PDA

View Full Version : Fraud XP Antivirus..HJT log included...


hottiechevelleman
2008-09-07, 23:10
I was on the MSN games site playing mah jong when I started getting pop-ups. I did my daily SpyBot Scan and discovered that I now have Fraud XPAntivirus. I attempted to get rid of it utilizing SpyBot, but it wouldn't go away.
I logged on to the forums and found someone getting advise about using Malwarebytes' Anti-Malware. I downloaded it and just got done with a 2 hour scan, which did not make it go away. I saved the log from it in case you need it.
The SpyBot scan told me that to remove it I need to "purchase a license". Can this be the only way?????
Please Help!!!!!!!:sad::sad::sick:
I'll provide any info that you require if you can walk me through it. I'm no IT type, but am fairly computer literate.
Thank you for your time!!!!

I posted yesterday, but forgot to include this log....I'm having problems trying to paste the HJT log here too so I'll put it in another thread..Thank you for your assistance...


Malwarebytes' Anti-Malware 1.26
Database version: 1125
Windows 5.1.2600 Service Pack 3

9/7/2008 3:49:26 PM
mbam-log-2008-09-07 (15-49-26).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 207520
Time elapsed: 1 hour(s), 33 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 19
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bndveano4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{51c58711-1b4b-41c0-a08b-d4c659e0c94d} (Adware.ISM) -> Quarantined and deleted
successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) ->
Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndVeano4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1f.exe (Trojan.Agent) -> Quarantined and
deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1f.exe (Trojan.Agent) -> Quarantined and
deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data:
c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data:
system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine (Rogue.Multiple) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted
successfully.

Files Infected:
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined
and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ldinfo.ldr (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\INSTALL.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.

I posted yesterday, but forgot to include this log....Thank you for your assistance...






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:11 PM, on 9/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\rqpkpqpi\riduhudm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\tojqbidu.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\tojqbidu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\ManagerApp\Onetouch.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [\VIE1F.exe] C:\Windows\System32\VIE1F.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [syscmdact] C:\WINDOWS\system32\tojqbidu.exe
O4 - HKCU\..\Run: [msgapidsc] C:\WINDOWS\system32\mpmxobar.exe
O4 - HKLM\..\Policies\Explorer\Run: [4OT21jP8PB] C:\Documents and Settings\All Users\Application Data\rqpkpqpi\riduhudm.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\dave\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\dave\locals~1\temp\ntdll64.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175981734625
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D5EC5989-671B-476D-AC86-090793776FB1} (AuctionBlast Templates) - http://download.ispeedway.com/AuctionBlast/XAuctionBlast.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: admui - {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.romancestuck.com/images/rsclipart/tn_cake.gif

--
End of file - 12626 bytes
Malwarebytes' Anti-Malware 1.26
Database version: 1125
Windows 5.1.2600 Service Pack 3

9/7/2008 3:49:26 PM
mbam-log-2008-09-07 (15-49-26).txt

Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 207520
Time elapsed: 1 hour(s), 33 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 19
Files Infected: 60

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bndveano4.band (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.band.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.bho (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bndveano4.bho.1 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{51c58711-1b4b-41c0-a08b-d4c659e0c94d} (Adware.ISM) -> Quarantined and deleted
successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) ->
Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BndVeano4.DLL (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1f.exe (Trojan.Agent) -> Quarantined and
deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vie1f.exe (Trojan.Agent) -> Quarantined and
deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data:
c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data:
system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine (Rogue.Multiple) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and
deleted successfully.
C:\Documents and Settings\Dave\Application Data\rhcl79j0er7r\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted
successfully.

Files Infected:
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined
and deleted successfully.
C:\Program Files\MSA\msa0.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\msa1.dat (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MSA\MSA.ooo (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ldinfo.ldr (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dave\INSTALL.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.

-----------------------------------

[I]Edit:

I logged on to the forums and found someone getting advise about using Malwarebytes' Anti-Malware. I downloaded it and just got done with a 2 hour scan, which did not make it go away. I saved the log from it in case you need it.
The SpyBot scan told me that to remove it I need to "purchase a license". Can this be the only way?????

