[jbolen]

Hello everyone. New to the forum, obviously. I was hoping that someone could help me out with a computer problem. (Bet you haven’t heard that one before). Every time that I try to run my anti virus software it just closes the window. Same thing with IE. If I type the name of any major name virus scanning company it just shuts down the window. I can not even download or search for hi-jack-this (forgive the obvious misspelling just don’t want to take any chances). If I even go to the forum on this board labeled hi-jack-this then the window shuts down.

I know this is not normally the place to post this plea for help however since my window keeps shutting its self down I didn’t know what else to do. Hopefully someone can offer some advice on how I can fix the problem. Thank you all for your understanding and I look forward to your replies.

[Advertisements]

Hello, and welcome to GeeksToGo. You are correct that this normally is not the area to ask for help. However, in this circumstance, you did the right thing.

If I even go to the forum on this board labeled hi-jack-this then the window shuts down.

This is scary, eh? One of our Teachers (and Expert!) here, Rip Chain, is going to help you. We're going to leave your thread here for now, until he can get you clean enough to move you over to the Malware forum. Hopefully, this isn't some nasty new type of Malware.

NOTE TO ALL USERS

This thread is beyond "normal" introduction protocol. All other members... please do NOT respond to this thread with "hello's" and the like. Let's keep this only to the OP and Rip Chain please, so as not to confuse the user.

Jbolen: Please do NOT follow any advice by anyone other than Rip Chain, unless he tells you otherwise.

Good luck, and I'll be keeping an eye out on things.

[Kat]

Hello, and welcome to GeeksToGo. You are correct that this normally is not the area to ask for help. However, in this circumstance, you did the right thing.

If I even go to the forum on this board labeled hi-jack-this then the window shuts down.

This is scary, eh? One of our Teachers (and Expert!) here, Rip Chain, is going to help you. We're going to leave your thread here for now, until he can get you clean enough to move you over to the Malware forum. Hopefully, this isn't some nasty new type of Malware.

NOTE TO ALL USERS

This thread is beyond "normal" introduction protocol. All other members... please do NOT respond to this thread with "hello's" and the like. Let's keep this only to the OP and Rip Chain please, so as not to confuse the user.

Jbolen: Please do NOT follow any advice by anyone other than Rip Chain, unless he tells you otherwise.

Good luck, and I'll be keeping an eye out on things.

[RiP]

Hello jbolen,

Later on I'm going to ask you to boot into Safe Mode for these fixes/scans, and if one of the tools that I asked you to run does not work, please move on to the next one in the order that I asked you to run them.
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2

Boot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Select your normal user account.

----------------------------------------------- Step 1

• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
• Now click the Run Scan button on the toolbar.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

----------------------------------------------- Step 2

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

----------------------------------------------- Step 3

• Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
• When you have done this, disconnect from the Internet and close all running programs.
  There is a small chance this application may crash your computer so save any work you have open.
• Double-click on Gmer.exe to start the program.
• Allow the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
• Click on "Settings", then check the first five settings:
  *System Protection and Tracing
  *Processes
  *Save created processes to the log
  *Drivers
  *Save loaded drivers to the log
• You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.

• Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
• Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
• Click on the "Scan" and wait for the scan to finish.
  Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
• When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
• Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

----------------------------------------------- Step 4

Reboot your computer like you normally would into Windows, and paste the following reports: (Probably one report per reply.)

• The gmer.txt log.
• The Deckards System Scanner logs.
• the WinPFind3u log.

[jbolen]

Here is the step 1 log.

WinPFind3 logfile created on: 2/11/2008 8:57:57 AM
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Owner\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.13)

1013.86 Mb Total Physical Memory | 825.26 Mb Available Physical Memory | 81.40% Memory free
2.38 Gb Paging File | 2.33 Gb Available in Paging File | 97.69% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.28 Gb Total Space | 212.49 Gb Free Space | 93.08% Space Free
Drive D: | 4.59 Gb Total Space | 2.71 Gb Free Space | 58.97% Space Free
Drive E: | 71.72 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
Drive F: | 25.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free

Computer Name: HAL
Current User Name: Owner
Logged in as Administrator.
Cannot determine boot mode.


[Processes - Non-Microsoft Only]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Asset Management Daemon) Asset Management Daemon [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Gateway\EzTune\dtsslsrv.exe -> [Ver = | Size = 114688 bytes | Modified Date = 8/18/2005 3:56:26 PM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
(DTSRVC) Portrait Displays Display Tune Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Gateway\EzTune\DTSRVC.exe -> [Ver = | Size = 61440 bytes | Modified Date = 8/18/2005 3:54:04 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/6/2007 7:25:58 PM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Stopped] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 9.41 | Size = 311296 bytes | Modified Date = 1/13/2004 5:00:02 PM | Attr = ]
(McAfee AntiSpyware Service) McAfee AntiSpyware Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\McAfee\mcafee antispyware\MASSrv.exe -> McAfee, Inc. [Ver = 1.5.0.110 | Size = 876544 bytes | Modified Date = 1/6/2006 5:13:32 PM | Attr = ]
(McDetect.exe) McAfee WSC Integration [Win32_Own | Auto | Stopped] -> %ProgramFiles%\McAfee.com\Agent\Mcdetect.exe -> McAfee, Inc [Ver = 6, 0, 0, 19 | Size = 126976 bytes | Modified Date = 10/13/2005 9:56:16 PM | Attr = ]
(McShield) McAfee.com McShield [Win32_Own | Auto | Stopped] -> %ProgramFiles%\McAfee.com\VSO\McShield.exe -> McAfee Inc. [Ver = 11.0.0.151 | Size = 221184 bytes | Modified Date = 8/10/2005 12:22:02 PM | Attr = ]
(McTskshd.exe) McAfee Task Scheduler [Win32_Own | Auto | Stopped] -> %ProgramFiles%\McAfee.com\Agent\McTskshd.exe -> McAfee, Inc [Ver = 6, 0, 0, 13 | Size = 122368 bytes | Modified Date = 8/24/2005 6:01:04 PM | Attr = ]
(mcupdmgr.exe) McAfee SecurityCenter Update Manager [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\McAfee.com\Agent\mcupdmgr.exe -> McAfee, Inc [Ver = 6, 0, 0, 4 | Size = 245760 bytes | Modified Date = 7/1/2005 9:22:50 PM | Attr = ]
(PrismXL) PrismXL [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\New Boundary\PrismXL\PRISMXL.SYS -> New Boundary Technologies, Inc. [Ver = 6.0.1.22 | Size = 172032 bytes | Modified Date = 8/18/2005 8:57:22 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
-> -> File not found
_AntiSpyware -> %ProgramFiles%\McAfee\McAfee AntiSpyware\MASAlert.exe -> McAfee, Inc. [Ver = 1.5.0.110 | Size = 327680 bytes | Modified Date = 1/6/2006 5:14:20 PM | Attr = ]
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.2.0.77764 | Size = 63712 bytes | Modified Date = 3/9/2007 10:09:58 AM | Attr = ]
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 10/10/2007 7:51:56 PM | Attr = ]
AlcFDMonitor -> %SystemRoot%\ALCFDRTM.EXE -> Realtek Semiconductor Corp. [Ver = 1, 2, 0, 0 | Size = 73728 bytes | Modified Date = 10/30/2006 11:12:02 AM | Attr = ]
Alcmtr -> %SystemRoot%\ALCMTR.EXE -> Realtek Semiconductor Corp. [Ver = 1.6.0.2 | Size = 69632 bytes | Modified Date = 5/12/2005 3:00:30 PM | Attr = ]
AlcWzrd -> %SystemRoot%\ALCWZRD.EXE -> RealTek Semicoductor Corp. [Ver = 1.1.0.20 | Size = 2805248 bytes | Modified Date = 5/12/2005 3:00:34 PM | Attr = ]
CHotkey -> %SystemRoot%\zHotkey.exe -> [Ver = 3, 0, 0, 7 | Size = 543232 bytes | Modified Date = 5/3/2005 3:02:00 PM | Attr = ]
FaxCenterServer4_in_1 -> %ProgramFiles%\Lexmark 4200 Series\Fax\fm3032.exe -> [Ver = | Size = 151552 bytes | Modified Date = 1/22/2004 10:59:10 AM | Attr = ]
High Definition Audio Property Page Shortcut -> %System32%\HdAShCut.exe -> Windows ® Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 61952 bytes | Modified Date = 1/7/2005 6:07:16 PM | Attr = ]
HotKeysCmds -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 118784 bytes | Modified Date = 8/20/2004 4:51:14 PM | Attr = ]
IgfxTray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.3889 | Size = 155648 bytes | Modified Date = 8/20/2004 4:55:14 PM | Attr = ]
Lexmark 4200 Series -> %ProgramFiles%\Lexmark 4200 Series\lxbmbmgr.exe -> Lexmark International, Inc. [Ver = 0.1.25.0 | Size = 57344 bytes | Modified Date = 1/16/2004 4:04:08 AM | Attr = ]
MCAgentExe -> %ProgramFiles%\McAfee.com\Agent\mcagent.exe -> McAfee, Inc [Ver = 6, 0, 0, 16 | Size = 303104 bytes | Modified Date = 9/22/2005 8:29:08 PM | Attr = ]
MCUpdateExe -> %ProgramFiles%\McAfee.com\Agent\mcupdate.exe -> McAfee, Inc [Ver = 6, 0, 0, 21 | Size = 212992 bytes | Modified Date = 1/11/2006 2:05:42 PM | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 7/9/2001 12:50:42 PM | Attr = ]
OASClnt -> %ProgramFiles%\McAfee.com\VSO\oasclnt.exe -> McAfee, Inc. [Ver = 10, 0, 0, 24 | Size = 53248 bytes | Modified Date = 8/11/2005 11:02:44 PM | Attr = ]
PivotSoftware -> %ProgramFiles%\WinPortrait\wpctrl.exe -> [Ver = | Size = 698104 bytes | Modified Date = 1/26/2005 2:57:16 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 8/18/2005 9:00:20 PM | Attr = ]
Recguard -> %SystemRoot%\SMINST\Recguard.exe -> [Ver = 1, 0, 0, 1 | Size = 212992 bytes | Modified Date = 9/14/2002 12:42:26 AM | Attr = ]
RemoteControl -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 11/2/2004 9:24:46 PM | Attr = ]
SoundMan -> %SystemRoot%\SoundMan.exe -> Realtek Semiconductor Corp. [Ver = 1, 0, 0, 17 | Size = 90112 bytes | Modified Date = 5/12/2005 3:00:54 PM | Attr = ]
SunKistEM -> %ProgramFiles%\Digital Media Reader\shwiconem.exe -> Alcor Micro, Corp. [Ver = 1, 4, 0, 8 | Size = 135168 bytes | Modified Date = 11/15/2004 4:04:32 PM | Attr = ]
VirusScan Online -> %ProgramFiles%\McAfee.com\VSO\mcvsshld.exe -> McAfee, Inc. [Ver = 10, 0, 0, 22 | Size = 163840 bytes | Modified Date = 8/10/2005 1:49:20 PM | Attr = ]
VSOCheckTask -> %ProgramFiles%\McAfee.com\VSO\mcmnhdlr.exe -> McAfee, Inc. [Ver = 10, 0, 0, 20 | Size = 151552 bytes | Modified Date = 7/8/2005 7:18:22 PM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/1/2007 5:50:02 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\BigFix.lnk -> %ProgramFiles%\BigFix\BigFix.exe -> BigFix Inc. [Ver = 1, 7, 6, 0 | Size = 1742384 bytes | Modified Date = 7/31/2002 11:22:26 AM | Attr = ]
%AllUsersStartup%\EzTune.lnk -> %ProgramFiles%\Gateway\EzTune\dthtml.exe -> Portrait Displays, Inc [Ver = 1.0.0.1 | Size = 260608 bytes | Modified Date = 8/18/2005 3:55:12 PM | Attr = ]
%AllUsersStartup%\Install Pending Files.LNK -> %ProgramFiles%\SIFXINST\SIFXINST.EXE -> New Boundary Technologies, Inc. [Ver = 5.0 | Size = 729088 bytes | Modified Date = 8/18/2005 8:58:28 PM | Attr = ]
%AllUsersStartup%\NETGEAR WPN111 Smart Wizard.lnk -> %ProgramFiles%\NETGEAR\WPN111\WPN111.exe -> NETGEAR [Ver = 1, 1, 0, 8 | Size = 884838 bytes | Modified Date = 1/26/2005 2:15:16 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
bfaeafefb -> %System32%\bfaeafefb.dll -> [Ver = | Size = 122385 bytes | Modified Date = 2/8/2008 9:14:26 AM | Attr = ]
igfxcui -> %System32%\igfxsrvc.dll -> Intel Corporation [Ver = 3.0.0.3889 | Size = 344064 bytes | Modified Date = 8/20/2004 4:50:54 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft....k/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft....k/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft....k/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft....k/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
turbotax.com [https] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 10:08:42 PM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 1121, 2472 | Size = 323568 bytes | Modified Date = 2/1/2008 6:06:02 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{BA52B914-B692-46c4-B683-905236F6F655} [HKLM] -> %ProgramFiles%\McAfee.com\VSO\mcvsshl.dll [McAfee VirusScan] -> McAfee, Inc. [Ver = 10, 0, 0, 19 | Size = 114688 bytes | Modified Date = 7/1/2005 9:44:30 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} -> %ProgramFiles%\ieSpell\iespell.dll\SPELLCHECK.HTM [ButtonText: ieSpell] -> File not found
{1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} [HKLM] -> Reg Data - Key not found [MenuText: ieSpell Options] -> File not found
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
CmdMapping [HKLM] -> Reg Data - Key not found [MenuText: Reg Data - Value does not exist] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&AOL Toolbar search -> Reg Data - Value does not exist -> File not found
&ieSpell Options -> %ProgramFiles%\ieSpell\iespell.dll\SPELLOPTION.HTM -> File not found
Check &Spelling -> %ProgramFiles%\ieSpell\iespell.dll\SPELLCHECK.HTM -> File not found
E&xport to Microsoft Excel -> -> File not found
Lookup on Merriam Webster -> %ProgramFiles%\ieSpell\Merriam Webster.HTM -> [Ver = | Size = 912 bytes | Modified Date = 10/31/2006 7:51:36 AM | Attr = ]
Lookup on Wikipedia -> %ProgramFiles%\ieSpell\wikipedia.HTM -> [Ver = | Size = 912 bytes | Modified Date = 10/30/2006 8:31:14 AM | Attr = ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{A7F003C7-E761-4BEF-A328-E13F53F0DE9D} -> (Marvell Yukon 88E8050 PCI-E ASF Gigabit Ethernet Controller) ->
{CC3746E6-4D79-4417-B581-58C77403E3B2} -> (1394 Net Adapter) ->
{D5F4B571-FDDD-4A9A-AC5E-457FC171A4A4} -> (NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0E8D0700-75DF-11D3-8B4A-0008C7450C4A} -> DjVuCtl Class - CodeBase = http://downloadcente...trolLite_EN.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macr...director/sw.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitd...can8/oscan8.cab ->
{5ED80217-570B-4DA9-BF44-BE107C0EC166} -> Windows Live Safety Center Base Module - CodeBase = http://cdn.scan.onec...lscbase8300.cab ->
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} -> DivXBrowserPlugin Object - CodeBase = http://download.divx...erInstaller.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.micros...b?1172599282817 ->
{77E32299-629F-43C6-AB77-6A1E6D7663F6} -> Groove Control - CodeBase = http://atv.disney.go...y/OTOYAX29b.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macr...ash/swflash.cab ->
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -> PopCapLoader Object - CodeBase = http://www.popcap.co...aploader_v6.cab ->


