2008)

Opening START -> ? no "All Programs"
Opening START -> Programs -> ? no "All..."
Shoiuld I do something to each item in "Programs"?
If so, where sill I find System Restore?
also
I found no "Start..." on "My Computer-> System Restore tab?


----------



## Cookiegal (Aug 27, 2003)

Can you get to Accessories?


----------



## beenthere7659 (Mar 29, 2008)

All suggestions on msg #204 sucessfuly completed. Thanks for your patience!
Last little desktop clean up queries--
HijackThis and HJT setup.exe icons are both on desktop. Which should I remove?
When will I use this tool in the future?
Microsoft Word Icon has a (3) below it. Have I downloaded 3 duplicate copies?
mbam-setup.exe icon is still there. Delete it it?
Malwarebytes icon is still there?
jre-6u5-windows-j586-p.exe icon still there?
Fileformatconverters.exe still there?
Installer.zip still there?
Installer.reg still there?
Windows Installer Update package still there?
Setupapi.log still there?
Windows Installer Live Executable icon still there?
I've listed icons I wonder if should be shown on desktop. Can you help?


----------



## Cookiegal (Aug 27, 2003)

Uninstall these programs via the Control Panel - Add/Remove programs:
*
HijackThis 
MalwareBytes Anti-Malware*

Delete the following files from your desktop:
jre-6u5-windows-j586-p.exe
Fileformatconverters.exe
Installer.zip
Installer.reg
Setupapi.log

I'm not sure about these (whether they are the actual program or installers. What are the actual file names?
Windows Installer Update package
Windows Installer Live Executable icon


----------



## beenthere7659 (Mar 29, 2008)

Keep or delete icons left on my desktop -----------------
WindowsInstaller-KB893803-v2-x86.exe
WLinstaller.exe
msicuu2.exe
Malwarebytes' Anti-Malware
mbam-setup.exe
HJTsetup.exe
HijackThis (short cut)


----------



## Cookiegal (Aug 27, 2003)

WindowsInstaller-KB893803-v2-x86.exe --->Delete
WLinstaller.exe ---> Delete
msicuu2.exe ---> Delete

If you removed MalwareBytes Anti-Malware and HijackThis properly through the Control Panel then the set up files should be removed. If not you can delete these:

mbam-setup.exe
HJTsetup.exe
HijackThis (short cut)


----------

