WiredWX Christian Hobby Weather Tools
Spyware Protect 2009

3 posters

Re: Spyware Protect 2009
Then asked to allow changes or not

Re: Spyware Protect 2009
Disallow it; that could be what was causing the problem in the first place and why this happened.

Run a new DDS scan for me so we can see why Spybot wants to change something.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Spyware Protect 2009
There have been a lot of them now. Some just browser pages but this latest is:
Session manager
Value deleted
BootExecute
autocheck autochk *\lsdelete

Deny that too?

Re: Spyware Protect 2009
Yes, deny everything, and run the DDS scan again. 😉


Re: Spyware Protect 2009
Back on my own machine again!!


DDS (Ver_09-01-18.01) - NTFSx86
Run by Ann at 19:47:35.50 on 21/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1895 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Ann\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Wanadoo
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\progra~1\wanadoo\SEARCH~1.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SkypeClient] "c:\program files\pdt\voipvoiceintegration\VoIPVoice Integration.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\ann\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [EPSON Stylus C82 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [WooCnxMon] c:\progra~1\wanadoo\CnxMon.exe
mRun: [WOOWATCH] c:\progra~1\wanadoo\Watch.exe
mRun: [WOOTASKBARICON] c:\progra~1\wanadoo\TaskbarIcon.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRunOnce: [SpybotDeletingA2274] command /c del "c:\windows\system32\twain32\local.ds"
mRunOnce: [SpybotDeletingC8732] cmd /c del "c:\windows\system32\twain32\local.ds"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: { - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bookcrossing.com\www
Trusted Zone: dyndns.org\yinionlinereg
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ann\applic~1\mozilla\firefox\profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
FF - plugin: c:\documents and settings\ann\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2006-9-28 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-11 3968]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-1-14 14336]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-1-14 8832]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-10 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-9-10 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-9-10 168776]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2006-9-28 312880]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-5-17 104000]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2006-9-18 15232]

=============== Created Last 30 ================

2009-01-21 18:52 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-01-21 18:51 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-01-21 18:50 19,456 ac------ c:\windows\system32\dllcache\agt040d.dll
2009-01-21 18:48 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-21 18:48 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-21 18:48 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-01-21 18:46 --d----- c:\windows\dell
2009-01-20 21:53 --d----- c:\program files\Lavasoft
2009-01-20 21:53 --d----- c:\program files\common files\Wise Installation Wizard
2009-01-20 21:50 23,804,784 a------- c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 17:40 9,216 a------- c:\windows\system32\iehelper.dll
2009-01-20 14:12 788 a------- c:\temp\fix.reg
2009-01-20 09:50 401,720 a------- c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 12,273 a------- c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 14,336 a------- c:\windows\system32\drivers\nnrnstdi.sys
2009-01-14 12:20 8,832 a------- c:\windows\system32\drivers\km_filter.sys
2009-01-14 12:17 53,248 a------- c:\windows\nswatchdog.exe
2009-01-14 12:17 --d----- c:\program files\NetRatingsNetSight
2009-01-14 12:16 501,912 a------- c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-05 23:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-01-21 19:23 77,915 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-21 18:47 23,444 a------- c:\windows\system32\emptyregdb.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 12:04 104,659 a------- c:\windows\hpoins04.dat
2008-12-20 14:37 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 19:48:38.04 ===============
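The DDS output above is what the helper reads to decide what to do next. As an added example (not part of the thread, of DDS, or of any tool named here), the Python script below parses the SERVICES / DRIVERS and Created Last 30 sections in the format DDS prints and lists every loaded driver whose file appears in the recently created list. The sample input is a shortened copy of the log above, so the section names and line layouts are the real ones. On that sample it flags nnrnstdi.sys and km_filter.sys, both written on 2009-01-14 a few minutes after the NetRatingsNetSight folder appeared, which is a correlation worth checking, not a verdict.

```python
"""Cross-reference a DDS log's loaded drivers against its 'Created Last 30' list.

Added example, not code from the forum post or from DDS. A driver that is
both running and only days old is the first thing to look at when a user
reports new Spybot/TeaTimer prompts; DDS prints both facts but in two
different sections, so this script joins them.
"""
import re
from collections import defaultdict

# "============= SERVICES / DRIVERS ===============" -> "SERVICES / DRIVERS"
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R1 name;description;path [yyyy-m-d size]"
DRIVER_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)
# "yyyy-mm-dd hh:mm [size] attrs path"; directories carry no size field
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)

# Constructed sample: a shortened copy of the two sections from the DDS log
# posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-1-11 3968]
R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-1-14 14336]
R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-1-14 8832]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-9-10 72264]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\system32\drivers\uac4pdt.sys [2006-9-18 15232]

=============== Created Last 30 ================

2009-01-21 18:46 --d----- c:\windows\dell
2009-01-20 17:40 9,216 a------- c:\windows\system32\iehelper.dll
2009-01-14 12:20 14,336 a------- c:\windows\system32\drivers\nnrnstdi.sys
2009-01-14 12:20 8,832 a------- c:\windows\system32\drivers\km_filter.sys
2009-01-14 12:17 53,248 a------- c:\windows\nswatchdog.exe

==================== Find3M ====================
"""


def split_sections(text):
    """Group non-blank lines under the DDS section header they follow."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_drivers(lines):
    """Return one dict per R*/S* service or driver line."""
    return [m.groupdict() for m in map(DRIVER_RE.match, lines) if m]


def parse_created(lines):
    """Map each recently created path (case-folded) to its creation date."""
    created = {}
    for m in map(CREATED_RE.match, lines):
        if m:
            created[m.group("path").casefold()] = m.group("date")
    return created


def flag_recent_drivers(text):
    """Drivers whose file is in the Created Last 30 list, with the reasons."""
    sections = split_sections(text)
    created = parse_created(sections.get("Created Last 30", []))
    flagged = []
    for drv in parse_drivers(sections.get("SERVICES / DRIVERS", [])):
        when = created.get(drv["path"].casefold())
        if when is None:
            continue
        reasons = [f"driver file created {when}"]
        # Weak signal: vendor drivers normally carry a descriptive name.
        if drv["desc"].strip() == drv["name"].strip():
            reasons.append("description is just the service name")
        flagged.append({"state": drv["state"], "name": drv["name"],
                        "path": drv["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_recent_drivers(SAMPLE_LOG):
        print(f"{hit['state']} {hit['name']}: {hit['path']} ({'; '.join(hit['reasons'])})")
```

A hit only says the driver is new and poorly described; identifying it still needs the file's signer or a hash lookup, which DDS alone does not provide.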

Re: Spyware Protect 2009

  • Download ComboFix from here, use the top links - combofix.exe
  • Please disable your local AV (anti-virus) by right-clicking its icon in the tray, and exit it.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: Spyware Protect 2009
Finished.

ComboFix 09-01-21.01 - Ann 2009-01-21 20:24:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.1909 [GMT 1:00]
Running from: c:\temp\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iehelper.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 20:17 . 2009-01-21 20:17 3,048,283 -ra------ c:\temp\ComboFix.exe
2009-01-21 18:52 . 2004-08-12 14:58 482,304 --a--c--- c:\windows\SYSTEM32\DLLCACHE\pintlgnt.ime
2009-01-21 18:51 . 2004-08-12 14:58 10,096,640 --a--c--- c:\windows\SYSTEM32\DLLCACHE\hwxcht.dll
2009-01-21 18:50 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\SYSTEM32\DLLCACHE\fp4awel.dll
2009-01-21 18:48 . 2004-08-12 14:58 16,384 --a--c--- c:\windows\SYSTEM32\DLLCACHE\isignup.exe
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\wuaucpl.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\sapi.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\ncpa.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 488 -rah----- c:\windows\SYSTEM32\logonui.exe.manifest
2009-01-21 18:46 . 2009-01-21 18:46 d-------- c:\windows\dell
2009-01-21 08:26 . 2004-12-21 10:20 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-21 08:26 . 2004-12-21 10:23 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-21 08:26 . 2004-12-21 10:18 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-21 08:25 . 2009-01-21 08:26 d-------- c:\documents and settings\Administrator
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Lavasoft
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-20 21:53 . 2009-01-20 21:55 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:50 . 2009-01-20 21:52 23,804,784 --a------ c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 14:12 . 2009-01-20 14:12 788 --a------ c:\temp\fix.reg
2009-01-20 09:50 . 2009-01-20 09:51 401,720 --a------ c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 . 2009-01-14 14:34 12,273 --a------ c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 . 2008-06-27 14:58 14,336 --a------ c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys
2009-01-14 12:20 . 2008-06-27 14:59 8,832 --a------ c:\windows\SYSTEM32\DRIVERS\km_filter.sys
2009-01-14 12:17 . 2009-01-14 12:17 d-------- c:\program files\NetRatingsNetSight
2009-01-14 12:17 . 2008-10-10 13:32 53,248 --a------ c:\windows\nswatchdog.exe
2009-01-14 12:16 . 2009-01-14 12:17 501,912 --a------ c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-10 14:57 . 2009-01-10 14:58 d-------- c:\documents and settings\Ann\Application Data\CyberLink
2009-01-05 23:33 . 2009-01-05 23:33 3,751,995 --a------ c:\windows\SYSTEM32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:03 --------- d-----w c:\documents and settings\Ann\Application Data\Skype
2009-01-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 15:04 --------- d-----w c:\program files\ZipCentral
2009-01-20 13:24 --------- d-----w c:\program files\Google
2009-01-20 12:47 --------- d-----w c:\documents and settings\Ann\Application Data\skypePM
2009-01-20 12:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-12 18:41 --------- d-----w c:\program files\Skype
2008-12-28 07:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 22:55 --------- d-----w c:\program files\iTunes
2008-12-20 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-20 22:54 --------- d-----w c:\program files\iPod
2008-12-20 22:54 --------- d-----w c:\program files\Common Files\Apple
2008-12-20 22:52 --------- d-----w c:\program files\QuickTime
2008-12-20 13:37 --------- d-----w c:\program files\Java
2008-06-27 13:59 163,840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SkypeClient"="c:\program files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe" [2005-05-06 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EPSON Stylus C82 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 99840]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WooCnxMon"="c:\progra~1\Wanadoo\CnxMon.exe" [2004-10-13 24576]
"WOOWATCH"="c:\progra~1\Wanadoo\Watch.exe" [2004-10-13 24576]
"WOOTASKBARICON"="c:\progra~1\Wanadoo\TaskbarIcon.exe" [2004-10-13 49152]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-03 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-10 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2599:TCP"= 2599:TCP:Labyrinth

R1 nnrnstdi;nnrnstdi;c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys [2009-01-14 14336]
R3 km_filter;km_filter;c:\windows\SYSTEM32\DRIVERS\km_filter.sys [2009-01-14 8832]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\SYSTEM32\DRIVERS\uac4pdt.sys [2006-09-18 15232]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3853566490-61804741-1186382756-1006.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 14:49]

2009-01-21 c:\windows\Tasks\User_Feed_Synchronization-{D877F16F-C7CB-4182-839C-34F334AD37DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: { - c:\program files\Messenger\msmsgs.exe
Trusted Zone: bookcrossing.com\www
Trusted Zone: dyndns.org\yinionlinereg
DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} - hxxp://www.opinionbar.com/download/resources/OBInstallCabinet.CAB
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter1.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 20:32:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Re: Spyware Protect 2009
Last part:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-21 20:39:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 19:39:11

Pre-Run: 87,808,077,824 bytes free
Post-Run: 88,158,326,784 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
232 --- E O F --- 2009-01-14 23:11:47


Spybot has popped up again with the Spybot Deleting A2274 message.

Re: Spyware Protect 2009

Hello. We need to remove a Firefox Hijack.
Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Wanadoo


Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js

Folder::
c:\program files\Wanadoo

Domains::

Firefox::
FF - user.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WooCnxMon"=-
"WOOWATCH"=-
"WOOTASKBARICON"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
(screenshot: CFScript.txt being dragged onto ComboFix.exe)

This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

ComboFix 09-01-21.01 - Ann 2009-01-21 21:09:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2558.2037 [GMT 1:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\CFscript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\user.js
c:\program files\Wanadoo
c:\program files\Wanadoo\alan.milne.pc
c:\program files\Wanadoo\SafeInstall\KitWanadoo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 20:17 . 2009-01-21 20:17 3,048,283 -ra------ c:\temp\ComboFix.exe
2009-01-21 18:52 . 2004-08-12 14:58 482,304 --a--c--- c:\windows\SYSTEM32\DLLCACHE\pintlgnt.ime
2009-01-21 18:51 . 2004-08-12 14:58 10,096,640 --a--c--- c:\windows\SYSTEM32\DLLCACHE\hwxcht.dll
2009-01-21 18:50 . 2004-05-13 00:39 876,653 --a--c--- c:\windows\SYSTEM32\DLLCACHE\fp4awel.dll
2009-01-21 18:48 . 2004-08-12 14:58 16,384 --a--c--- c:\windows\SYSTEM32\DLLCACHE\isignup.exe
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\wuaucpl.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\sapi.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 749 -rah----- c:\windows\SYSTEM32\ncpa.cpl.manifest
2009-01-21 18:48 . 2009-01-21 18:48 488 -rah----- c:\windows\SYSTEM32\logonui.exe.manifest
2009-01-21 18:46 . 2009-01-21 18:46 d-------- c:\windows\dell
2009-01-21 08:26 . 2004-12-21 10:20 d-------- c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-01-21 08:26 . 2004-12-21 10:23 d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-21 08:26 . 2004-12-21 10:18 d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-01-21 08:25 . 2009-01-21 08:26 d-------- c:\documents and settings\Administrator
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Lavasoft
2009-01-20 21:53 . 2009-01-20 21:53 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-20 21:53 . 2009-01-20 21:55 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-20 21:50 . 2009-01-20 21:52 23,804,784 --a------ c:\temp\aaw2008-7.1.0.7.exe
2009-01-20 14:12 . 2009-01-20 14:12 788 --a------ c:\temp\fix.reg
2009-01-20 09:50 . 2009-01-20 09:51 401,720 --a------ c:\temp\Hijack(GP)This.exe
2009-01-14 14:34 . 2009-01-14 14:34 12,273 --a------ c:\temp\Ser-PhotoBlogger-SerTurista-com.zip
2009-01-14 12:20 . 2008-06-27 14:58 14,336 --a------ c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys
2009-01-14 12:20 . 2008-06-27 14:59 8,832 --a------ c:\windows\SYSTEM32\DRIVERS\km_filter.sys
2009-01-14 12:17 . 2009-01-14 12:17 d-------- c:\program files\NetRatingsNetSight
2009-01-14 12:17 . 2008-10-10 13:32 53,248 --a------ c:\windows\nswatchdog.exe
2009-01-14 12:16 . 2009-01-14 12:17 501,912 --a------ c:\temp\netsight_setup_5.1.3.20_MP_Production_New_Recruitment_UK_mid53015730615_p.exe
2009-01-10 14:57 . 2009-01-10 14:58 d-------- c:\documents and settings\Ann\Application Data\CyberLink
2009-01-05 23:33 . 2009-01-05 23:33 3,751,995 --a------ c:\windows\SYSTEM32\GPhotos.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-21 19:03 --------- d-----w c:\documents and settings\Ann\Application Data\Skype
2009-01-21 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-20 15:04 --------- d-----w c:\program files\ZipCentral
2009-01-20 13:24 --------- d-----w c:\program files\Google
2009-01-20 12:47 --------- d-----w c:\documents and settings\Ann\Application Data\skypePM
2009-01-20 12:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-14 15:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 15:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-12 18:41 --------- d-----w c:\program files\Skype
2008-12-28 07:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 22:55 --------- d-----w c:\program files\iTunes
2008-12-20 22:55 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-20 22:54 --------- d-----w c:\program files\iPod
2008-12-20 22:54 --------- d-----w c:\program files\Common Files\Apple
2008-12-20 22:52 --------- d-----w c:\program files\QuickTime
2008-12-20 13:37 --------- d-----w c:\program files\Java
2008-06-27 13:59 163,840 ----a-w c:\program files\mozilla firefox\components\nsgkff30_meter1.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-21_20.37.34.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-21 20:13:24 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"SkypeClient"="c:\program files\PDT\VoIPVoiceIntegration\VoIPVoice Integration.exe" [2005-05-06 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"EPSON Stylus C82 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE" [2003-10-15 99840]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-03 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-10-10 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-12 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 11:51 24638 c:\windows\SYSTEM32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"c:\\Program Files\\Dell Computer\\Dell Picture Studio v2.0\\launch.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"2599:TCP"= 2599:TCP:Labyrinth

R1 nnrnstdi;nnrnstdi;c:\windows\SYSTEM32\DRIVERS\nnrnstdi.sys [2009-01-14 14336]
R3 km_filter;km_filter;c:\windows\SYSTEM32\DRIVERS\km_filter.sys [2009-01-14 8832]
S3 uac4pdt;PDT USB Composite Class Filter Driver;c:\windows\SYSTEM32\DRIVERS\uac4pdt.sys [2006-09-18 15232]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3853566490-61804741-1186382756-1006.job
- c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-28 14:49]

2009-01-21 c:\windows\Tasks\User_Feed_Synchronization-{D877F16F-C7CB-4182-839C-34F334AD37DD}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} - hxxp://www.opinionbar.com/download/resources/OBInstallCabinet.CAB
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\ytw812uo.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\components\nsgkff30_meter1.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 21:15:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Re: Spyware Protect 2009

Part 2

.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\SkypeIntegration\SkypeIntegration\SkypeClient.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-01-21 21:21:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-21 20:21:10
ComboFix2.txt 2009-01-21 19:39:35

Pre-Run: 88,215,420,928 bytes free
Post-Run: 88,140,382,208 bytes free

Current=2 Default=2 Failed=0 LastKnownGood=4 Sets=1,2,3,4
222 --- E O F --- 2009-01-14 23:11:47

Re: Spyware Protect 2009

Spybot is yet again sitting there asking if it should allow a change to userinit.exe

Re: Spyware Protect 2009

Keep denying it, we left something behind.

Open Firefox.
In the URL bar, type about:config
Press the "I'll be careful" button
Locate this: keyword.URL

Change it from wcsearch to www.google.com
Close Firefox.

Does TeaTimer give you an exact value it wants to change it to? Does it want to add something like twex.exe to the value?

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

I've changed keyword.url.

TeaTimer didn't react to that particular change. The earlier ones were mostly saying they were going to be deleted and the previous entry ran beyond the edge of the box so I didn't see.

Re: Spyware Protect 2009

Windows is wanting me to download updates. Is it all right to do that, or should I wait a bit?

Re: Spyware Protect 2009

Do them now, we need to keep the infection out.

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

They are in progress, but they were entirely up to date before this happened. It's one thing I'm OK on at least.

Re: Spyware Protect 2009

We're gonna reset TeaTimer once Windows Updates is done, it may help and it might stop bothering you about deleting a registry value.

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

OK, I installed Service Pack 3 and 26 updates. There were one or two reboots along the way. I denied all TeaTimer's prompts. No problem until I got to the very end of the 26 updates, rebooted - and I was back where I started. Logging off as soon as I logged in.

It's now midnight here and I need to go. Any thoughts of what I should do next, tomorrow for me? Do you sleep?

Re: Spyware Protect 2009

Darn it.

Okay, next step, to rule out whether it is Spybot causing this.
Tomorrow, do a repair install again, and as soon as you get back on, uninstall Spybot.
Then do updates again, and see if it happens again.

And no, I don't sleep, I'm a robot. LOL

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

Repaired, uninstalled Spybot (though it seems to have left the teatimer running and I have to cancel that each time). All updates now done, and all seems well. I have re-booted several times now.

Will it be all right to re-install Spybot? Anything else I should do?

Re: Spyware Protect 2009

No, don't install Spybot. We might have found the reason for the damage, but I don't want to replace the problem; keep it uninstalled for now.

As long as you read this and install one or two security programs, you should be fine.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

............................................................................................

Site Admin / Security Administrator

Re: Spyware Protect 2009

OK the new restore point has been set. I have most of those security programs already, and always do keep updates on automatic, which is why it has been so irritating that this happened.

Never mind, all is OK now. Many thanks for your help.

Re: Spyware Protect 2009

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