[Files/Folders - Created Within 30 days]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [Folder | Created Date = 1/16/2008 8:18:13 PM | Attr = H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [Folder | Created Date = 1/16/2008 8:17:49 PM | Attr = H ]
$NtUninstallKB904942$ -> %SystemRoot%\$NtUninstallKB904942$ -> [Folder | Created Date = 1/16/2008 8:15:46 PM | Attr = H ]
$NtUninstallKB914440$ -> %SystemRoot%\$NtUninstallKB914440$ -> [Folder | Created Date = 1/16/2008 8:15:59 PM | Attr = H ]
$NtUninstallKB915865$ -> %SystemRoot%\$NtUninstallKB915865$ -> [Folder | Created Date = 1/16/2008 8:17:10 PM | Attr = H ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Created Date = 2/3/2008 11:29:32 AM | Attr = ]
ftpcache -> %SystemRoot%\ftpcache -> [Folder | Created Date = 1/22/2008 4:01:04 PM | Attr = HS]
ie7 -> %SystemRoot%\ie7 -> [Folder | Created Date = 1/16/2008 8:18:26 PM | Attr = H ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Created Date = 1/16/2008 8:20:35 PM | Attr = ]
network diagnostic -> %SystemRoot%\network diagnostic -> [Folder | Created Date = 1/16/2008 8:16:00 PM | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Created Date = 1/16/2008 8:19:30 PM | Attr = ]
11aa744e9177e4b875fdd4b614d32aac.TMP -> %System32%\11aa744e9177e4b875fdd4b614d32aac.TMP -> Analog Devices [Ver = 1, 5, 4, 1 | Size = 122385 bytes | Created Date = 2/3/2008 6:25:45 PM | Attr = ]
bfaeafefb.dll -> %System32%\bfaeafefb.dll -> [Ver = | Size = 122385 bytes | Created Date = 2/2/2008 3:34:23 PM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Created Date = 1/16/2008 8:19:28 PM | Attr = ]
mcs.rma -> %System32%\mcs.rma -> [Ver = | Size = 870128 bytes | Created Date = 2/2/2008 10:21:01 AM | Attr = ]
mcstrm.sys -> %System32%\drivers\mcstrm.sys -> RealNetworks, Inc. [Ver = 5.0.2195.8 | Size = 8413 bytes | Created Date = 2/2/2008 10:13:31 AM | Attr = ]
Msft_User_WpdMtpDr_01_00_00.Wdf -> %System32%\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf -> [Ver = | Size = 0 bytes | Created Date = 2/1/2008 7:45:01 PM | Attr = H ]

