
Serious issues [RESOLVED]



#16
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok Jdpowell,
We are going to get a bit more aggressive with this, give me a bit to write something up for you.
H



#17
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hi Jdpowell,
I would like you to run a different tool; in researching your logs, I think this might give us a better direction to go in.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

There is a possibility that you may not be able to start in safe mode; I am looking through those registry entries you exported for me. Give it a shot and report back please.

Harry

#18
Jdpowell

    Member

  • Topic Starter
  • Member
  • 83 posts
Definitely made some progress today. Excellent!!!!!!!
Was finally able to boot into Safe Mode. Ran your file and downloaded HijackThis again and ran it. It worked this time.

Can I install an AV program now? Should I go ahead and load Norton 2008, or will the old Corporate Edition work? The Corporate Edition does not have a subscription (which I absolutely hate). Norton Internet Security has a firewall program; is it better than Windows Firewall?

I have downloaded and installed a bunch of programs since starting all this; what can I delete and what should I keep?

I really appreciate your help.

Here are the logs.


SDFix: Version 1.138

Run by Jody Powell on Thu 02/07/2008 at 09:08 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: F:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:



Could Not Remove F:\autorun.inf



Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 21:13:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
F:\autorun.inf Found

File Backups: - F:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 3 Oct 2007 0 A.SH. --- "F:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 7 Feb 2008 857 ...HR --- "F:\Documents and Settings\Jody Powell\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:22 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Cyberlink\Shared files\RichVideo.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - F:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - F:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Client Access Service] "c:\program files\client access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "c:\program files\client access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "c:\program files\client access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "c:\program files\client access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW4] "F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191172309058
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191173845356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://mail.wmbird.com/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - F:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 10387 bytes
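A small triage helper for the HijackThis log above, added here as an example (it is not code from this thread or from HijackThis itself): it parses the `Oxx - ... - target` entries and flags the ones a helper checks first, the `(file missing)` service and `(no file)` buttons already visible in the log, plus entries whose target sits on a drive other than the one Windows runs from (assumed to be F: from the running-process list). The sample lines are constructed from entries quoted from that log.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry: a section code (R0, O2, O4, O9, O23, ...) then " - " separated fields.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+)$")
# A target that starts with a drive letter, optionally inside double quotes.
DRIVE_RE = re.compile(r'^"?([A-Za-z]):\\')

# Constructed sample: five entries quoted from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - c:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
"""


@dataclass
class Entry:
    section: str                      # e.g. "O23"
    fields: list                      # the " - " separated fields after the section code
    target: str                       # the file, URL, registry value or "(no file)" the entry points at
    flags: list = field(default_factory=list)


def parse_entry(line, system_drive="F"):
    """Parse one log line; return an Entry (with any triage flags) or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    fields = [f.strip() for f in m.group("rest").split(" - ")]
    target = fields[-1]
    # O4 autoruns look like 'HKLM\..\Run: [name] "path" args'; the path is what follows the name.
    if m.group("section") == "O4" and "] " in target:
        target = target.split("] ", 1)[1].strip()
    entry = Entry(m.group("section"), fields, target)
    if target.endswith("(file missing)"):
        entry.flags.append("file missing")            # service still registered, binary gone
    if target == "(no file)":
        entry.flags.append("no file")                 # IE button/menu item with no backing file
    drive = DRIVE_RE.match(target)
    if drive and drive.group(1).upper() != system_drive.upper():
        # Heuristic, not a verdict: confirm this is a second data disk rather than a stray copy.
        entry.flags.append(f"on drive {drive.group(1).upper()}: rather than {system_drive.upper()}:")
    return entry


def triage(log_text, system_drive="F"):
    """Return (section, first field, flags) for every entry that raised at least one flag."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line, system_drive)
        if entry is not None and entry.flags:
            hits.append((entry.section, entry.fields[0], entry.flags))
    return hits


if __name__ == "__main__":
    for section, name, flags in triage(SAMPLE_LOG):
        print(f"{section:<4} {name}: {', '.join(flags)}")
```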

#19
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey Jdpowell,
Sorry again for the delay in posting, I just walked in the door.
Let me review what we have so far, don't download or purchase anything yet.
I will work up the next step in the plan after I get some sleep (I need about 3 days, but 5 or 6 hours will do it).

You are doing a great job, hang in there, the end is close :)

Harry

#20
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Good morning Jdpowell,
The log from HijackThis looks pretty good, only a couple of things to deal with.
First, run ComboFix again; I need to see a log from that. Next, a different type of scan:

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

This scan might take a bit of time, let it run and post up the results :)

As to some antivirus, let's get this loaded for now:
First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do not automatically generate report"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Harry

Edited by harrythook, 09 February 2008 - 07:16 AM.


#21
Jdpowell

    Member

  • Topic Starter
  • Member
  • 83 posts
Been a busy Saturday, hope you are having a great weekend.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:57 2008-02-09

+ Scan result:



:mozilla.142:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.185:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
F:\Documents and Settings\Jody Powell\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.127:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.128:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.118:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.119:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.120:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.121:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.122:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.123:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.388:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.154:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.159:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.160:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.100:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.102:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.103:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.104:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.97:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.98:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.99:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.750:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.751:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.752:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.39:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.157:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.158:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.300:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.386:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.387:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.237:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.238:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.239:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
F:\Documents and Settings\Jody Powell\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.178:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.179:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.203:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.204:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.205:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.199:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.200:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.201:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.202:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.308:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Safer-networking : Cleaned.
:mozilla.181:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.182:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.183:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.184:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.191:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.208:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.209:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.165:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.166:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.167:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.168:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.169:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.170:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.155:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.156:F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000328.exe -> Trojan.Pakes.bwy : Cleaned.


::Report end

ComboFix 08-02.05.3 - Jody Powell 2008-02-09 16:34:03.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1595 [GMT -5:00]
Running from: F:\Documents and Settings\Jody Powell\Desktop\ComboFix(2).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\drivers\down

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 16:33 . 2008-02-09 16:35 <DIR> d-------- F:\ComboFix(2)
2008-02-09 16:33 . 2004-08-04 02:56 388,608 --a------ F:\WINDOWS\system32\kmd.exe
2008-02-07 21:21 . 2008-02-07 21:21 <DIR> d-------- F:\Program Files\Trend Micro
2008-02-07 21:06 . 2008-02-07 21:07 <DIR> d-------- F:\WINDOWS\ERUNT
2008-02-07 21:00 . 2008-02-07 21:15 <DIR> d-------- F:\SDFix
2008-02-05 18:38 . 2008-02-09 16:34 <DIR> d-------- F:\WINDOWS\TEMP
2008-02-05 18:35 . 2004-08-04 02:56 388,608 --a------ F:\kmd.exe
2008-02-05 18:35 . 2000-08-31 08:00 98,816 --a------ F:\WINDOWS\system32\sed.exe
2008-02-05 18:35 . 2000-08-31 08:00 80,412 --a------ F:\WINDOWS\system32\grep.exe
2008-02-05 18:35 . 2000-08-31 08:00 73,728 --a------ F:\WINDOWS\system32\fdsv.exe
2008-02-05 18:35 . 2000-08-31 08:00 68,096 --a------ F:\WINDOWS\system32\zip.exe
2008-02-04 18:15 . 2004-08-03 23:00 260,272 --a------ F:\cmldr
2008-02-04 18:15 . 2007-09-30 13:18 210 --a------ F:\Boot.bak
2008-02-03 19:27 . 2008-02-03 19:27 <DIR> d-------- F:\Deckard
2008-02-03 12:20 . 2008-02-09 16:35 <DIR> d-------- F:\QooBox
2008-02-03 12:20 . 2000-08-31 08:00 212,480 --a------ F:\WINDOWS\system32\swxcacls.exe
2008-02-03 12:20 . 2000-08-31 08:00 161,792 --a------ F:\WINDOWS\system32\swreg.exe
2008-02-03 12:20 . 2000-08-31 08:00 136,704 --a------ F:\WINDOWS\system32\swsc.exe
2008-02-03 12:20 . 2000-08-31 08:00 51,200 --a------ F:\WINDOWS\Nircmd.exe
2008-02-03 12:20 . 2000-08-31 08:00 49,152 --a------ F:\WINDOWS\system32\VFind.exe
2008-02-02 19:55 . 2008-02-03 02:49 <DIR> d-------- F:\WINDOWS\system32\ActiveScan
2008-02-02 19:55 . 2006-08-02 12:39 73,728 --a------ F:\WINDOWS\system32\asuninst.exe
2008-02-02 19:55 . 2008-02-02 19:55 30,590 --a------ F:\WINDOWS\system32\pavas.ico
2008-02-02 19:55 . 2003-03-25 18:53 11,776 --a------ F:\WINDOWS\system32\ZPORT4AS.dll
2008-02-02 19:55 . 2008-02-02 19:55 2,550 --a------ F:\WINDOWS\system32\Uninstall.ico
2008-02-02 19:55 . 2008-02-02 19:55 1,406 --a------ F:\WINDOWS\system32\Help.ico
2008-02-02 17:14 . 2008-02-03 10:14 <DIR> d-------- F:\Program Files\SUPERAntiSpyware
2008-02-02 17:14 . 2008-02-02 17:14 <DIR> d-------- F:\Documents and Settings\Jody Powell\Application Data\SUPERAntiSpyware.com
2008-02-02 17:14 . 2008-02-02 17:14 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 17:01 . 2008-02-02 17:01 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 17:01 . 2007-05-30 07:10 10,872 --a------ F:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 11:02 . 2008-02-07 23:47 123,952 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-02 11:02 . 2008-02-07 23:47 60,808 --a------ F:\WINDOWS\system32\S32EVNT1.DLL
2008-02-02 11:02 . 2008-02-07 23:47 10,652 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-02 11:02 . 2008-02-07 23:47 806 --a------ F:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-02 10:22 . 2008-02-09 16:09 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Symantec
2008-02-01 18:14 . 2008-02-01 18:14 <DIR> d-------- F:\Program Files\New Folder
2008-01-30 21:08 . 2004-10-15 18:32 83,096 --a------ F:\WINDOWS\system32\SSSensor.dll
2008-01-30 19:12 . 2008-01-30 19:12 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-30 19:11 . 2008-02-02 17:13 <DIR> d-------- F:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 21:45 . 2008-02-09 16:26 <DIR> d-------- F:\Config.Msi
2008-01-28 20:34 . 2004-08-04 02:08 25,600 --a------ F:\WINDOWS\system32\drivers\usbser.sys
2008-01-28 20:34 . 2004-08-04 02:08 25,600 --a--c--- F:\WINDOWS\system32\dllcache\usbser.sys
2008-01-28 20:34 . 2001-08-17 13:57 16,128 --a------ F:\WINDOWS\system32\drivers\MODEMCSA.sys
2008-01-28 20:34 . 2001-08-17 13:57 16,128 --a--c--- F:\WINDOWS\system32\dllcache\modemcsa.sys
2008-01-28 20:27 . 2008-01-28 20:27 26,768 --a------ F:\WINDOWS\CTL3D.DLL
2008-01-28 20:27 . 2008-01-28 20:27 800 --a------ F:\WINDOWS\01winver.ini
2008-01-28 20:25 . 2008-01-28 20:34 <DIR> d-------- F:\Program Files\CONEXANT
2008-01-28 20:25 . 2007-03-22 00:34 212,992 --a------ F:\WINDOWS\system32\UCI32C19.dll
2008-01-28 20:25 . 2007-04-03 07:00 147,456 --a------ F:\WINDOWS\system32\TAP32C03.dll
2008-01-28 20:25 . 2007-03-15 05:52 94,208 --a------ F:\WINDOWS\system32\ACFSDK32.dll
2008-01-28 20:25 . 2007-06-29 06:39 86,656 --a------ F:\WINDOWS\system32\drivers\ACFVA32.sys
2008-01-28 20:25 . 2007-07-10 04:14 28,928 --a------ F:\WINDOWS\system32\drivers\ACFDCP32.sys
2008-01-28 20:25 . 2007-03-15 05:52 12,672 --a------ F:\WINDOWS\system32\drivers\ACFSDK32.sys
2008-01-26 12:07 . 2008-01-26 12:07 <DIR> d-------- F:\Program Files\Insight
2008-01-11 18:49 . 2008-01-11 18:49 <DIR> d-------- F:\WINDOWS\system32\URTTEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 21:30 --------- d-----w F:\Program Files\Common Files
2008-02-09 21:28 --------- d-----w F:\Program Files\Mozilla Firefox
2008-02-09 21:26 1,610,612,736 --sha-w F:\pagefile.sys
2008-02-09 06:14 --------- d-----w F:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-03 06:33 --------- d-----w F:\Program Files\Internet Explorer
2008-02-03 06:32 --------- d-----w F:\Program Files\Google
2008-02-01 23:12 --------- d-----w F:\Program Files\Common Files\Microsoft Shared
2008-01-26 22:52 --------- d-----w F:\Documents and Settings\Jody Powell\Application Data\AdobeUM
2008-01-14 03:16 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-01-05 20:14 --------- d-----w F:\Program Files\Common Files\SWF Studio
2008-01-05 20:09 --------- d-----w F:\Program Files\The Weather Channel FW
2008-01-02 18:21 17,642,616 ----a-w F:\WINDOWS\system32\MRT.exe
2007-12-14 16:32 12,632 ----a-w F:\WINDOWS\system32\lsdelete.exe
2007-11-26 23:14 18,312 ----a-w F:\Documents and Settings\Jody Powell\Application Data\GDIPFONTCACHEV1.DAT
2007-11-16 23:59 6,656 ----a-w F:\WINDOWS\system32\pndx5016.dll
2007-11-16 23:59 5,632 ----a-w F:\WINDOWS\system32\pndx5032.dll
2007-11-16 23:59 278,528 ----a-w F:\WINDOWS\system32\pncrt.dll
2007-11-16 23:59 185,944 ----a-w F:\WINDOWS\system32\rmoc3260.dll
2007-11-13 11:31 60,416 ------w F:\WINDOWS\system32\tzchange.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-01-25 05:02 705002]
"DW4"="F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51 715888]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="F:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"TkBellExe"="F:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-16 18:59 185896]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"Client Access Service"="c:\program files\client access\cwbsvstr.exe" [2002-08-06 05:20 20530]
"Client Access Help Update"="c:\program files\client access\cwbinhlp.exe" [2002-08-06 05:20 24576]
"Client Access Check Version"="c:\program files\client access\cwbckver.exe" [2002-08-06 05:20 45106]
"Client Access Express Welcome"="c:\program files\client access\cwbwlwiz.exe" [2002-08-06 05:20 20480]
"ccApp"="F:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 23:37:56 217194]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= F:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
F:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 F:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

R2 SQLWriter;SQL Server VSS Writer;"F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
R3 acfva;acfva;F:\WINDOWS\system32\DRIVERS\ACFVA32.sys [2007-06-29 06:39]
R3 dgcfltr;DGC Filter Driver;F:\WINDOWS\system32\DRIVERS\ACFDCP32.sys [2007-07-10 04:14]
S3 SymIM;Symantec Network Security Intermediate Filter Service;F:\WINDOWS\system32\DRIVERS\SymIM.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 16:35:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\system32\winlogon.exe
-> F:\WINDOWS\system32\NavLogon.dll
.

#22
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Hey Jdpowell,
We still have a friend hiding in there :)

Did you load this:

F:\Program Files\CONEXANT

or anything else from the date 2008-01-02 (the beginning of the year)????

Let me know...........

Harry

#23
Jdpowell

    Member

  • Topic Starter
  • Member
  • 83 posts
It's for the USB modem I have.

Edited by Jdpowell, 10 February 2008 - 10:10 AM.


#24
harrythook

    Trusted Helper

  • Retired Staff
  • 2,618 posts
Ok Jdpowell,
I am looking at the dates associated with files that have been loaded on your machine, that's why I questioned it.
Did you run the Panda scan? I would like to see the results please.

Been a busy Saturday, hope you are having a great weekend.

So far a great weekend, but the wife did not let me buy the new boat at the Atlantic City boat show :) :)

Post up the Panda results please.

harry

#25
Jdpowell

    Member

  • Topic Starter
  • Member
  • 83 posts
Buy the boat anyway. It's easier to get forgiveness than it is to get permission.


;*******************************************************************************************************************************************************************************************
ANALYSIS: 2008-02-10 15:04:59
PROTECTIONS: 0
MALWARE: 28
SUSPECTS: 0
;*******************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================================================
;===========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\jody_powell@atdmt[1].txt
00139535 Application/Processor HackTools No 0 Yes No F:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No F:\Documents and Settings\Jody Powell\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No G:\temp\SDFix.exe[SDFix\apps\Process.exe]
00142289 Trj/Multidropper.EG Virus/Trojan No 0 Yes No G:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000355.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.mediaplex.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tucows.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.com.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\jody_powell@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.burstnet.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.adrevolver.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.target.com/]
00215240 Bck/Sub7.2.2 Virus/Trojan No 0 Yes No G:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000356.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.atwola.com/]
00366244 Application/NirCmd.A HackTools No 0 No No G:\temp\Flash_Disinfector.exe[nircmd.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP6\A0001449.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP7\A0001461.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP8\A0001505.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001297.EXE
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\Combo-Fix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\Combo-Fix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No F:\Documents and Settings\Jody Powell\Desktop\ComboFix(2).exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No F:\Documents and Settings\Jody Powell\Desktop\ComboFix(2).exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP8\A0001528.com
01262593 Application/NirCmd.A HackTools No 0 No No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP8\A0001510.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix(2).exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix(2).exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP7\A0001499.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\ComboFix(2)\nircmd.com
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP16\A0002085.com
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP16\A0002101.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP7\A0001482.com
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP6\A0001452.exe
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP6\A0001401.com
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001327.com
01262593 Application/NirCmd.A HackTools No 0 No No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP8\A0001510.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No F:\ComboFix(2)\nircmd.cfexe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001295.sys
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\29180018.exe.vir
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\43727256.exe.vir
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\158027.exe.vir
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000338.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000289.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001145.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001074.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000292.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0000852.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000294.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000295.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000352.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000297.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000298.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000351.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000350.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000301.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000347.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000345.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000344.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000339.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000305.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000337.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000332.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000330.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000326.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000325.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000324.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000322.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000320.exe
02893167 W32/Bagle.RC.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000316.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000315.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000317.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000318.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000319.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000314.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000321.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000313.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000323.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000312.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000311.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000310.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000327.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000329.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000309.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000331.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000308.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000333.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000334.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000335.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000336.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000307.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000306.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000170.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000340.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000341.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000342.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000343.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000304.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000303.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000346.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000302.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000348.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000349.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000300.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000299.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000296.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\catchme2008-02-03_124634.98.zip[wintems.exe]
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000368.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000369.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0000569.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000293.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0000902.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001070.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000291.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001076.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001140.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000290.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001146.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\catchme2008-02-03_124634.98.zip[mdelk.exe]
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001288.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001289.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000288.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\mdelk.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000046.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000045.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\wintems.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000026.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000025.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\124248.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\43731001.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000287.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\43717021.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\29185456.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000286.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\29172638.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\down\170905.exe.vir
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000285.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000171.exe
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000044.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000169.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP4\A0001287.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP3\A0000367.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\catchme2008-02-03_124634.98.zip[srosa.sys]
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\drivers\srosa.sys.vir
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{7E69122E-5246-4A50-9191-EEE1A30F5624}\RP2\A0000023.sys
;===============================================================================
SUSPECTS
Location
;===============================================================================
;===============================================================================
#26
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hey Jd, let's clean some stuff up and run that scan again:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Run the Panda scan once more, fresh HJT log and a report on how it's running there.
PS, Boat :)

Harry

#27
Jdpowell
    Member
  • Topic Starter
  • 83 posts
Looks a little better.


;*******************************************************************************
ANALYSIS: 2008-02-10 20:31:56
PROTECTIONS: 0
MALWARE: 21
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\jody_powell@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No G:\temp\SDFix.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No F:\Documents and Settings\Jody Powell\Desktop\SDFix.exe[SDFix\apps\Process.exe]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.mediaplex.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tucows.com/]
00148914 Cookie/Tucows TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.tucows.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.com.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\jody_powell@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.burstnet.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.adrevolver.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.target.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No F:\Documents and Settings\Jody Powell\Application Data\Mozilla\Firefox\Profiles\nlfsa4s2.default\cookies.txt[.atwola.com/]
00366244 Application/NirCmd.A HackTools No 0 No No G:\temp\Flash_Disinfector.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\Combo-Fix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix(2).exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix(2).exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\Combo-Fix.exe[327882R2FWJFW\nircmd.cfexe]
;===============================================================================
SUSPECTS
Location
;===============================================================================
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:24 PM, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\Cyberlink\Shared files\RichVideo.exe
F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - F:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - F:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Client Access Service] "c:\program files\client access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "c:\program files\client access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "c:\program files\client access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "c:\program files\client access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW4] "F:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "F:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsout...oad/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1191172309058
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1191173845356
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://mail.wmbird.com/dwa7W.cab
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - F:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 10442 bytes

#28
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
Hey Jdpowell,
Log looks a lot better, most of what you see is cookies. I would look in and clean out G:\temp, seems like you have some of the tools loaded there. Also there is one reference to the C drive in your log, might want to take a peek at what's stuffed in there.

Let me know how it's running :)

Harry
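Harry's reading of the Panda report above (cookies versus real code, tools left in G:\temp, a stray hit on another drive) can be done mechanically. The following is an added example and not code from this thread or from Panda: it parses the MALWARE section of a constructed report modelled on the one above (placeholder user name and restore-point GUID, plus one invented still-active row) and lists what still deserves a look on a machine whose Windows drive is F:.

```python
import re
from collections import Counter

# Column layout of the report's MALWARE section (its header line on the page):
# Id Description Type Active Severity Disinfectable Disinfected Location
# Description may contain spaces ("Cookie/Atlas DMT"), so it is matched lazily.
_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>\S.*)$"
)
RESTORE = "\\System Volume Information\\_restore"   # copies inside old restore points
QUARANTINE = "\\QooBox\\Quarantine\\"               # ComboFix quarantine folder

# Constructed sample modelled on the thread's log (placeholder user name and
# restore-point GUID, plus one invented still-active row on another drive).
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\cookies.txt[.casalemedia.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\USER\Cookies\user@atdmt[1].txt
00139535 Application/Processor HackTools No 0 No No G:\temp\SDFix.exe[SDFix\apps\Process.exe]
01262593 Application/NirCmd.A HackTools No 0 No No G:\temp\ComboFix.exe[327882R2FWJFW\nircmd.com]
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP3\A0000290.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No F:\QooBox\Quarantine\F\WINDOWS\system32\mdelk.exe.vir
00000000 Example/Placeholder Virus/Worm Yes 0 Yes No C:\Program Files\Placeholder\placeholder.exe
;===============================================================================
SUSPECTS
Location
"""


def parse_report(text):
    """Return the MALWARE rows as dicts; header, separator and SUSPECTS lines are skipped."""
    rows, in_malware = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "MALWARE":
            in_malware = True
            continue
        if line == "SUSPECTS":
            break
        if not in_malware or not line or line[0] in ";=":
            continue
        m = _ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows, windows_drive="F"):
    """Tally the report the way the helper reads it: what kinds of hits, whether
    any are still active, and where they sit relative to the Windows drive."""
    s = {"by_type": Counter(r["type"] for r in rows),
         "active": [r["location"] for r in rows if r["active"] == "Yes"],
         "other_drives": Counter(), "restore_points": 0, "quarantined": 0, "in_temp": 0}
    for r in rows:
        loc = r["location"]
        m = re.match(r"^([A-Za-z]):\\", loc)
        drive = m.group(1).upper() if m else "?"
        if drive != windows_drive.upper():
            s["other_drives"][drive] += 1
        s["restore_points"] += RESTORE in loc
        s["quarantined"] += QUARANTINE in loc
        s["in_temp"] += bool(re.search(r"\\temp\\", loc, re.IGNORECASE))
    return s


def needs_attention(rows):
    """Rows worth a second look: still active, or real code (not a tracking
    cookie) that is neither quarantined nor parked in an old restore point."""
    flagged = []
    for r in rows:
        loc = r["location"]
        parked = RESTORE in loc or QUARANTINE in loc
        if r["active"] == "Yes" or (r["type"] != "TrackingCookie" and not parked):
            flagged.append((r["desc"], loc))
    return flagged
```

Tracking cookies and quarantined or restore-point copies are counted but not flagged; the helper tools left in G:\temp and the invented active row on C: are what `needs_attention` returns, which is the same short list Harry pulled out of the real log by eye.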

#29
Jdpowell
    Member
  • Topic Starter
  • 83 posts
Looks like you did it. I have installed Norton Internet Security just fine and everything seems to be okay. Thanks a lot for your help. This was a lot better than spending $250 to get it fixed.

#30
harrythook
    Trusted Helper
  • Retired Staff
  • 2,618 posts
It was my pleasure to help you out :)

Come back if you need anything else, feel free to give me a shout.

Harry