LoPhatPhuud
MVM
join:2002-01-06
Albuquerque, NM

LoPhatPhuud to jaceg

Re: Help Please-Trouble With Vundo

With Ewido off that is puzzling.

Is there something in Norton that is providing registry protection?

Go ahead and re-install Ewido if you want to continue using it. If you paid for it, by all means install it.

I will do some checking and review autoruns again to see if I can see what is causing them to come back.

One other thing we can do is to check for a Rootkit...

Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

jaceg
Keep'In An Eye Out For Ya
Premium Member
join:2000-08-12
Revere, MA

RootKitRevealer:

HKLM\S-1-5-21-3228436165-432603799-3767474241-1007\RemoteAccess\InternetProfile 10/31/2005 6:25 PM 15 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 3/12/2006 6:58 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

jaceg to LoPhatPhuud

Lo: Would we be able to use either KillBox or The Avenger to remove these entries?

LoPhatPhuud
MVM
join:2002-01-06
Albuquerque, NM

This is an older version of Vundo that VundoFix will not remove. Not difficult, but time consuming. I contacted the author of VundoFix and have the fix for this one.

Print these instructions and read over them before you begin. If you have any questions, ask before you start.

Ok, here we go....

Close all open windows and exit any open programs.

Open a new, blank, Notepad document. Copy the following file list to it, and then save it to your Desktop for easy location. The choice of file name is up to you.

C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\varba.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\siicca.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\spitna.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gepjpa.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cpkab.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cvssab.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tuntac.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\codrc.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gmibd.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gmicod.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nurcod.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\padvd.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nibalue.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pctalue.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\sapxe.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nibpxe.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tenixaf.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\systnof.dat
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\nutnof.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\smwptf.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\agvsii.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\xafgmi.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\golgmi.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vaavaj.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\kabniam.da
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gercm.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vrs3pm.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tensm.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\syssm.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gerten.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\dmctun.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bewcbdo.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\codnur.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cvsmnur.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pxes.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\avajvrs.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gerrvs.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ksatrvs.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bkipat.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\smwksat.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pipct.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cfmpct.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\yeknu.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ksidlru.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\dvdlru.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pctlru.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cmlitu.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\sassv.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tenevaw.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tacw.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\drahniw.dat
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\avajlmx.dat

Once you have that done, then download the following beta version of KillBox to your Desktop:

http://www.killbox.net/downloads/beta/KillBox_b862.exe

Double Click on KillBox to start the program.

Select 'Run as System Task' from the file menu
Wait for the program to re-open

Open the list of files you created earlier.

Click 'Processes' Killbox menu item
A window to the right will slide open
Put a check mark beside the following processes, if present:
smss.exe
winlogon.exe
rundll32.exe
explorer.exe
iexplore.exe

Click the 'End Task' button

Next copy each filename from the file list, one at a time. Paste it into Killbox and click the 'Delete' button (red circle with white x).

Once you have all the files entered, select 'Options', 'Shutdown', 'Forced Reboot' from Killbox.

This will reboot the system and delete the files.

Once you have restarted, do the following...

Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"abrav"=-
"abrav"=-
"acciis"=-
"antips"=-
"apjpeg"=-
"bakpc"=-
"bassvc"=-
"catnut"=-
"crdoc"=-
"dbimg"=-
"docimg"=-
"docrun"=-
"dvdap"=-
"eulabin"=-
"eulatcp"=-
"expas"=-
"expbin"=-
"faxinet"=-
"fontsys"=-
"fontun"=-
"ftpwms"=-
"iisvga"=-
"imgfax"=-
"imglog"=-
"javaav"=-
"mainbak"=-
"mcreg"=-
"mp3srv"=-
"msnet"=-
"mssys"=-
"netreg"=-
"nutcmd"=-
"odbcweb"=-
"rundoc"=-
"runmsvc"=-
"sexp"=-
"srvjava"=-
"svrreg"=-
"svrtask"=-
"tapikb"=-
"taskwms"=-
"tcpip"=-
"tcpmfc"=-
"unkey"=-
"urldisk"=-
"urldvd"=-
"urltcp"=-
"utilmc"=-
"vssas"=-
"wavenet"=-
"wcat"=-
"winhard"=-
"xmljava"=-


Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Finally, run HiJackThis again and post a new log in this thread.

jaceg
Keep'In An Eye Out For Ya
Premium Member
join:2000-08-12
Revere, MA

Logfile of HijackThis v1.99.1
Scan saved at 10:48:16 PM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: abrav - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\varba.dat (file missing)
O20 - Winlogon Notify: acciis - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\siicca.dat (file missing)
O20 - Winlogon Notify: antips - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\spitna.dat (file missing)
O20 - Winlogon Notify: apjpeg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gepjpa.dat (file missing)
O20 - Winlogon Notify: bakpc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cpkab.dat (file missing)
O20 - Winlogon Notify: bassvc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cvssab.dat (file missing)
O20 - Winlogon Notify: catnut - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tuntac.dat (file missing)
O20 - Winlogon Notify: crdoc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\codrc.dat (file missing)
O20 - Winlogon Notify: dbimg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gmibd.dat (file missing)
O20 - Winlogon Notify: docimg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gmicod.dat (file missing)
O20 - Winlogon Notify: docrun - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nurcod.dat (file missing)
O20 - Winlogon Notify: dvdap - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\padvd.dat (file missing)
O20 - Winlogon Notify: eulabin - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nibalue.dat (file missing)
O20 - Winlogon Notify: eulatcp - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pctalue.dat (file missing)
O20 - Winlogon Notify: expas - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\sapxe.dat (file missing)
O20 - Winlogon Notify: expbin - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\nibpxe.dat (file missing)
O20 - Winlogon Notify: faxinet - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tenixaf.dat (file missing)
O20 - Winlogon Notify: fontsys - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\systnof.dat (file missing)
O20 - Winlogon Notify: fontun - C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\nutnof.dat (file missing)
O20 - Winlogon Notify: ftpwms - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\smwptf.dat (file missing)
O20 - Winlogon Notify: iisvga - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\agvsii.dat (file missing)
O20 - Winlogon Notify: imgfax - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\xafgmi.dat (file missing)
O20 - Winlogon Notify: imglog - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\golgmi.dat (file missing)
O20 - Winlogon Notify: javaav - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vaavaj.dat (file missing)
O20 - Winlogon Notify: mcreg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gercm.dat (file missing)
O20 - Winlogon Notify: mp3srv - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\vrs3pm.dat (file missing)
O20 - Winlogon Notify: msnet - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tensm.dat (file missing)
O20 - Winlogon Notify: mssys - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\syssm.dat (file missing)
O20 - Winlogon Notify: netreg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gerten.dat (file missing)
O20 - Winlogon Notify: nutcmd - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\dmctun.dat (file missing)
O20 - Winlogon Notify: odbcweb - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bewcbdo.dat (file missing)
O20 - Winlogon Notify: rundoc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\codnur.dat (file missing)
O20 - Winlogon Notify: runmsvc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cvsmnur.dat (file missing)
O20 - Winlogon Notify: sexp - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pxes.dat (file missing)
O20 - Winlogon Notify: srvjava - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\avajvrs.dat (file missing)
O20 - Winlogon Notify: svrreg - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\gerrvs.dat (file missing)
O20 - Winlogon Notify: svrtask - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ksatrvs.dat (file missing)
O20 - Winlogon Notify: tapikb - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\bkipat.dat (file missing)
O20 - Winlogon Notify: taskwms - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\smwksat.dat (file missing)
O20 - Winlogon Notify: tcpip - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pipct.dat (file missing)
O20 - Winlogon Notify: tcpmfc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cfmpct.dat (file missing)
O20 - Winlogon Notify: unkey - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\yeknu.dat (file missing)
O20 - Winlogon Notify: urldisk - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\ksidlru.dat (file missing)
O20 - Winlogon Notify: urldvd - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\dvdlru.dat (file missing)
O20 - Winlogon Notify: urltcp - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\pctlru.dat (file missing)
O20 - Winlogon Notify: utilmc - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\cmlitu.dat (file missing)
O20 - Winlogon Notify: vssas - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\sassv.dat (file missing)
O20 - Winlogon Notify: wavenet - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tenevaw.dat (file missing)
O20 - Winlogon Notify: wcat - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\tacw.dat (file missing)
O20 - Winlogon Notify: winhard - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\drahniw.dat (file missing)
O20 - Winlogon Notify: xmljava - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\avajlmx.dat (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

LoPhatPhuud
MVM
join:2002-01-06
Albuquerque, NM

Well, we know all the files were successfully deleted. Now to find out what format is needed to delete the registry entries.

Try booting into Safe Mode and do the manual registry key deletion you did before...

Here it is to be safe...

Open regedit (Start -> Run -> regedit)

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Once there, under the Notify key should be all the entries we want to remove. Find the first three (listed below). Right Click on each one in turn, then select 'Delete'. If there are no errors and the keys delete, run HiJackThis again and post a new log in this thread. If there is an error, please post it.

abrav
acciis
antips

If they successfully delete, do the same for all the others in the list above, then post a new HiJackThis log.
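
Added example, not part of the original posts: in .reg syntax a line such as "name"=- removes a value, while a header of the form [-Key\Path] removes a key, and each HijackThis O20 entry is a subkey of Winlogon\Notify. This Python sketch parses O20 lines, writes the key-deletion form, and checks a later log for leftovers; the sample logs are constructed (two entries from this thread plus a hypothetical legitimate entry, examplenotify) and the Temp/.dat filter is an assumption.

```python
import re

# Parent key named in the thread; each O20 entry is a subkey beneath it.
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# HijackThis format: "O20 - Winlogon Notify: <subkey> - <DLL path> [(file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)"
    r"(?P<missing> \(file missing\))?\s*$")

# Constructed sample logs: two entries copied from the thread, plus one
# hypothetical legitimate entry ("examplenotify") that must be left alone.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: abrav - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\varba.dat (file missing)
O20 - Winlogon Notify: acciis - C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\siicca.dat (file missing)
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\example.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\example.dll
"""


def parse_o20(log_text):
    """Return {subkey name: (dll path, file_missing)} for every O20 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries[m["name"]] = (m["dll"], m["missing"] is not None)
    return entries


def is_suspect(dll_path):
    """Assumed heuristic: a Notify 'DLL' that is a .dat file in a Temp folder."""
    p = dll_path.lower()
    return "\\temp\\" in p and p.endswith(".dat")


def build_key_delete_reg(entries):
    """Build .reg text that deletes each suspect Notify subkey.

    "[-Key\\Sub]" deletes the key Sub; a '"Sub"=-' line under [Key] would only
    delete a value named Sub and leave the subkey in place.
    """
    lines = ["REGEDIT4", ""]
    for name in sorted(entries):
        if is_suspect(entries[name][0]):
            lines.append("[-%s\\%s]" % (NOTIFY_KEY, name))
    return "\r\n".join(lines) + "\r\n"


def still_present(before, after):
    """Suspect subkeys from the earlier log that a later log still lists."""
    return sorted(n for n in before if n in after and is_suspect(before[n][0]))


if __name__ == "__main__":
    before, after = parse_o20(LOG_BEFORE), parse_o20(LOG_AFTER)
    print(build_key_delete_reg(before))
    print("still present after cleanup:", still_present(before, after))
```

Export the Notify key from regedit before merging any generated file so the change can be reverted.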

jaceg
Keep'In An Eye Out For Ya
Premium Member
join:2000-08-12
Revere, MA

Logfile of HijackThis v1.99.1
Scan saved at 11:28:12 PM, on 3/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe