fellow folder - big problems - logs included


Comments

  • Trogan, London, UK
    edited October 2006
    I don't think AVG quarantined the things it found, but that's ok.

    I'll wait for the other results.
  • stacy3, NY
    edited October 2006
    Sorry, I fell asleep. Here is the Panda scan.

    Incident Status Location

    Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Documents\backup\file1092488730.dl_
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Scott\Application Data\Mozilla\Firefox\Profiles\default.0xv\cookies.txt[.go.com/]
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[www.myaffiliateprogram.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.atwola.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.belnk.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.apmebf.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.maxserving.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\Stacy\cookies.txt[.maxserving.com/]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stacy\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stacy\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
    Potentially unwanted tool:Application/FunWeb Not disinfected C:\Documents and Settings\Stacy\My Documents\HijackThis Folder\backups\backup-20040813-133059-686.inf
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\default.9ux\cookies.txt[.apmebf.com/]
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc101.1\backup\file1092575405.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc101.1\backup.zip[backup/file1092575405.dl_]
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1211.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1212.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1213.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1214.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1215.dl_
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1216.exe
    Potentially unwanted tool:Application/PRScheduler Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1217.exeStartup
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1219\coal ping knob.exe.tcf
    Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-500\Dc3\coal ping knob.exe.tcf
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe
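A worked example added to this page (not code from the thread, Panda, or either poster): a small parser for the report layout in the scan above ("category:name status location", with an optional "[inner]" suffix for an archive member or a cookie host), plus a defender's triage heuristic that separates tracking cookies from executable content and from files sitting in the Recycle Bin or inside a clean-up tool's own folder. The sample lines are taken from the scan; the extra status words "Disinfected" and "Deleted" and the triage levels are assumptions of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the Panda ActiveScan layout shown in the scan above:
# "<category>:<name> <status> <location>", where <location> may carry an
# "[inner]" suffix naming the entry inside an archive or the host inside cookies.txt.
SAMPLE_REPORT = r"""
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Documents\backup\file1092488730.dl_
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stacy\Application Data\Mozilla\Firefox\Profiles\default.vw7\cookies.txt[.atwola.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stacy\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc1216.exe
Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3341562259-1085806099-568186159-1006\Dc101.1\backup.zip[backup/file1092575405.dl_]
"""

# "Not disinfected" is the only status in the thread; "Disinfected" and "Deleted"
# are assumed alternatives so the parser does not choke on a later, cleaner scan.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted)\s+"
    r"(?P<location>.+?)(?:\[(?P<inner>[^\]]*)\])?$"
)


@dataclass
class Incident:
    category: str            # "Adware", "Spyware", "Potentially unwanted tool"
    name: str                # "Adware/Lop", "Cookie/Atwola", ...
    status: str
    location: str            # file on disk; the container when `inner` is set
    inner: Optional[str]     # archive member or cookie host, if any

    @property
    def triage(self) -> str:
        """Analyst priority. This is a heuristic of the example, not Panda's own rating."""
        loc = self.location.lower()
        if self.name.startswith("Cookie/"):
            return "low"        # a tracking cookie is one line in cookies.txt, not code
        if "\\smitfraudfix" in loc:
            return "review"     # sits inside a clean-up tool the user ran; verify before deleting
        if loc.startswith("c:\\recycler\\") or loc.endswith((".exe", ".dl_", ".sys", ".zip")):
            return "high"       # executable content, or remnants parked in the Recycle Bin
        return "review"


def parse_report(text: str) -> List[Incident]:
    """Turn the scanner's text report into Incident records; reject lines it cannot read."""
    incidents: List[Incident] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue  # blank line or the column header
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        incidents.append(Incident(**m.groupdict()))
    return incidents


def summarize(incidents: List[Incident]) -> Tuple[Counter, Counter]:
    """Counts by triage level and by detection name, for a quick read of what matters."""
    return (Counter(i.triage for i in incidents),
            Counter(i.name for i in incidents))


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    by_triage, by_name = summarize(found)
    print("by priority:", dict(by_triage))
    print("by detection:", dict(by_name))
    for inc in found:
        print(f"{inc.triage:6} {inc.name:24} {inc.location}"
              + (f"  [{inc.inner}]" if inc.inner else ""))
```

Run on the full scan above, the cookie hits collapse to "low" and the Adware/Lop files under C:\RECYCLER stand out as the entries worth acting on first; a hit inside the SmitfraudFix folder is flagged for a second look rather than treated as an infection.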
  • stacy3, NY
    edited October 2006
    Hi Trogan...

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:42:15 AM, on 10/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O15 - Trusted Zone: http://home.comcast.net
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Trogan, London, UK
    edited October 2006
    Please do this...

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Next...

    Step 1.
    ==========

    - Please download F-Secure's trial Blacklight from here
    - Print out the help page for guidance. It will be found here
    - Click the "I Accept" button at the license agreement
    - Click the "Download" button to start the download
    - Save it to your Desktop

    Step 2.
    ==========

    - Double-click the blbeta.exe file on your Desktop
    - Select the "I Accept the agreement" at the license agreement, then click "Next"
    - Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
    - Click "Scan"
    - When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
    - A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (i.e., fsbl-20051017165931.log)
    - Paste the contents of that log back here.


    Please post the logs from the tools above. :)
  • stacy3, NY
    edited October 2006
    Hi Trogan - here is the log from combofix.

    Stacy - 06-10-07 16:20:40.46 Service Pack 2
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Stacy\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))


    2006-10-06 16:30 3,968 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2006-10-05 10:23 53,248 --a
    C:\WINDOWS\SYSTEM32\Process.exe
    2006-10-05 10:23 40,960 --a
    C:\WINDOWS\SYSTEM32\swsc.exe
    2006-10-05 10:23 288,417 --a
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2006-10-05 10:23 135,168 --a
    C:\WINDOWS\SYSTEM32\swreg.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-07 03:41
    d
    C:\Program Files\Hijackthis
    2006-10-06 22:20
    d
    C:\Program Files\Symantec
    2006-10-06 22:10
    d
    C:\Program Files\Internet Explorer
    2006-10-06 22:08
    d
    C:\Program Files\Folding@Home
    2006-10-06 22:06
    d
    C:\Program Files\Common Files\Symantec Shared
    2006-10-06 21:48
    d
    C:\Documents and Settings\Stacy\Application Data\Symantec
    2006-10-06 21:28
    d
    C:\Program Files\Messenger
    2006-10-06 16:30
    d
    C:\Program Files\Grisoft
    2006-10-06 15:56
    d
    C:\Program Files\Java
    2006-10-06 15:55
    d
    C:\Program Files\Common Files\Java
    2006-10-06 15:55
    d
    C:\Program Files\Common Files
    2006-10-05 18:57
    d
    C:\Program Files\Kid's Typing Skills
    2006-10-05 10:58
    d
    C:\Program Files\Common Files\Softwin
    2006-10-05 10:38
    d
    C:\Program Files\Windows Media Player
    2006-10-05 10:38
    d
    C:\Program Files\MUSICMATCH
    2006-10-05 10:38
    d
    C:\Program Files\Movie Maker
    2006-10-05 10:38
    d
    C:\Program Files\Modem Helper
    2006-10-05 10:38
    d
    C:\Program Files\FinePixViewer
    2006-10-05 10:38
    d
    C:\Program Files\Dell Modem-On-Hold
    2006-10-05 10:38
    d
    C:\Program Files\Classic PhoneTools
    2006-10-05 08:29
    d
    C:\Program Files\SpywareBlaster
    2006-10-04 21:23
    d
    C:\Program Files\Norton Internet Security
    2006-10-04 08:30
    d
    C:\Program Files\Mozilla Firefox
    2006-10-02 09:10
    d
    C:\Program Files\Hasbro Interactive
    2006-10-02 09:09
    d--h
    C:\Program Files\InstallShield Installation Information
    2006-10-02 09:09
    d
    C:\Program Files\Disney Interactive
    2006-10-02 09:07
    d
    C:\Program Files\The Learning Company
    2006-09-28 18:27
    d
    C:\Program Files\QuickTime
    2006-09-28 18:16
    d
    C:\Program Files\iTunes
    2006-09-28 13:13
    d
    C:\Documents and Settings\Stacy\Application Data\AdobeUM
    2006-09-28 11:06
    d
    C:\Documents and Settings\Stacy\Application Data\Lavasoft
    2006-09-28 11:05
    d
    C:\Program Files\Lavasoft
    2006-09-10 07:48
    d
    C:\Program Files\iPod
    2006-09-06 09:00
    d
    C:\Documents and Settings\Stacy\Application Data\Adobe
    2006-09-04 14:44 10344 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
    2006-08-21 08:21 16896 --a
    C:\WINDOWS\SYSTEM32\fltlib.dll
    2006-08-21 05:14 23040 --a
    C:\WINDOWS\SYSTEM32\fltmc.exe
    2006-08-21 05:14 128896
    C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
    2006-08-07 16:02 534208 --a
    C:\WINDOWS\SYSTEM32\SymNeti.dll
    2006-08-07 16:02 31936 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
    2006-08-07 16:02 28352 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
    2006-08-07 16:02 24768 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
    2006-08-07 16:02 195776 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
    2006-08-07 16:02 161472 --a
    C:\WINDOWS\SYSTEM32\SymRedir.dll
    2006-08-07 16:02 110784 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
    2006-08-07 16:01 12992 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
    2006-07-27 09:24 679424 --a
    C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-21 04:24 72704
    C:\WINDOWS\SYSTEM32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
    "HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "URLLSTCK.exe"="\"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="http://us.i1.yimg.com/us.yimg.com/i/us/pim/el/tb_smiley_1.gif"
    "SubscribedURL"="http://us.i1.yimg.com/us.yimg.com/i/us/pim/el/tb_smiley_1.gif"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,6a,02,00,00,df,00,00,00,16,00,00,00,16,00,00,00,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,df,00,00,00,16,00,00,00,16,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,a4,01,86,bb,e9,77,b0,8d,e8,77,ff,ff,ff,ff,83,9a,\
    e7,77,68,5a,35,04

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,90,01,00,00,00,00,00,00,90,01,00,00,36,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,36,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,36,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=hex:91,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adelphia eSupport Assistant.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adelphia eSupport Assistant.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adelphia eSupport Assistant.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\ADELPH~1\\bin\\matcli.exe -boot"
    "item"="Adelphia eSupport Assistant"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 7.0 Tray Icon.lnk"
    "backup"="C:\\WINDOWS\\pss\\America Online 7.0 Tray Icon.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
    "item"="America Online 7.0 Tray Icon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
    "backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item"="Digital Line Detect"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Photo Explosion Calendar Checker.lnk"
    "backup"="C:\\WINDOWS\\pss\\Photo Explosion Calendar Checker.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\WINDOWS\\Installer\\{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}\\PhotoExplosionCalendarChecker.exe "
    "item"="Photo Explosion Calendar Checker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Stacy^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
    "path"="C:\\Documents and Settings\\Stacy\\Start Menu\\Programs\\Startup\\PowerReg SchedulerV2.exe"
    "backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
    "location"="Startup"
    "command"="C:\\Documents and Settings\\Stacy\\Start Menu\\Programs\\Startup\\PowerReg SchedulerV2.exe"
    "item"="PowerReg SchedulerV2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Component Manager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hpcmpmgr"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MoneyAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Money Express"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MoneyStartUp10.0]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Activation"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Motive SmartBridge]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MotiveSB"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\ADELPH~1\\SMARTB~1\\MotiveSB.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "inimapping"="0"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\897486D584B736D9.job
    C:\WINDOWS\tasks\A20415A191A78799.job
    C:\WINDOWS\tasks\A42CF60A958F72CE.job
    C:\WINDOWS\tasks\AFD1E4A0939A9F94.job
    C:\WINDOWS\tasks\B81E814D94B530A9.job
    C:\WINDOWS\tasks\Disk Cleanup.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7200#CN3862C21CI5.job
    C:\WINDOWS\tasks\HP Usg Daily.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Stacy.job

    Completion time: 06-10-07 16:23:01.84
    ComboFix.txt
  • stacy3, NY
    edited October 2006
    Blacklight: didn't find any hidden files. Whew.

    10/07/06 16:30:05 [Info]: BlackLight Engine 1.0.47 initialized
    10/07/06 16:30:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    10/07/06 16:30:09 [Note]: 7019 4
    10/07/06 16:30:09 [Note]: 7005 0
    10/07/06 16:32:22 [Note]: 7006 0
    10/07/06 16:32:22 [Note]: 7011 236
    10/07/06 16:32:22 [Note]: 7026 0
    10/07/06 16:32:22 [Note]: 7026 0
    10/07/06 16:32:58 [Note]: FSRAW library version 1.7.1020
    10/07/06 16:52:37 [Note]: 7007 0


    Is it strange that all of a sudden my clock on my desktop reads military time?
  • Trogan, London, UK
    edited October 2006
    Hi Stacy
    Is it strange that all of a sudden my clock on my desktop reads military time?
    Has it always been like that, or have you just noticed it? What do you mean by military time? A 24-hour clock?
    __________________________________

    - Click HERE and download the file to your desktop
    - You should have a file called new_uninstall on your desktop - open it
    - Press OK at the prompts
    - Enter the code shown
    - Press OK to complete the removal

    Reboot your computer and run ComboFix again and post a new log please.

    Also, can you tell me how things are, please?
  • stacy3, NY
    edited October 2006
    Trogan, I tried your link and Norton blocked it as a security risk. Should I ignore their block? They said the risk name was Adware.lop.

    Also, no, I usually have the clock on a 12-hour clock; now it is switched to 24-hour.
  • Trogan, London, UK
    edited October 2006
    Yeah, tell Norton to ignore it. The file is not malicious.

    Have you tried resetting the time?
  • stacy3, NY
    edited October 2006
    Oh lordy, Trogan, I can't even find WHERE to reset the time to 12-hour...

    After I rebooted, my homepage is the basic Mozilla one rather than the Yahoo one it has been set to.

    I'm not exactly sure how things are. It took a loooong time to shut down windows. But I don't seem to have crazy emails. The time thing is weird too.

    Here is the combofix log:

    Stacy - 06-10-07 19:36:02.46 Service Pack 2
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Stacy\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-09-07 to 2006-10-07 ))))))))))))))))))))))))))))))))))


    2006-10-06 16:30 3,968 --a
    C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2006-10-05 10:23 53,248 --a
    C:\WINDOWS\SYSTEM32\Process.exe
    2006-10-05 10:23 40,960 --a
    C:\WINDOWS\SYSTEM32\swsc.exe
    2006-10-05 10:23 288,417 --a
    C:\WINDOWS\SYSTEM32\SrchSTS.exe
    2006-10-05 10:23 135,168 --a
    C:\WINDOWS\SYSTEM32\swreg.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-07 03:41 d C:\Program Files\Hijackthis
    2006-10-06 22:20 d C:\Program Files\Symantec
    2006-10-06 22:10 d C:\Program Files\Internet Explorer
    2006-10-06 22:08 d C:\Program Files\Folding@Home
    2006-10-06 22:06 d C:\Program Files\Common Files\Symantec Shared
    2006-10-06 21:48 d C:\Documents and Settings\Stacy\Application Data\Symantec
    2006-10-06 21:28 d C:\Program Files\Messenger
    2006-10-06 16:30 d C:\Program Files\Grisoft
    2006-10-06 15:56 d C:\Program Files\Java
    2006-10-06 15:55 d C:\Program Files\Common Files\Java
    2006-10-06 15:55 d C:\Program Files\Common Files
    2006-10-05 18:57 d C:\Program Files\Kid's Typing Skills
    2006-10-05 10:58 d C:\Program Files\Common Files\Softwin
    2006-10-05 10:38 d C:\Program Files\Windows Media Player
    2006-10-05 10:38 d C:\Program Files\MUSICMATCH
    2006-10-05 10:38 d C:\Program Files\Movie Maker
    2006-10-05 10:38 d C:\Program Files\Modem Helper
    2006-10-05 10:38 d C:\Program Files\FinePixViewer
    2006-10-05 10:38 d C:\Program Files\Dell Modem-On-Hold
    2006-10-05 10:38 d C:\Program Files\Classic PhoneTools
    2006-10-05 08:29 d C:\Program Files\SpywareBlaster
    2006-10-04 21:23 d C:\Program Files\Norton Internet Security
    2006-10-04 08:30 d C:\Program Files\Mozilla Firefox
    2006-10-02 09:10 d C:\Program Files\Hasbro Interactive
    2006-10-02 09:09 d--h C:\Program Files\InstallShield Installation Information
    2006-10-02 09:09 d C:\Program Files\Disney Interactive
    2006-10-02 09:07 d C:\Program Files\The Learning Company
    2006-09-28 18:27 d C:\Program Files\QuickTime
    2006-09-28 18:16 d C:\Program Files\iTunes
    2006-09-28 13:13 d C:\Documents and Settings\Stacy\Application Data\AdobeUM
    2006-09-28 11:06 d C:\Documents and Settings\Stacy\Application Data\Lavasoft
    2006-09-28 11:05 d C:\Program Files\Lavasoft
    2006-09-10 07:48 d C:\Program Files\iPod
    2006-09-06 09:00 d C:\Documents and Settings\Stacy\Application Data\Adobe
    2006-09-04 14:44 10344 --a C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
    2006-08-21 08:21 16896 --a C:\WINDOWS\SYSTEM32\fltlib.dll
    2006-08-21 05:14 23040 --a C:\WINDOWS\SYSTEM32\fltmc.exe
    2006-08-21 05:14 128896 C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
    2006-08-07 16:02 534208 --a C:\WINDOWS\SYSTEM32\SymNeti.dll
    2006-08-07 16:02 31936 --a C:\WINDOWS\SYSTEM32\DRIVERS\symids.sys
    2006-08-07 16:02 28352 --a C:\WINDOWS\SYSTEM32\DRIVERS\symndis.sys
    2006-08-07 16:02 24768 --a C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
    2006-08-07 16:02 195776 --a C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
    2006-08-07 16:02 161472 --a C:\WINDOWS\SYSTEM32\SymRedir.dll
    2006-08-07 16:02 110784 --a C:\WINDOWS\SYSTEM32\DRIVERS\symfw.sys
    2006-08-07 16:01 12992 --a C:\WINDOWS\SYSTEM32\DRIVERS\symdns.sys
    2006-07-27 09:24 679424 --a C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-21 04:24 72704 C:\WINDOWS\SYSTEM32\hlink.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
    "HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "URLLSTCK.exe"="\"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="http://us.i1.yimg.com/us.yimg.com/i/us/pim/el/tb_smiley_1.gif"
    "SubscribedURL"="http://us.i1.yimg.com/us.yimg.com/i/us/pim/el/tb_smiley_1.gif"
    "FriendlyName"=""
    "Flags"=dword:00000001
    "Position"=hex:2c,00,00,00,6a,02,00,00,df,00,00,00,16,00,00,00,16,00,00,00,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,6a,02,00,00,df,00,00,00,16,00,00,00,16,00,\
    00,00,01,00,00,40
    "RestoredStateInfo"=hex:dc,ff,a4,01,86,bb,e9,77,b0,8d,e8,77,ff,ff,ff,ff,83,9a,\
    e7,77,68,5a,35,04

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,36,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,50,00,00,00,00,00,00,00,d0,02,00,00,36,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=hex:91,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adelphia eSupport Assistant.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adelphia eSupport Assistant.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adelphia eSupport Assistant.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\ADELPH~1\\bin\\matcli.exe -boot"
    "item"="Adelphia eSupport Assistant"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 7.0 Tray Icon.lnk"
    "backup"="C:\\WINDOWS\\pss\\America Online 7.0 Tray Icon.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
    "item"="America Online 7.0 Tray Icon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
    "backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
    "item"="Digital Line Detect"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Explosion Calendar Checker.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Photo Explosion Calendar Checker.lnk"
    "backup"="C:\\WINDOWS\\pss\\Photo Explosion Calendar Checker.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\WINDOWS\\Installer\\{B8F19DA6-0BCD-48FC-9998-C6ACEAEEDEFE}\\PhotoExplosionCalendarChecker.exe "
    "item"="Photo Explosion Calendar Checker"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Stacy^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
    "path"="C:\\Documents and Settings\\Stacy\\Start Menu\\Programs\\Startup\\PowerReg SchedulerV2.exe"
    "backup"="C:\\WINDOWS\\pss\\PowerReg SchedulerV2.exeStartup"
    "location"="Startup"
    "command"="C:\\Documents and Settings\\Stacy\\Start Menu\\Programs\\Startup\\PowerReg SchedulerV2.exe"
    "item"="PowerReg SchedulerV2"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AdaptecDirectCD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DirectCD"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Component Manager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="hpcmpmgr"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="HPWuSchd2"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MoneyAgent]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Money Express"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MoneyStartUp10.0]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="Activation"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Motive SmartBridge]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MotiveSB"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\ADELPH~1\\SMARTB~1\\MotiveSB.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="realsched"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ypager"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
    "inimapping"="0"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Disk Cleanup.job
    C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#7200#CN3862C21CI5.job
    C:\WINDOWS\tasks\HP Usg Daily.job
    C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Stacy.job

    Completion time: 06-10-07 19:38:45.70
    ComboFix.txt
    ComboFix2.txt
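When a helper reads a log like the one above, the part that matters most is the "Reg Loading Points" section: every value under a Run key or an MSCONFIG Startupfolder/Startupreg record is something that launches at boot or logon. The script below is an added example, not part of this thread and not ComboFix's own code. It parses that .reg-style dump, unescapes the doubled backslashes, pulls out the executable from each command, and flags any executable that lives under a user profile (or a Temp folder) instead of Program Files or the Windows directory, since that is where a drop-in autorun usually sits. The sample text is constructed from lines of the posted log; the "user-writable prefix" list is an assumption made for the example, and a flag means "look at this", not "malicious".

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the ComboFix log posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Stacy^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
"location"="Startup"
"command"="C:\\Documents and Settings\\Stacy\\Start Menu\\Programs\\Startup\\PowerReg SchedulerV2.exe"
"item"="PowerReg SchedulerV2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                     # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')            # "name"="string value"
RUN_KEY_RE = re.compile(r'\\(Run|RunOnce)$', re.I)      # ...\CurrentVersion\Run etc.
MSCONFIG_RE = re.compile(r'\\MSCONFIG\\Startup(folder|reg)\\', re.I)
# Executable = quoted path, or the shortest prefix ending in a program extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?=\s|$)', re.I)
# Assumed "user-writable" locations for this example (XP-era profile layout).
USER_WRITABLE = ('c:\\documents and settings\\', 'c:\\docume~1\\')


@dataclass
class Entry:
    key: str          # registry key the value came from
    name: str         # value name, or last key component for MSCONFIG records
    command: str      # unescaped command line
    executable: str   # program part of the command line
    flagged: bool     # True when the program lives in a user-writable place


def unescape(value: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r'\\(["\\])', r'\1', value)


def executable_of(command: str) -> str:
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith(USER_WRITABLE) or '\\temp\\' in p


def autostart_entries(text: str) -> list:
    """Return every autostart command found in the Reg Loading Points dump."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = VALUE_RE.match(line)
        if not val_match or current_key is None:
            continue
        name, value = val_match.group(1), unescape(val_match.group(2))
        if RUN_KEY_RE.search(current_key):
            label = name                      # each Run value is one autorun
        elif MSCONFIG_RE.search(current_key) and name == 'command':
            label = current_key.rsplit('\\', 1)[-1]   # disabled-but-recorded item
        else:
            continue                          # IE desktop components, policies, etc.
        exe = executable_of(value)
        entries.append(Entry(current_key, label, value, exe, is_user_writable(exe)))
    return entries


def flagged_entries(text: str) -> list:
    return [e for e in autostart_entries(text) if e.flagged]


if __name__ == '__main__':
    for e in autostart_entries(SAMPLE_LOG):
        print(('CHECK ' if e.flagged else '      ') + e.name + ' -> ' + e.executable)
```

Run it against a saved ComboFix.txt by reading the file into `autostart_entries`; only lines of the form `[key]` and `"name"="value"` are consumed, so the hex and dword values in the same section are ignored.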
  • TroganTrogan London, UK
    edited October 2006
    > oh lordy, trogan, I can't even find WHERE to reset the time to 12 hour...
    I'm not sure either. :( You might want to ask in the Windows forum.
    > After I rebooted, my homepage is the basic mozilla one rather than the Yahoo one it has been set to.
    In Firefox, go to Tools > Options > General tab and set your homepage as Yahoo there.

    The ComboFix looks fine to me. You can delete all the tools we downloaded, such as SmitfraudFix, ComboFix, the Lop remover, etc.

    I'm glad the Emails have stopped.

    Let me know how things are after a little while.
  • stacy3stacy3 NY
    edited October 2006
    I will - thank you.
  • stacy3stacy3 NY
    edited October 2006
    Hi Trogan - for future reference if anyone else is reading - to change the clock - go to Control Panel - Regional and Language Options - Choose customize - Then under the Time tab, choose h:mm:ss.

    Anyway, thank you so much for all the time you put into getting me straightened out. Things seem to be going smoothly now.

    Can you give me a hint - were there multiple problems? What did I do to get myself into that mess?

    Thanks again
    ~Stacy
  • TroganTrogan London, UK
    edited October 2006
    Hi Stacy,

    Thanks for the clock tip - glad you figured it out. :)

    You had part of a Lop infection. Using ComboFix showed that, and running the tool I had you download removed it as the second ComboFix log showed no signs of it. How you got the Emails or why they started, I don't know, sorry.

    It would be a good idea to Flush your System Restore points now. You can clean this by doing the following:
    • Click Start | Help and Support | Undo changes to your computer with System Restore.
    • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
    • Close the Help and Support Center box.
    • Click Start | Run and type Cleanmgr
    • Select (C: ) then click OK.
    • Click the More Options tab.
    • Click Clean Up in the System Restore Section.
    This will remove all previous restore points except the newly created one.

    Is there anything else I can help with? I'm happy things are back to normal...you don't need to buy a new computer now. :D
  • stacy3stacy3 NY
    edited October 2006
    :clap:

    I can't thank you enough.

    But, I do have to squeeze in one more stupid question - JUST to be sure!

    I followed your instructions and at the end, I clicked on Clean Up in the System Restore Section, then chose More Options and when I chose Clean Up for System Restore...nothing really happened. So then I chose OK at the bottom and a window pops up titled Disk Cleanup for C:...and it says Are you sure you want to perform these actions. I said yes and it started doing a C cleanup, rather than just system restore cleanup (?) So I hit cancel. Am I supposed to let that run?

    Stacy :confused2
  • TroganTrogan London, UK
    edited October 2006
    Hi Stacy,

    No, that's fine. I'm sure Disk Cleanup did its thing. :)
  • stacy3stacy3 NY
    edited October 2006
    Ok!

    thank You!!!!!!!!!!!!
  • TroganTrogan London, UK
    edited October 2006
    You're welcome! :)
  • stacy3stacy3 NY
    edited October 2006
    Hi Trogan -

    Occasionally I have a Norton Window pop up that says "A suspected security risk has been blocked" The risk name is Adware.lop. The file was automatically blocked.

    It asks me to do one of the following:
    Scan Now (recommended)
    Exclude this risk from future scans
    or
    Ignore this risk for 30 minutes

    I had mentioned this the first time it happened - while we were performing all those scans but not sure what to do, now.

    thanks,
    Stacy
  • TroganTrogan London, UK
    edited October 2006
    Hi Stacy,

    Have you deleted the new_uninstall.exe file you downloaded? What is the location of the infected file Norton keeps finding?
  • stacy3stacy3 NY
    edited October 2006
    ahh that one was hiding out on my desktop. sorry. will that fix it now? I don't know where the file is.
  • TroganTrogan London, UK
    edited October 2006
    Deleting the file should stop the Norton alerts.
  • stacy3stacy3 NY
    edited October 2006
    thanks - sorry.
  • TroganTrogan London, UK
    edited October 2006
    Sorry for what?

    Have you found and deleted the file? Tell me if that stops the alerts or not.
  • stacy3stacy3 NY
    edited October 2006
    I guess my ignorance...:-/ I just seem to keep coming up with these silly questions...:rolleyes: and I know you've got to have better things to do!

    I deleted from my desktop - do I have to go somewhere else?

    The popups aren't all the time, it may take a bit to see if they're gone...
  • TroganTrogan London, UK
    edited October 2006
    Give it some time, and let me know. :)
  • stacy3stacy3 NY
    edited October 2006
    Hello again Trogan...

    Today while running adaware - the popup occurred again.

    also, on 2 occasions - once yesterday and once today, my Outlook Express has frozen up. Yesterday while receiving messages, today while sending one. (By the way, this is not the email where I had been getting those strange ones - that was my yahoo address.) And they were not involved emails - text only. I can't seem to get it off my desktop without restarting...it still has the little envelope with the magnifying glass...

    Stacy:confused:
  • TroganTrogan London, UK
    edited October 2006
    Hi Stacy...I'm a bit confused.
    > Today while running adaware - the popup occurred again.
    What popup?
    > also, on 2 occasions - once yesterday and once today, my Outlook Express has frozen up. Yesterday while receiving messages, today while sending one. (By the way, this is not the email where I had been getting those strange ones - that was my yahoo address.) And they were not involved emails - text only. I can't seem to get it off my desktop without restarting...it still has the little envelope with the magnifying glass...
    I don't get what you mean? Get what off your desktop?
  • stacy3stacy3 NY
    edited October 2006
    I guess it's the taskbar at the bottom. It still looks like I'm receiving email. But I also just checked my yahoo inbox and have numerous of the other emails with attachments...

    The popup I meant is the Norton alert, that should have stopped when I deleted the new uninstall.exe.
  • stacy3stacy3 NY
    edited October 2006
    sorry Trogan - I went back and I had explained the emails in the beginning when I was dealing with someone else. Here is what I had written:

    I am getting emails only at my yahoo email account - all with attachments. The subjects vary - Re: Your details; Your Document; Re: Phone number; Thank you!, etc...

    Some are from totally unknown addresses. But lots of them are from a specific "list" in my address book. It's easy to see because they are all former classmates of mine that I have listed together and I don't communicate with them very often.

    Stacy