Spybot-S&D is free for personal use and does not require a license.

Please see our forum stickies, and do not add to this thread until a helper responds, thanks.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)
Blade81
2008-09-11, 07:55
Hi


Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
hottiechevelleman
2008-09-11, 19:45
I have run the ComboFix and here are the logs you requested.....I am still getting the popup's.....


ComboFix 08-09-10.04 - Dave 2008-09-11 12:18:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.219 [GMT -4:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\rMa17yy
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-08 16:46 . 2008-09-08 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 23:07 . 2008-09-07 23:07 102,400 --a------ C:\WINDOWS\SYSTEM32\fehuzqda.exe
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-07 14:11 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-07 11:07 . 2008-09-07 11:07 90,112 --a------ C:\WINDOWS\SYSTEM32\birsvaru.exe
2008-09-06 01:10 . 2008-09-06 01:10 102,400 --a------ C:\WINDOWS\SYSTEM32\mpmxobar.exe
2008-09-05 07:17 . 2008-09-05 07:17 86,016 --a------ C:\WINDOWS\SYSTEM32\whcbknif.exe
2008-09-04 20:04 . 2008-09-04 20:04 90,112 --a------ C:\WINDOWS\SYSTEM32\mvarkber.exe
2008-09-04 13:34 . 2008-09-07 15:49 <DIR> d-------- C:\Program Files\MSA
2008-09-04 13:34 . 2008-09-04 13:34 <DIR> d-------- C:\Program Files\fajhsd
2008-09-04 13:34 . 2008-09-10 07:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\rqpkpqpi
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-22 18:35 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-22 18:35 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-22 18:35 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-22 18:33 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-08-22 18:33 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-08-22 18:33 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-22 18:33 . 2008-04-13 12:36 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-08-22 18:33 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-08-22 18:33 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-22 18:33 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-22 18:33 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-08-22 18:33 . 2007-09-17 04:48 1,261 --------- C:\WINDOWS\SYSTEM32\pid.inf
2008-08-15 03:01 . 2008-09-10 07:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-14 16:21 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-14 16:21 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 16:07 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-10 11:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-10 01:27 --------- d-----w C:\Documents and Settings\Dave\Application Data\SiteAdvisor
2008-09-07 12:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-05 00:02 --------- d-----w C:\Program Files\McAfee
2008-09-04 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 10:25 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-28 21:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-24 18:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-24 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 18:02 --------- d-----w C:\Program Files\McAfee.com
2008-07-24 18:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-24 11:26 --------- d-----w C:\Program Files\eommgsd
2008-07-24 11:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\yxcpuvkl
2008-05-18 00:19 1,300,048 -c--a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2006-08-12 15:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\3.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\2.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\1.dat
2005-03-31 01:20 533 ----a-w C:\Program Files\INSTALL.LOG
2003-07-19 18:06 311,296 ----a-w C:\Program Files\Common Files\msacc8.olb
1993-03-19 20:18 39,441 ----a-w C:\Documents and Settings\Dave\DEARJ.EXE
2004-06-08 20:51 278,528 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
2004-06-08 20:51 143,360 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2008-05-19 21:58 328 --sh--r C:\WINDOWS\SYSTEM32\6D58EF527A.sys
2008-05-19 21:58 11,690 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2004-12-26 14:34:09 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 306,688 2004-07-19 11:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 204,800 2004-06-03 06:50:08 C:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 421,888 2006-03-15 23:07:06 C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2008-02-26 01:23:34 C:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 866,584 2006-10-06 03:11:54 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2006-11-03 23:20:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 126,976 2005-10-19 13:59:12 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 126,976 2005-06-21 20:44:34 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2005-10-19 13:59:14 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2005-06-21 20:48:18 C:\WINDOWS\SYSTEM32\igfxtray.exe

