My PC has a page file problem. It does not exist. Error messages include: "Windows created a temporary paging file on your computer because of a problem that occurred with your paging file configuration when you started your computer. The total paging file size for all disk drives may be somewhat larger than the size you specified." My machine always hangs at "loading your personal settings" during bootup. Another message received when booting at loading personal settings and hitting Alt-Tab is, "Limited virtual memory. Your system has no paging file, or the paging file is too small. To fix this problem..." Then the message describes the routine for setting page file sizes. I have searched the internet and found this problem to be common with a large variety of suggested fixes. I have tried all I've found with no success. This includes installing the Intel accelerator for this chip set (850); checking to insure I have all rights to set page file parameters; deleting and reinstalling page file; doing all in safe mode; etc.

I think I need to insure there is no spyware on this PC. We have run per your instructions, Spybot; we attempted to run Adaware, but the machine reboots during the middle of the scan. It seems to reboot while checking the files in the I386 directory - but that's a bit hard to catch. I have searched for pagefile.sys both from DOS with the /a setting. I can see system and hidden files - but no "pagefile.sys". I also searched for it with the GUI Explorer searcher after making sure the options were set so i could see hidden and system files - but still no "pagefile.sys".

The machine also reboots when I tried, per your instructions, to run my virus software which is Norton AntiVirus (copyright 2006) Version 14.3.0.8.

I look forward to your advice and help.

Following is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:00 AM, on 9/18/2001
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/mo.../ipgaxctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/o...autopricer.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\Harrisdirect\FlowHook.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

I don't see anything malicious in your log so may not be spyware related but we can do a couple scans to make sure.


1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Please download Deckard's System Scanner (DSS) to your desktop.

• Close all applications and windows.
• Double-click on dss.exe to run it, and follow the prompts.
• When the scan is complete, a text file will open - Main.txt
• Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
• An additional text file, Extra.txt,will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
• Please go to that FOLDER and also copy the contents of Extra.txt to your post as well.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What DSS will do:

• Create a new System Restore point in Windows XP and Vista.
• Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed.

Post Logs:

• DSS Scan Results: contents of:
  • 1) Main.txt
  • 2) Extra.txt

Thanks for your response. Here are the logs you requested, and they should be in the following order:
1. Combofix log
2. DSS's Main.txt and Extra.txt
3. HijackThis log (you didn't ask for this but I'm including it just in case.
Look forward to any suggestions. If it turns out that you see no signs of spyware or any malware being the cause of our problem, would you suggest we got to the D-A-L XP forum?

Bob as in Bobarb9.


"Bob Golder" - 2007-05-19 16:16:26 Service Pack 2
ComboFix 07-05.20.5.V - Running from: "C:\Documents and Settings\Bob Golder\Desktop\"



((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


2007-05-15 14:55 <DIR> d-------- C:\WINDOWS\pss
2007-05-15 14:31 <DIR> d-------- C:\Program Files\DellConnect
2007-05-15 14:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell
2007-05-15 13:45 268,435,456 C:\WINDOWS\SYSTEM32\temppf.sys
2007-05-15 10:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-09 09:47 44,875 --a------ C:\WINDOWS\SYSTEM32\IPrtCnst.dll
2007-05-09 09:47 13,891 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\IdeBusDr.sys
2007-05-09 09:47 101,431 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\IdeChnDr.sys
2007-05-09 09:36 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-05-09 09:36 <DIR> d-------- C:\Program Files\Intel
2007-05-09 09:35 <DIR> d-------- C:\Intel
2007-05-03 10:37 5 --ahs---- C:\WINDOWS\SYSTEM32\dfcbaecdea_g.dll
2007-05-03 10:37 <DIR> d-------- C:\Program Files\RegSupreme
2007-04-30 20:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-30 19:08 <DIR> d-------- C:\DOCUME~1\BOBGOL~1\APPLIC~1\Lavasoft
2007-04-30 19:07 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-30 19:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 18:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2007-04-30 18:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-04-30 18:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-30 18:13 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-30 17:47 22,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys
2007-04-28 07:15 48,776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-04-28 07:15 115,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-04-28 07:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Symantec Temporary Files


