Thread: Analyze This log

  1. #1
    Join Date
    Jan 2007
    Posts
    22

    Analyze This log

    I need help with my HiJackThis/AnalyzeThis log. I have run scan after scan with Spybot, AVG, AdAware, and Norton but nothing can identify what is living in this computer. Windows is updated. I am curious if anyone can tell me what is living in my Internet Explorer and how to get rid of it. The reason I say something is living in IE is because every time the puter boots there is a pop-up window that comes up asking if I want to allow ActiveX Controls in IE, but I have not even launched IE. Thank you.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:03:03 PM, on 10/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\netdde.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Trend Micro\HijackThis\AnalyzeThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ne2.attbb.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188167353968
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA233065-EE7E-4F89-85C0-4B2CF4D0EF5A}: Domain = sympatico.ca
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

    --
    End of file - 5276 bytes

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I really don't see anything in your log. Are you in Canada?
    Did you add this;
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA233065-EE7E-4F89-85C0-4B2CF4D0EF5A}: Domain = sympatico.ca

  3. #3
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    Do you have AOL instant messenger or does Skype open up a "Today" box (basically a little window that gives news/weather/snippets, etc...) on startup?
    "Best to keep your mouth shut and be thought a fool than to open your mouth and remove all doubt."

    "Honesty is the First Chapter in the Book of Wisdom" - Thomas Jefferson

    Desktop:
    AMD Phenom II x6 1100T @ 3.3Ghz
    MSi 890FXA-GD70
    16GB G.Skill DDR3-1600
    Asus HD6950 2GB GDDR5 PCI-Ex16
    4x 1.5TB WD SATA w/64MB cache in RAID10
    2x Asus 22x DVD/CD +/-RW DL SATA
    Rosewill Xtreme Series 950W PSU
    2x 23" 5ms Asus Widescreen LCD
    Laptop:
    15" Aluminum MacBook Pro
    Intel Core 2 Duo 2.53Ghz
    4GB DDR3 @ 1067MHz
    320GB SATA 7200RPM HDD


  4. #4
    Join Date
    Jan 2007
    Posts
    22
    Judy,
    I do not need sympatico anymore because I am here in the states.

    Do you have any idea what is causing the following problem? When I boot up there is a window that opens asking if I want to allow ActiveX controls to run in IE, but I did not launch IE at start up. This window popping up on its own seems suspicious to me. Am I being paranoid? Thanks and sorry for the delay in my reply.

  5. #5
    Join Date
    Jan 2007
    Posts
    22
    Gizmo,
    No Skype starting up or AOL. The only thing that does weather is a toolbar in Firefox. I am stumped about what is popping up when I start up. Perhaps tinkering with my selective start up might help??? Thanks. Oh and yes this puter is from Canada.

  6. #6
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    Hmmm...FF wouldn't cause the ActiveX warning as it doesn't use ActiveX...That's quite interesting...

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You DO show some ActiveX listings in your log;
    *O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    **O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
    **O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188167353968
    **O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab

    The three I have "starred" with 2 blue stars are McAfee and Microsoft...doubt they would bring anything in...and they do require the use of IE, as an O16 entry does.
    The one with the red star is one I don't know; it may be legitimate, as it is MeadCo's ScriptX software.
    Here is what it says;
    Installation of the ScriptX software is automatic. The first-ever time a user visits a ScriptX-enabled document, smsx.cab is downloaded and the user is prompted to accept the ScriptX and Security Manager controls by Internet Explorer's standard Authenticode security mechanism.
    For those network environments where client workstations are 'locked down', MeadCo will supply system administrators with an installation executable with which they can 'push' out and pre-install the licensed binaries on their client machines.

    I may be barking up the wrong tree but it appears this computer may be part of at least a home network, with the Pure Networks Network Magic running on it.
    Don't know that this would cause this pop-up but you might try removing this *O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    and see if it makes a difference.

    The other question which Gizmokid2005 asked about skype...and you said
    No Skype starting up
    there IS an O18 referencing this;
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    This IS a legitimate item, BUT...
    The O18 entries are.....
    This section corresponds to extra protocols and protocol hijackers.
    This method is used by changing the standard protocol drivers that your computer uses to ones that the Hijacker provides.
    Skype4COM is an interface which represents the Skype API as objects, with properties, commands, and events and notifications. Use Skype4COM in any ActiveX environment,
    Now Skype is out of my realm of knowledge so I cannot advise, possibly Gizmo will be able to do so. Do you know what this is fishingaddictsinc?
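    The entry classes discussed in this post (O16 ActiveX downloads, O18 protocol handlers, and entries whose target file is gone) are exactly the ones worth pulling out of a HijackThis log first. The script below is an added example, not part of this thread or of the HijackThis tool, that parses lines in the HJT v2 format and flags those classes for review. The sample lines are copied from the log above except for one constructed update.microsoft.com entry (the real URL is truncated in the post, so a dummy GUID and path are used), and the allowlist of trusted download hosts is an assumption the analyst would maintain.

```python
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis v2 line format. The stonyfield,
# skype4com, LexBce, toolbar, button and proxy lines are copied from the log
# posted in this thread; the update.microsoft.com line is a constructed
# stand-in with a dummy GUID and path.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ne2.attbb.net:8000
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Control) - http://www.update.microsoft.com/constructed/example.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# Assumption: the analyst keeps an allowlist of hosts from which O16
# (Download Program Files / ActiveX) entries are expected on a patched XP box.
TRUSTED_DPF_HOSTS = {"www.update.microsoft.com", "update.microsoft.com", "bin.mcafee.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O16"
    severity: str  # "info" or "review"
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, line) for each HJT entry line; other lines are ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(text):
    """Classify the entry types discussed in the thread and return a list of Findings."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O16":
            # ActiveX control installed from a URL: trust depends on the host it came from
            m = URL_HOST_RE.search(body)
            host = m.group(1).lower() if m else ""
            if host in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, "info", f"ActiveX control from allowlisted host {host}", line))
            else:
                findings.append(Finding(section, "review",
                                        f"ActiveX control fetched from {host or 'unknown host'}; "
                                        "check the publisher and whether it is still needed", line))
        elif section == "O18":
            # Extra protocol handler: legitimate for installed software, a hijack vector otherwise
            findings.append(Finding(section, "review",
                                    "custom protocol handler; confirm its owning application is still installed", line))
        elif section in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append(Finding(section, "review", "registry entry points at a file that no longer exists", line))
        elif section == "O23" and "(file missing)" in body:
            findings.append(Finding(section, "review", "service registered but its binary is missing", line))
        elif section == "R1" and "ProxyServer" in body:
            findings.append(Finding(section, "review", "IE proxy configured; confirm it belongs to the ISP or network", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'info': 1, 'review': 6}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

    On the sample above it reports seven findings, six marked for review and one informational; the vsmon service line produces nothing because its binary is present and the vendor is known. The point of the allowlist is that an O16 entry is only as trustworthy as the site that served the .cab, which is why the stonyfield coupon control is the one to look at first.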

  8. #8
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    That skype4com entry is part of a skype installation. In some way/shape/form skype was/is installed on this particular computer, and that dll may be part of the issue that you are seeing, but I can't say for sure without knowing how that DLL got there.

  9. #9
    Join Date
    Jan 2007
    Posts
    22
    I need to apologize about the previous information I gave you about Skype. I was not very clear in my last post about Skype. Skype was on this computer but I have erased it since the HJT log was posted. I meant that neither Skype nor AOL launch when I start up. Yes, Skype was a valid program but should not be running.

    I'll try removing the stonyfield coupons. I'll bet that is the culprit.

    Gizmo what can I show you to help with analyzing the Skype issue? Thank you both.

  10. #10
    Join Date
    Jan 2007
    Posts
    22
    Okay, I tried removing the stony coupons entry and the pop-up still comes up when the puter boots up. Could the issue of the pop-up be related to a previous virus that was removed? It was called the Colorado Sheep. Not sure if this helps, but I figure if we are going fishing why not use all of our lures. Thank you.