----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [N/A]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"syscmdact"="C:\WINDOWS\system32\tojqbidu.exe" [N/A]
"msgapidsc"="C:\WINDOWS\system32\mpmxobar.exe" [2008-09-06 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 36640]
"\VIE1F.exe"="C:\Windows\System32\VIE1F.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-06 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"admui"= {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll [2008-09-04 126976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMsgSvc"=
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\9bb0rd73.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://msn.com/
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\SYSTEM32\PSIService.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-09-11 12:32:32 - machine was rebooted [Dave]
ComboFix-quarantined-files.txt 2008-09-11 16:32:19
ComboFix2.txt 2008-09-11 11:22:42

Pre-Run: 12,984,532,992 bytes free
Post-Run: 12,976,431,104 bytes free

193 --- E O F --- 2008-09-10 11:07:05




















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:57 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\mpmxobar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\ManagerApp\Onetouch.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [\VIE1F.exe] C:\Windows\System32\VIE1F.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [syscmdact] C:\WINDOWS\system32\tojqbidu.exe
O4 - HKCU\..\Run: [msgapidsc] C:\WINDOWS\system32\mpmxobar.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175981734625
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D5EC5989-671B-476D-AC86-090793776FB1} (AuctionBlast Templates) - http://download.ispeedway.com/AuctionBlast/XAuctionBlast.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O21 - SSODL: admui - {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.romancestuck.com/images/rsclipart/tn_cake.gif

--
End of file - 11560 bytes
Blade81
2008-09-11, 22:33
Hi


Disable Spybot's TeaTimer to make sure fix works and don't re-enable it until whole fixing is done, please :)

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Start hjt, do a system scan, check (if found):
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\SYSTEM32\fehuzqda.exe
C:\WINDOWS\SYSTEM32\birsvaru.exe
C:\WINDOWS\SYSTEM32\mpmxobar.exe
C:\WINDOWS\SYSTEM32\whcbknif.exe
C:\WINDOWS\SYSTEM32\mvarkber.exe

Folder::
C:\Program Files\MSA
C:\Program Files\fajhsd
C:\Documents and Settings\All Users\Application Data\rqpkpqpi

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syscmdact"=-
"msgapidsc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\VIE1F.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"admui"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.


Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer'). Post back its report, a fresh hjt log and above meantioned ComboFix resultant log.
hottiechevelleman
2008-09-13, 20:38
I followed the instructions as follows:

1. Disabled SpyBot Teatimer.
2. Ran HJT and fixed items as instructed.
3. Added CFScript to ComboFix and ran it.
4. Updated JAVA.
5. Added ATF Cleaner and cleaned Microsoft IE and Firefox.
6. Below are the HJT, ComboFix and abbreviated Kapersky Scan logs. I did not complete the Kapersky Scan because it would have taken approximately five hours.

Saturday, September 13, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 14:46:04
Records in database: 1220742

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:07 AM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\hkcmd.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\ManagerApp\Onetouch.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [\VIE1F.exe] C:\Windows\System32\VIE1F.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [syscmdact] C:\WINDOWS\system32\tojqbidu.exe
O4 - HKCU\..\Run: [msgapidsc] C:\WINDOWS\system32\mpmxobar.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder -
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175981734625
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D5EC5989-671B-476D-AC86-090793776FB1} (AuctionBlast Templates) - http://download.ispeedway.com/AuctionBlast/XAuctionBlast.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O21 - SSODL: admui - {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.romancestuck.com/images/rsclipart/tn_cake.gif