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2007-05-19 23:22:45 268,435,456 --sha-w C:\WINDOWS\system32\temppf.sys
2007-05-19 22:55:40 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-19 22:46:50 -------- d-----w C:\Program Files\Microsoft Home Publishing
2007-05-15 20:13:31 -------- d-----w C:\Program Files\BroadJump
2007-05-15 16:49:21 -------- d-----w C:\Program Files\Common Files\PestPatrol
2007-05-15 16:45:28 -------- d-----w C:\Program Files\World Time
2007-05-09 16:47:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-28 14:24:19 -------- d-----w C:\Program Files\Norton AntiVirus
2007-04-28 14:19:09 -------- d-----w C:\Program Files\Symantec
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86 \3\hpztsb05.exe" [2002-03-28 01:50]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"WorksFUD"="C:\Program Files\Microsoft Works\Wkfud.exe" [2000-08-10 11:00]
"POINTER"="point32.exe" []
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-02-07 15:39]
"NvCplDaemon"="NvQTwk" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-10 11:00]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-08-10 11:00]
"DellTouch"="C:\WINDOWS\DELLMMKB.EXE" [2001-09-23 06:14]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 14:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"QAGENT"="C:\QUICKENW\QAGENT.EXE" [1999-02-25 11:55]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-10-12 17:13]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [2000-07-19 08:00]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-01 03:00:45 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Bob Golder.job

************************************************** ******************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-19 16:23:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


************************************************** ******************

Completion time: 2007-05-19 16:26:13 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-19 16:26


--- E O F ---

Deckard's System Scanner v20070426.43
Run by Bob Golder on 2007-05-20 at 16:11:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
18: 2007-05-20 23:11:15 UTC - RP432 - Deckard's System Scanner Restore Point
17: 2007-05-15 21:31:18 UTC - RP431 - Installed DellConnect.
16: 2007-05-15 16:49:00 UTC - RP430 - Removed Cox High Speed Internet security suite
15: 2007-05-15 16:48:23 UTC - RP429 - Removed Authentium
14: 2007-05-08 19:33:07 UTC - RP428 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-02-18 05:23:15 UTC - RP415 - Software Distribution Service 2.0


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Bob Golder.exe) ------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:12:24 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QAGENT.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\Downloads\dss.exe
C:\PROGRA~1\HIJACK~1\Bob Golder.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/mo.../ipgaxctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/o...autopricer.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\Harrisdirect\FlowHook.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_xp - c:\windows\system32\drivers\cdr4_xp.sys <Not Verified; Roxio; DirectCD>
R1 Cdralw2k - c:\windows\system32\drivers\cdralw2k.sys <Not Verified; Roxio; DirectCD>
R1 cdudf_xp - c:\windows\system32\drivers\cdudf_xp.sys <Not Verified; Roxio; DirectCD>
R1 pwd_2K - c:\windows\system32\drivers\pwd_2k.sys <Not Verified; Roxio; DirectCD>
R1 UdfReadr_xp - c:\windows\system32\drivers\udfreadr_xp.sys <Not Verified; Roxio; DirectCD>
R3 mmc_2K - c:\windows\system32\drivers\mmc_2k.sys <Not Verified; Roxio; DirectCD>

S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 dvd_2K - c:\windows\system32\drivers\dvd_2k.sys <Not Verified; Roxio; DirectCD>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-04-30 20:00:45 566 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Bob Golder.job