[Files/Folders - Modified Within 30 days]
Documents and Settings -> %SystemDrive%\Documents and Settings -> [Folder | Modified Date = 2/10/2008 9:03:06 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2/3/2008 11:12:58 AM | Attr = R ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2/10/2008 9:00:52 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 1/17/2008 7:18:38 AM | Attr = H ]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [Folder | Modified Date = 1/16/2008 8:18:14 PM | Attr = H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [Folder | Modified Date = 1/16/2008 8:17:50 PM | Attr = H ]
$NtUninstallKB904942$ -> %SystemRoot%\$NtUninstallKB904942$ -> [Folder | Modified Date = 1/16/2008 8:15:48 PM | Attr = H ]
$NtUninstallKB914440$ -> %SystemRoot%\$NtUninstallKB914440$ -> [Folder | Modified Date = 1/16/2008 8:16:02 PM | Attr = H ]
$NtUninstallKB915865$ -> %SystemRoot%\$NtUninstallKB915865$ -> [Folder | Modified Date = 1/16/2008 8:17:12 PM | Attr = H ]
ALCFDRTM.VER -> %SystemRoot%\ALCFDRTM.VER -> Realtek Semiconductor Corp. [Ver = 1, 2, 0, 0 | Size = 73728 bytes | Modified Date = 1/16/2008 10:42:44 PM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 1/23/2008 11:54:14 AM | Attr = R S]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 -> [Folder | Modified Date = 2/3/2008 12:28:22 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2/11/2008 8:53:56 AM | Attr = S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2/3/2008 11:29:36 AM | Attr = S]
ftpcache -> %SystemRoot%\ftpcache -> [Folder | Modified Date = 1/22/2008 4:01:06 PM | Attr = HS]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 1/16/2008 10:29:32 PM | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Modified Date = 1/16/2008 8:19:14 PM | Attr = H ]
ie7updates -> %SystemRoot%\ie7updates -> [Folder | Modified Date = 1/16/2008 8:20:36 PM | Attr = ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1374 bytes | Modified Date = 1/16/2008 8:20:54 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 2/3/2008 11:29:34 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 2/2/2008 10:26:38 AM | Attr = HS]
lexstat.ini -> %SystemRoot%\lexstat.ini -> [Ver = | Size = 600 bytes | Modified Date = 2/11/2008 7:55:54 AM | Attr = ]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 1/16/2008 8:19:24 PM | Attr = ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET -> [Folder | Modified Date = 1/23/2008 11:53:22 AM | Attr = ]
network diagnostic -> %SystemRoot%\network diagnostic -> [Folder | Modified Date = 1/16/2008 8:16:02 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2/11/2008 7:58:26 AM | Attr = ]
setupapi.log.1.old -> %SystemRoot%\setupapi.log.1.old -> [Ver = | Size = 1032037 bytes | Modified Date = 1/16/2008 8:18:18 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 2/8/2008 9:15:16 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 2/10/2008 8:38:02 PM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 2/11/2008 8:51:46 AM | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Modified Date = 1/16/2008 8:19:32 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 649 bytes | Modified Date = 2/11/2008 8:51:58 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 1/23/2008 11:21:10 AM | Attr = ]
mcafee antispyware.job -> %SystemRoot%\tasks\mcafee antispyware.job -> [Ver = | Size = 362 bytes | Modified Date = 2/8/2008 9:00:02 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2/11/2008 8:52:22 AM | Attr = H ]
11aa744e9177e4b875fdd4b614d32aac.TMP -> %System32%\11aa744e9177e4b875fdd4b614d32aac.TMP -> Analog Devices [Ver = 1, 5, 4, 1 | Size = 122385 bytes | Modified Date = 2/3/2008 6:25:46 PM | Attr = ]
bfaeafefb.dll -> %System32%\bfaeafefb.dll -> [Ver = | Size = 122385 bytes | Modified Date = 2/8/2008 9:14:26 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 2/9/2008 7:27:48 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 1/16/2008 8:19:38 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 2/9/2008 7:28:12 AM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 2/2/2008 10:13:32 AM | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 1/16/2008 8:20:46 PM | Attr = ]
mcs.rma -> %System32%\mcs.rma -> [Ver = | Size = 870128 bytes | Modified Date = 2/5/2008 5:22:18 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 62344 bytes | Modified Date = 1/23/2008 11:23:02 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 401064 bytes | Modified Date = 1/23/2008 11:23:02 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 468826 bytes | Modified Date = 1/23/2008 11:23:02 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 1170 bytes | Modified Date = 2/11/2008 8:51:42 AM | Attr = ]
mcstrm.sys -> %System32%\drivers\mcstrm.sys -> RealNetworks, Inc. [Ver = 5.0.2195.8 | Size = 8413 bytes | Modified Date = 2/2/2008 10:13:32 AM | Attr = ]
UMDF -> %System32%\drivers\UMDF -> [Folder | Modified Date = 2/1/2008 7:45:02 PM | Attr = ]
Msft_User_WpdMtpDr_01_00_00.Wdf -> %System32%\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf -> [Ver = | Size = 0 bytes | Modified Date = 2/1/2008 7:45:02 PM | Attr = H ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.6.1.1 | Size = 740442 bytes | Modified Date = 5/10/2007 10:37:16 PM | Attr = ]
PEC2 , -> %System32%\Dwapilib.tlb -> [Ver = | Size = 197171 bytes | Modified Date = 2/14/1997 11:24:14 PM | Attr = ]
PTech , -> %System32%\igfxhcsy.lhp -> [Ver = | Size = 59914 bytes | Modified Date = 8/20/2004 4:56:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 1:00:00 PM | Attr = ]