--
End of file - 11294 bytes
ComboFix 08-09-11.02 - Dave 2008-09-12 20:31:13.3 - NTFSx86
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-12 11:57 . 2008-09-12 11:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-12 11:38 . 2008-09-12 11:38 <DIR> d-------- C:\Program Files\Sun
2008-09-12 11:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-12 11:29 . 2008-09-12 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-08 16:46 . 2008-09-08 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-07 14:11 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-07 11:07 . 2008-09-07 11:07 90,112 --a------ C:\WINDOWS\SYSTEM32\birsvaru.exe
2008-09-06 01:10 . 2008-09-06 01:10 102,400 --a------ C:\WINDOWS\SYSTEM32\mpmxobar.exe
2008-09-05 07:17 . 2008-09-05 07:17 86,016 --a------ C:\WINDOWS\SYSTEM32\whcbknif.exe
2008-09-04 13:34 . 2008-09-07 15:49 <DIR> d-------- C:\Program Files\MSA
2008-09-04 13:34 . 2008-09-04 13:34 <DIR> d-------- C:\Program Files\fajhsd
2008-09-04 13:34 . 2008-09-10 07:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\rqpkpqpi
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-22 18:35 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-22 18:35 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-22 18:35 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-22 18:33 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-08-22 18:33 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-08-22 18:33 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-22 18:33 . 2008-04-13 12:36 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-08-22 18:33 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-08-22 18:33 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-22 18:33 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-22 18:33 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-08-22 18:33 . 2007-09-17 04:48 1,261 --------- C:\WINDOWS\SYSTEM32\pid.inf
2008-08-15 03:01 . 2008-09-10 07:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-14 16:21 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-14 16:21 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 00:29 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-12 15:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-12 15:37 --------- d-----w C:\Program Files\Java
2008-09-12 11:23 --------- d-----w C:\Program Files\McAfee
2008-09-10 11:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-10 01:27 --------- d-----w C:\Documents and Settings\Dave\Application Data\SiteAdvisor
2008-09-07 12:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-04 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 10:25 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-28 21:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-24 18:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-24 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 18:02 --------- d-----w C:\Program Files\McAfee.com
2008-07-24 18:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-24 11:26 --------- d-----w C:\Program Files\eommgsd
2008-07-24 11:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\yxcpuvkl
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-05-18 00:19 1,300,048 -c--a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2006-08-12 15:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\3.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\2.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\1.dat
2005-03-31 01:20 533 ----a-w C:\Program Files\INSTALL.LOG
2003-07-19 18:06 311,296 ----a-w C:\Program Files\Common Files\msacc8.olb
1993-03-19 20:18 39,441 ----a-w C:\Documents and Settings\Dave\DEARJ.EXE
2004-06-08 20:51 278,528 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
2004-06-08 20:51 143,360 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2008-05-19 21:58 328 --sh--r C:\WINDOWS\SYSTEM32\6D58EF527A.sys
2008-05-19 21:58 11,690 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-11_12.30.49.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 19:06:42 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-09-11 15:16:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-09-12 20:33:15 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-09-11 15:16:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-09-12 20:33:15 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-09-11 15:16:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-09-12 20:33:15 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2004-07-06 14:40:44 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-07-06 14:40:44 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2006-12-02 02:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2004-12-26 14:34:09 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 306,688 2004-07-19 11:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 204,800 2004-06-03 06:50:08 C:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 421,888 2006-03-15 23:07:06 C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2008-02-26 01:23:34 C:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 866,584 2006-10-06 03:11:54 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2006-11-03 23:20:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 126,976 2005-10-19 13:59:12 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 126,976 2005-06-21 20:44:34 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2005-10-19 13:59:14 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2005-06-21 20:48:18 C:\WINDOWS\SYSTEM32\igfxtray.exe

----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [N/A]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"syscmdact"="C:\WINDOWS\system32\tojqbidu.exe" [N/A]
"msgapidsc"="C:\WINDOWS\system32\mpmxobar.exe" [2008-09-06 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 36640]
"\VIE1F.exe"="C:\Windows\System32\VIE1F.exe" [N/A]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-06 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"admui"= {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll [2008-09-04 126976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMsgSvc"=
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\9bb0rd73.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://msn.com/
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-09-12 20:38:47
ComboFix-quarantined-files.txt 2008-09-13 00:38:38
ComboFix2.txt 2008-09-11 16:32:35
ComboFix3.txt 2008-09-11 11:22:42

Pre-Run: 12,262,055,936 bytes free
Post-Run: 12,260,503,552 bytes free

231 --- E O F --- 2008-09-10 11:07:05



Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 61317
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:33:55

File name Threat name Threats count
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.116.msi Infected: Trojan-Downloader.Win32.Zlob.meq 1

The scan was stopped by the user.
Blade81
2008-09-14, 13:56
Hi

Two things:
1. It seems you didn't drag'n'drop CFScript.txt file to ComboFix.exe as shown in the screenshot. I can see that by looking at your ComboFix log. Please get the latest ComboFix.exe to your desktop and then do drag'n'dropping again.