-- Files created between 2007-04-20 and 2007-05-20 -----------------------------

2007-05-15 14:55:52 0 d-------- C:\WINDOWS\pss
2007-05-15 14:31:19 0 d-------- C:\Program Files\DellConnect
2007-05-15 14:19:25 0 d-------- C:\WINDOWS\system32\Dell
2007-05-15 13:45:27 268435456 --ahs---- C:\WINDOWS\system32\temppf.sys
2007-05-15 10:06:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-05-09 09:36:24 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-05-09 09:36:24 0 d-------- C:\Program Files\Intel
2007-05-09 09:35:28 0 d-------- C:\Intel
2007-05-03 10:37:56 5 --ahs---- C:\WINDOWS\system32\dfcbaecdea_g.dll
2007-05-03 10:37:05 0 d-------- C:\Program Files\RegSupreme
2007-04-30 20:23:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-30 19:08:13 0 d-------- C:\Documents and Settings\Bob Golder\Application Data\Lavasoft
2007-04-30 19:07:51 0 d-------- C:\Program Files\Lavasoft
2007-04-30 19:07:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 18:31:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2007-04-30 18:14:01 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-04-30 18:14:01 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-04-30 18:14:01 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-04-30 18:14:01 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-04-30 18:14:01 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-04-30 18:14:01 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-04-30 18:14:01 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-04-30 18:14:01 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-04-30 18:14:01 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-04-30 18:14:01 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-04-30 18:14:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-04-30 18:14:01 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-04-30 18:14:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-04-30 18:14:00 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-04-30 18:14:00 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-04-30 18:14:00 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-04-30 18:13:59 1835008 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-28 07:03:27 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files


-- Find3M Report ---------------------------------------------------------------

2007-05-20 16:08:16 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-05-20 15:44:06 0 d-------- C:\Program Files\Microsoft Home Publishing
2007-05-15 13:13:31 0 d-------- C:\Program Files\BroadJump
2007-05-15 09:49:21 0 d-------- C:\Program Files\Common Files\PestPatrol
2007-05-15 09:45:28 0 d-------- C:\Program Files\World Time
2007-05-09 09:47:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-28 07:24:19 0 d-------- C:\Program Files\Norton AntiVirus
2007-04-28 07:19:09 0 d-------- C:\Program Files\Symantec


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w 32x86\\3\\hpztsb05.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\Wkfud.exe"
"POINTER"="point32.exe"
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e"
"QAGENT"="C:\\QUICKENW\\QAGENT.EXE"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-20 at 16:13:03 ---------
Deckard's System Scanner v20070426.43
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 511.01 MiB / 231.04 MiB
Pagefile Memory (total/avail): 737.04 MiB / 460.79 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1969.99 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.5 GiB total, 30.83 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Norton AntiVirus v2007 (Symantec Corporation) Disabled
AV: Norton AntiVirus v2007 (Symantec Corporation) Disabled