< End of report >

[jbolen]

here is step 2 main log.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-11 09:06:41
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
89: 2008-02-11 02:33:50 UTC - RP534 - System Checkpoint
88: 2008-02-10 01:56:49 UTC - RP533 - System Checkpoint
87: 2008-02-09 01:14:12 UTC - RP532 - System Checkpoint
86: 2008-02-08 00:21:07 UTC - RP531 - System Checkpoint
85: 2008-02-06 14:42:21 UTC - RP530 - System Checkpoint


-- First Restore Point --
1: 2007-11-13 17:03:25 UTC - RP446 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-11 09:09:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EzTune.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN111\wpn111.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erInstaller.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172599282817
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: bfaeafefb - C:\WINDOWS\system32\bfaeafefb.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\MASSrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


--
End of file - 9984 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>

S1 pivot - c:\windows\system32\drivers\pivot.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
S2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 DNINDIS5 (DNINDIS5 NDIS Protocol Driver) - c:\windows\system32\dnindis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 pdiddcci (DDC/CI monitor) - c:\windows\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>
S3 PdiPorts (Portrait Displays low level device driver) - c:\windows\system32\drivers\pdiports.sys <Not Verified; Portrait Displays, Inc.; PDI Kernel Ports Driver>
S3 pivotmou (Pivot Mouse/Pointers Filter Driver) - c:\windows\system32\drivers\pivotmou.sys <Not Verified; Windows ® 2000 DDK provider; Pivot ® Software ®>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Asset Management Daemon - c:\program files\gateway\eztune\dtsslsrv.exe
S2 DTSRVC (Portrait Displays Display Tune Service) - c:\program files\gateway\eztune\dtsrvc.exe
S2 McAfee AntiSpyware Service - "c:\progra~1\mcafee\mcafee antispyware\massrv.exe" <Not Verified; McAfee, Inc.; McAfee AntiSpyware>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-08 21:00:00 362 --a------ C:\WINDOWS\Tasks\mcafee antispyware.job
2005-11-27 19:51:08 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job
2005-11-27 19:51:07 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job
2005-11-27 19:51:07 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2008-01-11 and 2008-02-11 -----------------------------