2. I have to see that Kaspersky online scanner log to be able to say whether or not there're items not visible in hjt or ComboFix log that need to be deleted. You may try to speed up scanning by first defragging your hard drives and then keep antivirus protection disabled during the scan.
hottiechevelleman
2008-09-15, 22:07
Here are the Kaspersky log...I am now having problems opening my wordperfect program...I will forward the ComboFix log as soon as I can...

Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 168397
Threat name 2
Infected objects 4
Suspicious objects 0
Duration of the scan 03:35:20

File name Threat name Threats count
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.116.msi Infected: Trojan-Downloader.Win32.Zlob.meq 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0002451.exe Infected: Trojan.Win32.Obfuscated.gx 1

C:\WINDOWS\SYSTEM32\birsvaru.exe Infected: Trojan.Win32.Obfuscated.gx 1

C:\WINDOWS\SYSTEM32\whcbknif.exe Infected: Trojan.Win32.Obfuscated.gx 1
hottiechevelleman
2008-09-15, 22:13
Here is the ComboFix log...

ComboFix 08-09-13.05 - Dave 2008-09-14 14:12:36.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.156 [GMT -4:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-12 11:57 . 2008-09-12 11:57 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-09-12 11:38 . 2008-09-12 11:38 <DIR> d-------- C:\Program Files\Sun
2008-09-12 11:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-09-12 11:29 . 2008-09-12 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-08 16:46 . 2008-09-08 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-07 14:11 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 14:11 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-07 14:11 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-07 11:07 . 2008-09-07 11:07 90,112 --a------ C:\WINDOWS\SYSTEM32\birsvaru.exe
2008-09-05 07:17 . 2008-09-05 07:17 86,016 --a------ C:\WINDOWS\SYSTEM32\whcbknif.exe
2008-09-04 13:34 . 2008-09-07 15:49 <DIR> d-------- C:\Program Files\MSA
2008-09-04 13:34 . 2008-09-04 13:34 <DIR> d-------- C:\Program Files\fajhsd
2008-09-04 13:34 . 2008-09-10 07:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\rqpkpqpi
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-23 11:44 . 2008-08-23 11:44 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-22 18:35 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-08-22 18:35 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\SYSTEM32\tsgqec.dll
2008-08-22 18:35 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\SYSTEM32\tspkg.dll
2008-08-22 18:33 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-08-22 18:33 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\SYSTEM32\microsoft.managementconsole.dll
2008-08-22 18:33 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\SYSTEM32\mssha.dll
2008-08-22 18:33 . 2008-04-13 12:36 144,384 --------- C:\WINDOWS\SYSTEM32\DRIVERS\hdaudbus.sys
2008-08-22 18:33 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\SYSTEM32\mmcfxcommon.dll
2008-08-22 18:33 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\SYSTEM32\kmsvc.dll
2008-08-22 18:33 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\SYSTEM32\l2gpstore.dll
2008-08-22 18:33 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\SYSTEM32\mmcperf.exe
2008-08-22 18:33 . 2007-09-17 04:48 1,261 --------- C:\WINDOWS\SYSTEM32\pid.inf
2008-08-15 03:01 . 2008-09-10 07:03 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-14 16:21 . 2008-04-11 15:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2008-08-14 16:21 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 17:31 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-12 15:54 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-12 15:37 --------- d-----w C:\Program Files\Java
2008-09-12 11:23 --------- d-----w C:\Program Files\McAfee
2008-09-10 11:16 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-10 01:27 --------- d-----w C:\Documents and Settings\Dave\Application Data\SiteAdvisor
2008-09-07 12:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-04 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-29 10:25 --------- d-----w C:\Program Files\SiteAdvisor
2008-07-28 21:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-07-24 18:07 --------- dc----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-07-24 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 18:02 --------- d-----w C:\Program Files\McAfee.com
2008-07-24 18:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-07-24 11:26 --------- d-----w C:\Program Files\eommgsd
2008-07-24 11:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\yxcpuvkl
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-24 22:12 295,936 ------w C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:43 74,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-24 14:57 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-05-18 00:19 1,300,048 -c--a-w C:\Documents and Settings\All Users\Application Data\pswi_preloaded.exe
2006-08-12 15:57 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\3.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\2.dat
2005-12-12 05:19 0 ----a-w C:\Documents and Settings\Dave\1.dat
2005-03-31 01:20 533 ----a-w C:\Program Files\INSTALL.LOG
2003-07-19 18:06 311,296 ----a-w C:\Program Files\Common Files\msacc8.olb
1993-03-19 20:18 39,441 ----a-w C:\Documents and Settings\Dave\DEARJ.EXE
2004-06-08 20:51 278,528 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
2004-06-08 20:51 143,360 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2008-05-19 21:58 328 --sh--r C:\WINDOWS\SYSTEM32\6D58EF527A.sys
2008-05-19 21:58 11,690 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-11_12.30.49.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 19:06:42 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-09-11 15:16:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-09-14 16:58:02 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-09-11 15:16:08 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-09-14 16:58:02 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2004-07-06 14:40:44 24,670 ----a-w C:\WINDOWS\SYSTEM32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\SYSTEM32\java.exe
- 2004-07-06 14:40:44 28,768 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\SYSTEM32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\SYSTEM32\javaws.exe
+ 2006-12-02 02:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2004-12-26 14:34:09 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 306,688 2004-07-19 11:51:24 C:\Program Files\Dell Support\bak\DSAgnt.exe