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bob Golder\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BOBS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bob Golder
LOGONSERVER=\\BOBS
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\Sys tem32\Wbem;C:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WS F;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BOBGOL~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BOBGOL~1\LOCALS~1\Temp
USERDOMAIN=BOBS
USERNAME=Bob Golder
USERPROFILE=C:\Documents and Settings\Bob Golder
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Bob Golder (admin)
Barbara Golder (admin)
goldbeee@primenet.co (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ArcSoft PhotoBase --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoBase\Uninst.isu"
ArcSoft PhotoStudio 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoStudio 2000\Uninst.isu"
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Avery Wizard 2.1 for Microsoft® Word 2000 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Avery Wizard\DeIsL1.isu" -c"C:\Program Files\Avery Wizard\uninst.dll
Canon iP1600 --> C:\WINDOWS\system32\CNMCP75.exe "-PRINTERNAMECanon iP1600" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon ScanGear Toolbox 3.0 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\ScanGear Toolbox Ver3\Uninst.isu" -c"C:\Program Files\Canon\ScanGear Toolbox Ver3\uninst.dll"
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Conexant HSF V92 56K RTAD Speakerphone PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SU BSYS_021913E0\SETUP.EXE -U -CMODEM -BPCI -IVEN_14F1&DEV_2016&SUBSYS_021913E0
CorrectConnect --> C:\WINDOWS\ISUninst.exe -f"C:\Program Files\CConnect\Uninst.isu" -c"C:\Program Files\CConnect\Uninst.dll"
DAO 3.5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intuit\DAO 3.5\Uninst.isu"
Dell Picture Studio - Image Expert 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Sierra Imaging\Image Expert 2000\Uninst.isu" -c"C:\Program Files\Sierra Imaging\Image Expert 2000\uninstall.dll
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
DellConnect --> MsiExec.exe /X{52D56C42-8C69-4882-A661-39695537C9CF}
DellTouch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{706D5382-7381-4680-9DD0-161832578252}\setup.exe"
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Harrisdirect MarketSpeed --> C:\HARRIS~1\UNWISE.EXE C:\HARRIS~1\INSTALL.LOG
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
hp instant support --> C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe CeS
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
KODAK DC3200 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\KODAK\DC3200\UninstDC3200.isu"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Encarta Encyclopedia Standard 2001 --> MsiExec.exe /I{01001202-5D65-445A-B3B4-3DCE72BA0C6C}
Microsoft Greetings --> C:\Program Files\Microsoft Home Publishing\Setup\mhpstp.exe /m
Microsoft Interactive Training --> C:\Program Files\MSPress\Training\lunins32_s.exe
Microsoft Money 2001 --> MsiExec.exe /I{D085A1B6-90A4-11D3-82B7-00C04FA309DE}
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Standard --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Publishing 2001 --> MsiExec.exe /I{15D9EB74-998E-4A04-B468-51C2E7B32182}
Microsoft Streets and Trips 2001 --> MsiExec.exe /I{3D719053-5593-11D3-8F25-0060085C1758}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works 2001 Setup Launcher --> c:\program files\microsoft works suite 2001\setup\launcher.exe d:\
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\SETUP.EXE" ControlPanel
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MusicMatch Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MusicMatch\MusicMatch Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_3_0_8\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvdd.inf
OmniPage Pro 9.0 --> C:\Program Files\Caere\OmniPagePro90\Deinstall.exe "C:\Program Files\Caere\OmniPagePro90\uninstall.exe -f'C:\Program Files\Caere\OmniPagePro90\DeIsL1.isu'"
Print Screen Deluxe --> C:\WINDOWS\amuninst.exe -fC:\WINDOWS\unpsdev.ini
PrintMaster 16 --> MsiExec.exe /I{4FA46975-176F-457A-A09C-DBD0CBDA65F3}
PRO200WL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ct or.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{280C7673-2DF8-4E74-B031-D8F108BE2A6D}\SETUP.EXE" -uninst
Quicken Deluxe 99 --> C:\WINDOWS\IsUninst.exe -fC:\QUICKENW\Uninst.isu
RegSupreme 1.4 --> "C:\Program Files\RegSupreme\unins000.exe"
Scan Manager 5.2 --> MsiExec.exe /I{E0A1559B-9886-11D4-8D06-0050DA284A39}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spunins t.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spunins t.exe"
Shockwave --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\INSTALL.LOG
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
World Time --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\World Time\Uninst.isu"


-- End of Deckard's System Scanner: finished at 2007-05-20 at 16:13:03 ---------

Logfile of HijackThis v1.99.1
Scan saved at 4:36:08 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QAGENT.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/mo.../ipgaxctrl.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/o...autopricer.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\Harrisdirect\FlowHook.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:


C:\WINDOWS\system32\dfcbaecdea_g.dll


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


If that one is to busy here is another option:


http://virusscan.jotti.org

And

http://www.kaspersky.com/scanforvirus.html




If you did not set these restrictions yourself they can be fixed useing hijackthis


Run hijackthis and click on scan button and put checks next to these:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot your computer




Apparently Symantec has been disabled, did you do this yourself.

FW(firewall): Norton AntiVirus v2007 (Symantec Corporation) Disabled
AV(anti-virus): Norton AntiVirus v2007 (Symantec Corporation) Disabled

You should check on the Symantec thing immediately.

Please post results of file scan. Thanks.

First place was too busy. Used the second.