2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\WINDOWS
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\Templates
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\Start Menu
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\SendTo
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\Recent
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\PrintHood
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\NetHood
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\My Documents
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\Local Settings
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\Favorites
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Desktop
2008-02-10 21:03:05 0 d--hs---- C:\Documents and Settings\Administrator.HAL\Cookies
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\Application Data
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\You've Got Pictures Screensaver
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\SampleView
2008-02-10 21:03:05 0 d---s---- C:\Documents and Settings\Administrator.HAL\Application Data\Microsoft
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\Identities
2008-02-10 21:03:04 786432 --ah----- C:\Documents and Settings\Administrator.HAL\NTUSER.DAT
2008-02-03 11:29:32 0 d-------- C:\WINDOWS\BDOSCAN8
2008-02-03 10:41:45 0 d-------- C:\Program Files\PCPitstop
2008-02-03 10:41:45 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-02 15:34:23 122385 --a------ C:\WINDOWS\system32\bfaeafefb.dll
2008-02-02 10:21:02 4 --a------ C:\WINDOWS\system32\9E7619
2008-02-02 10:13:31 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2008-02-02 10:11:34 0 d-------- C:\Program Files\Best Buy Rhapsody
2008-02-02 10:10:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-01-22 16:01:04 0 d--hs---- C:\WINDOWS\ftpcache
2008-01-16 20:16:00 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-02-03 10:41:45 0 d-------- C:\Program Files\Common Files
2008-02-02 10:12:14 0 d-------- C:\Program Files\Real
2008-02-01 10:19:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-01-23 11:29:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Intuit
2008-01-23 11:25:38 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-23 11:25:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-23 11:13:39 0 d-------- C:\Program Files\TurboTax
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-05 02:52:04 0 d-------- C:\Documents and Settings\Owner\Application Data\ieSpell
2008-01-05 02:51:54 0 d-------- C:\Program Files\ieSpell
2007-12-17 20:24:16 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 04:04 PM]
"@"="" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 04:55 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 04:51 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]
"CHotkey"="zHotkey.exe" [05/03/2005 03:02 PM C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 06:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 07:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 01:49 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 08:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 02:05 PM]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [01/06/2006 05:14 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/18/2005 09:00 PM]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [01/26/2005 02:57 PM]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [10/30/2006 11:12 AM]
"SoundMan"="SOUNDMAN.EXE" [05/12/2005 03:00 PM C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [05/12/2005 03:00 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [05/12/2005 03:00 PM C:\WINDOWS\ALCMTR.EXE]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 11:02 PM]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 04:04 AM]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [01/22/2004 10:59 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 10:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/01/2007 05:50 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [8/18/2005 8:55:20 PM]
EzTune.lnk - C:\Program Files\Gateway\EzTune\dthtml.exe [1/28/2006 4:06:06 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [8/18/2005 8:58:27 PM]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [9/13/2007 11:04:51 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bfaeafefb]
C:\WINDOWS\system32\bfaeafefb.dll 02/08/2008 09:14 AM 122385 C:\WINDOWS\system32\bfaeafefb.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e197751-197b-11da-9f5a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-02-11 09:10:50 ------------

[jbolen]

here is step 2 extra log.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 1013.86 MiB / 776.88 MiB
Pagefile Memory (total/avail): 2441.02 MiB / 2349.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1933.48 MiB

