1. I will post the log below, including the startup list, if that will be helpful.
2. The screen shows a warning that replaced the background picture. I think this might be related to Spy Sheriff because I read others had this problem as well.
Logfile of HijackThis v1.99.1
Scan saved at 2:50:21 PM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://portal.fitsvc...sp?UserID=18494
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.41.123.38:80
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://webmail4.fitsvcs.com/iNotes.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BDCFF75-074F-11D6-92EE-00A0C9119E92} (Project1.AxleLoadCtl) - http://tis.toyota.co...AxleLoadCtl.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} (Lernout & Hauspie TruVoice American English TTS Engine) - http://tis.toyota.co...ads/tv_enua.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
StartupList report, 6/27/2005, 11:08:09 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
MicrosoftAntiSpywareCleaner = C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows installer = C:\winstall.exe
DNS = C:\Program Files\Common Files\mc-58-12-0000093.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~2\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab
[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = http://webmail4.fitsvcs.com/iNotes.cab
[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab
[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab
[Project1.AxleLoadCtl]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxleLoadCtl.ocx
CODEBASE = http://tis.toyota.co...AxleLoadCtl.cab
[Lernout & Hauspie TruVoice American English TTS Engine]
InProcServer32 = C:\WINDOWS\lhsp\tv\tvenuax.dll
CODEBASE = http://tis.toyota.co...ads/tv_enua.exe
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\isrvs\desktop.exe||c:\windows\isrvs\ffisearch.exe||C:\WINDOWS\isrvs\edmond.exe||c:\windows\isrvs\sysupd.dll||C:\WINDOWS\isrvs\mfiltis.dll||C:\WINDOWS\isrvs\msdbhk.dll||c:\windows\isrvs\desktop.exe||c:\windows\isrvs\ffisearch.exe||c:\windows\isrvs\isearch.xpi||c:\windows\isrvs\sysupd.dll||C:\WINDOWS\SYSTEM32\DRIVERS\delprot.sys||C:\WINDOWS\isrvs\edmond.exe||C:\WINDOWS\isrvs\mfiltis.dll||C:\WINDOWS\isrvs\msdbhk.dll||c:\windows\isrvs\desktop.exe||c:\windows\isrvs\edmond.exe||c:\windows\isrvs\ffisearch.exe||c:\windows\isrvs\isearch.xpi||c:\windows\isrvs\mfiltis.dll||c:\windows\isrvs\msdbhk.dll||c:\windows\isrvs\sysupd.dll
--------------------------------------------------
End of report, 5,599 bytes
Report generated in 0.031 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only