I am a neighbor and friend who is helping Bobarb9 (I am registered as korndorb). The scans run yesterday were done using Microsoft's "Remote Assistance" where I ran Bobarb9 (Mr. Golder's) from my PC. We live about 5 miles apart. That may explain the O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present that you suggested putting checkmarks next to. I do not see those entries today, and I am actually at Mr. Golder's house on his PC. Is it okay to use the "Remote Assistance" service? I will not do so if you so advise.

I disabled Norton yesterday before running "DSS". I was concerned about the instruction to "Close all applications and windows." In fact, I thought the word "windows" meant "Windows" and tried to figure how to boot to DOS until I assumed it just meant visible windows from various applications. Is it okay to leave Norton enabled while running the various programs you suggest?

Below is the report from http://virusscan.jotti.org

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: dfcbaecdea_g.dll
Status: OK
MD5 bdf9a1341f51a1770cb9da9b8761fd6a
Packers detected: -

Scanner results
Scan taken on 21 May 2007 1755 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by donations (in random order) from: Stormbyte Technologies LLC, The ClamAV project, Steve S., Eric Johansen, Eric Schechter, Paul Bokel, Wilders Security, Wilfried Lilie, Prevx, SonicWALL, Lance Mueller, Ewido networks, HotelScraper.com, people who donated in the past, and some people who prefer to remain anonymous... many thanks to all!
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: 124327M.dll_ (MD5: e7f3caca3e55ec54e8e7950bff99feac, size: 20624 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/PSW.Lmir.azc.2
ArcaVir X
Avast Win32:Lmir-MW
AVG Antivirus PSW.Legendmir.ERP
BitDefender Trojan.PWS.Legmir.DLM
ClamAV Trojan.Spy-5161
Dr.Web Trojan.PWS.Legmir.694
F-Prot Antivirus X
F-Secure Anti-Virus Trojan-PSW.Win32.OnLineGames.mk
Fortinet X
Kaspersky Anti-Virus Trojan-PSW.Win32.OnLineGames.mk
NOD32 Win32/PSW.Legendmir.AVG
Norman Virus Control W32/Suspicious_U.gen
Panda Antivirus X
Rising Antivirus X
VirusBuster Packed/Upack
VBA32 Trojan.PWS.Legmir.694


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.





Frequently asked questions - Feedback - Privacy policy



Page generated by JTPL

Copyright © 2004-2007 Jordi Bosveld <jotti@jotti.org>

Yes it is ok to have Norton on during the fix.



You may want to printout the following instructions:

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

• Install AVG Anti-Spyware by double clicking the installer.
• Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
• On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Click on Change state next to Automatic updates. It should now change to inactive.
  • Next to the words Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
  • Click on Scanner on the toolbar at top of this screen.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Close AVG Anti-Spyware without running yet.

Now disable (turn off AVG Anti-Spyware)

• Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
• Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________


Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Note: If AVG Anti-Spyware screen does not fit your monitor screen Hold down the Alt button on keyboard then tap spacebar, menu should pop up then choose maximize. AVG Anti-Spyware screen should now fit to the screen a lot better.

• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished, follow the instructions below.

IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.

• Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
• At the bottom of the window click on the Apply all Actions button.(3)

• When done, click the Save Scan Report button. (4)
  • Click the Save Report as button.
  • Save the report to your Desktop. I will need you to post this in your next reply.
• Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

Could not complete AVG Anti-Spyware run. We were running in safe mode and the machine rebooted while scanning files. Seemed to reboot (again) when it was scanning C:\I386\blip.wav. We tried twice - both failed. We highlighted that wav file in Explorer, double clicked it to see what the sound was and the PC froze hard. Had to power down to reboot.

Looked to see if there was a AVG report and there was none.
What do you suggest?

Thanks - as always.

Bobarb9

This is a shorter scan:



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found:

* If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:


This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.

Tried running drweb-cureit twice. Both times the machine locked up while the program was at the following file: C:\program files\common files\microsoft shared\web components\10\owc10.dll. Had to power off and back on to reboot.