C: is Fixed (NTFS) - 228.28 GiB total, 212.46 GiB free.
D: is Fixed (FAT32) - 4.59 GiB total, 2.71 GiB free.
E: is CDROM (CDFS)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-22MHB0 - 232.88 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 228.28 GiB - C:
\PARTITION1 - Unknown - 4.6 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1124420374\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1124420374\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe Deduction Maximizer 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HAL
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\HAL
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=HAL
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator.HAL (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Coach Version 2.0(Build:20041026.5 en) --> C:\Program Files\Common Files\AolCoach\en_en\AolCInUn.exe -lang=en_en -ext=UDP
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
Best Buy Digital Music Store --> C:\PROGRA~1\BESTBU~1\Unwise32.exe /A C:\PROGRA~1\BESTBU~1\install.log
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
Citrix Web Client --> C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
Digital Media Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EzTune --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{84288B51-B162-47FB-A74E-25C6D67E44BB}\setup.exe" -l0x9 -removeonly
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
ieSpell --> "C:\Program Files\ieSpell\uninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Lexmark 4200 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBMUN5C.EXE -dLexmark 4200 Series
Lexmark 4200 Series Fax Solutions --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{C439D065-5B64-4563-A6B9-1AA202633E13} /l1033 /z/U
McAfee AntiSpyware --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=mas /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\masrem.ui::uninstall.htm
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Digital Image Starter Edition 2006 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=TRIAL VERSION=11
Microsoft Money 2005 --> C:\Program Files\Microsoft Money 2005\MNYCoreFiles\Setup\uninst.exe /s:120
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91E30409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\Uninst.exe
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9
Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
Nero BurnRights --> C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{582E9125-32B6-4CBA-AB48-3E33CE3DB389}\Setup.exe"
OTOY --> RunDll32 C:\WINDOWS\DOWNLO~1\OTOYAX.dll,_RemoveGroove@16
PC Pitstop Exterminate 1.0 --> "C:\Program Files\PCPitstop\Exterminate\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Security Update for Step By Step Interactive Training (KB898458) -->
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> C:\Program Files\TurboTax\Deluxe Deduction Maximizer 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe Deduction Maximizer 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1600 / Error
Event Submitted/Written: 02/10/2008 09:51:22 PM
Event ID/Source: 8193 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Event Record #/Type1599 / Error
Event Submitted/Written: 02/10/2008 09:51:22 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type1573 / Error
Event Submitted/Written: 02/08/2008 09:24:56 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x100042d0.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type1571 / Error
Event Submitted/Written: 02/08/2008 09:20:26 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x030827c1.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type1540 / Error
Event Submitted/Written: 02/03/2008 06:22:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x015f42d0.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27768 / Error
Event Submitted/Written: 02/11/2008 09:04:24 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27767 / Error
Event Submitted/Written: 02/11/2008 08:56:52 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27766 / Error
Event Submitted/Written: 02/11/2008 08:56:37 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27765 / Error
Event Submitted/Written: 02/11/2008 08:56:06 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type27764 / Error
Event Submitted/Written: 02/11/2008 08:55:39 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2008-02-11 09:10:50 ------------

[jbolen]

here is step 3 log.

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-11 10:00:40
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.14 ----

.text c:\progra~1\mcafee.com\vso\mcvsftsn.exe[260] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01193E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\Explorer.EXE[472] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\Digital Media Reader\shwiconem.exe[2088] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\system32\igfxtray.exe[2108] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BF3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\system32\hkcmd.exe[2152] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00BD3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2172] WS2_32.dll!connect 71AB406A 5 Bytes JMP 008F3E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text C:\WINDOWS\zHotkey.exe[2296] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10003E00 c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/McAfee, Inc.)
.text ...

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)
AttachedDevice \FileSystem\Fastfat \Fat naiavf5x.sys (Anti-Virus File System Filter Driver/McAfee Inc.)

---- EOF - GMER 1.0.14 ----

[jbolen]

I just wanted to say thank you rip_chain for your help, and thank you to you too Kat.

RIP - There was a move log that was created with step 2. I did not post it since you did not ask for it. if you want it please let me know. Also when I ran step 3 I was still in safe mode and it said that nothing was found. Then I rebooted in normal mode and ran gmer.exe again and this time it found stuff. I just wanted you to know all the steps and any little problems I found along the way. Thanks again for the help.

Jbolen

[RiP]

Hello jbolen

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

I'm glad to see those scans were able to run without error, I see a couple of suspicous items in your log that I want to take a closer look at.

Please Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "New Malware File for RiP"
• Put a link to this Geeks to Go topic in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
• C:\WINDOWS\system32\bfaeafefb.dll
  
• Click Open.
• Then click the browse button again, and navigate to this file:
  
• C:\WINDOWS\system32\9E7619
• Click Open.
• Click Post.

[jbolen]

RiP, quick question. When I looked at the post a while ago, and printed it out, there was a step about puting some code in note pad. when I last looked at the post, when I could actualy get some stuff done, that step was not there. I have not done that part because that was removed. I have posted that part on the spy killer site but just let me know what to do next. Thanks.

[RiP]

Hello jbolen

I did change my post around a little bit, but it looks like you were too fast for me. I've written up some new instructions for you

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please upload another file to SpyKiller, as well.

Please go here:
The Spy Killer Forum

• Click on "New Topic"
• Put your name, e-mail address, and this as the title: "Another file for RiP"
• Put a link to this Geeks to Go topic in the description box.
• Then next to the file box, at the bottom, click the browse button, then navigate to this file:
  
• C:\WINDOWS\system32\9E7619
  
• Click Open.
• Then click the browse button again, and navigate to this file:
• Click Post.

----------------------------------------------- Step 2

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  C:\WINDOWS\system32\bfaeafefb.dll
  C:\WINDOWS\system32\9E7619
  
  
• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------- Step 3

• Please close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will create main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.

In your next reply please include the following:

• A new Deckards System Scanner log.
• The OTMoveIt log.

[jbolen]

Here is the DSS.exe log.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-02-11 20:36:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-11 20:37:00
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gateway\EzTune\dtsslsrv.exe
C:\Program Files\Gateway\EzTune\DTSRVC.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MASSrv.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\Program Files\McAfee.com\VSO\McShield.exe
C:\Program Files\McAfee.com\Agent\McTskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\McVSEscn.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MASAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\SoundMan.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Gateway\EzTune\dthtml.exe
C:\Program Files\McAfee.com\VSO\mcvsftsn.exe
C:\Program Files\NETGEAR\WPN111\WPN111.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\Program Files\McAfee.com\VSO\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EzTune.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN111\wpn111.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erInstaller.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172599282817
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go...y/OTOYAX29b.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: bfaeafefb - C:\WINDOWS\system32\bfaeafefb.dll
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\MASSrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\Mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - C:\Program Files\McAfee.com\VSO\McShield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\McTskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\Program Files\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


--
End of file - 11717 bytes

-- Files created between 2008-01-11 and 2008-02-11 -----------------------------

2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\WINDOWS
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\Templates
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\Start Menu
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\SendTo
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\Recent
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\PrintHood
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\NetHood
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\My Documents
2008-02-10 21:03:05 0 d--h----- C:\Documents and Settings\Administrator.HAL\Local Settings
2008-02-10 21:03:05 0 dr------- C:\Documents and Settings\Administrator.HAL\Favorites
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Desktop
2008-02-10 21:03:05 0 d--hs---- C:\Documents and Settings\Administrator.HAL\Cookies
2008-02-10 21:03:05 0 dr-h----- C:\Documents and Settings\Administrator.HAL\Application Data
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\You've Got Pictures Screensaver
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\SampleView
2008-02-10 21:03:05 0 d---s---- C:\Documents and Settings\Administrator.HAL\Application Data\Microsoft
2008-02-10 21:03:05 0 d-------- C:\Documents and Settings\Administrator.HAL\Application Data\Identities
2008-02-10 21:03:04 786432 --ah----- C:\Documents and Settings\Administrator.HAL\NTUSER.DAT
2008-02-03 11:29:32 0 d-------- C:\WINDOWS\BDOSCAN8
2008-02-03 10:41:45 0 d-------- C:\Program Files\PCPitstop
2008-02-03 10:41:45 0 d-------- C:\Program Files\Common Files\Scanner
2008-02-02 15:34:23 122385 --a------ C:\WINDOWS\system32\bfaeafefb.dll
2008-02-02 10:13:31 8413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2008-02-02 10:11:34 0 d-------- C:\Program Files\Best Buy Rhapsody
2008-02-02 10:10:48 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-01-22 16:01:04 0 d--hs---- C:\WINDOWS\ftpcache
2008-01-16 20:16:00 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-02-03 10:41:45 0 d-------- C:\Program Files\Common Files
2008-02-02 10:12:14 0 d-------- C:\Program Files\Real
2008-02-01 10:19:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-01-23 11:29:26 0 d-------- C:\Documents and Settings\Owner\Application Data\Intuit
2008-01-23 11:25:38 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-01-23 11:25:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-23 11:13:39 0 d-------- C:\Program Files\TurboTax
2008-01-09 15:01:48 53248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-05 02:52:04 0 d-------- C:\Documents and Settings\Owner\Application Data\ieSpell
2008-01-05 02:51:54 0 d-------- C:\Program Files\ieSpell
2007-12-17 20:24:16 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [11/15/2004 04:04 PM]
"@"="" []
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 04:55 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 04:51 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [11/02/2004 09:24 PM]
"CHotkey"="zHotkey.exe" [05/03/2005 03:02 PM C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 06:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 07:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 01:49 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 08:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 02:05 PM]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\masalert.exe" [01/06/2006 05:14 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08/18/2005 09:00 PM]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [01/26/2005 02:57 PM]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [10/30/2006 11:12 AM]
"SoundMan"="SOUNDMAN.EXE" [05/12/2005 03:00 PM C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [05/12/2005 03:00 PM C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [05/12/2005 03:00 PM C:\WINDOWS\ALCMTR.EXE]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 11:02 PM]
"Lexmark 4200 Series"="C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe" [01/16/2004 04:04 AM]
"FaxCenterServer4_in_1"="C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" [01/22/2004 10:59 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 10:09 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 10:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/01/2007 05:50 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [8/18/2005 8:55:20 PM]
EzTune.lnk - C:\Program Files\Gateway\EzTune\dthtml.exe [1/28/2006 4:06:06 PM]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [8/18/2005 8:58:27 PM]
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [9/13/2007 11:04:51 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bfaeafefb]
C:\WINDOWS\system32\bfaeafefb.dll 02/08/2008 09:14 AM 122385 C:\WINDOWS\system32\bfaeafefb.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2749d343-2028-11da-b0a9-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2749d344-2028-11da-b0a9-806d6172696f}]
AutoRun\command- E:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2749d345-2028-11da-b0a9-806d6172696f}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e197751-197b-11da-9f5a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480




-- End of Deckard's System Scanner: finished at 2008-02-11 20:37:27 ------------

[jbolen]

here is the moveit log.

LoadLibrary failed for C:\WINDOWS\system32\bfaeafefb.dll
C:\WINDOWS\system32\bfaeafefb.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\bfaeafefb.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\9E7619 moved successfully.

OTMoveIt2 v1.0.19 log created on 02112008_203138

[jbolen]

I just got word, and I can hear, we just got a severe thunderstorm warning. If it comes closer then I have to shut down the computer tonight. If not then I will keep checking. Once again thank you for your help.

Jbolen

[RiP]

Hello jbolen,

A real quick question for you, did you create a new Administrator account named "HAL" recently?