----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2005-01-12 19:54:58 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 204,800 2004-06-03 06:50:08 C:\Program Files\Microsoft IntelliPoint\bak\point32.exe

----a-w 421,888 2006-03-15 23:07:06 C:\Program Files\Picasa2\bak\PicasaMediaDetector.exe
----a-w 443,968 2008-02-26 01:23:34 C:\Program Files\Picasa2\PicasaMediaDetector.exe

----a-w 866,584 2006-10-06 03:11:54 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 866,584 2006-11-03 23:20:12 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 126,976 2005-10-19 13:59:12 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
----a-w 126,976 2005-06-21 20:44:34 C:\WINDOWS\SYSTEM32\hkcmd.exe

----a-w 155,648 2005-10-19 13:59:14 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
----a-w 155,648 2005-06-21 20:48:18 C:\WINDOWS\SYSTEM32\igfxtray.exe

----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [N/A]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MaxtorOneTouch"="C:\Program Files\Maxtor\ManagerApp\Onetouch.exe" [2006-08-11 712704]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2006-08-11 81920]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 126976]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 36640]
"\VIE1F.exe"="C:\Windows\System32\VIE1F.exe" [N/A]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-06 24576]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMsgSvc"=
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dxdiag.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Launch.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Dave\Application Data\Mozilla\Firefox\Profiles\9bb0rd73.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://msn.com/
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-09-14 14:18:38
ComboFix-quarantined-files.txt 2008-09-14 18:18:29
ComboFix2.txt 2008-09-14 17:57:24
ComboFix3.txt 2008-09-13 00:38:49
ComboFix4.txt 2008-09-11 16:32:35
ComboFix5.txt 2008-09-14 18:11:21

Pre-Run: 12,068,761,600 bytes free
Post-Run: 12,056,801,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

230 --- E O F --- 2008-09-10 11:07:05
Blade81
2008-09-16, 07:29
Hi

Disable McAfee until the following fix is done.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syscmdact"=-
"msgapidsc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\VIE1F.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"admui"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMsgSvc"=-


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)


Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\SYSTEM32\fehuzqda.exe
C:\WINDOWS\SYSTEM32\birsvaru.exe
C:\WINDOWS\SYSTEM32\mpmxobar.exe
C:\WINDOWS\SYSTEM32\whcbknif.exe
C:\WINDOWS\SYSTEM32\mvarkber.exe
C:\Program Files\MSA
C:\Program Files\fajhsd
C:\Documents and Settings\All Users\Application Data\rqpkpqpi
C:\Program Files\eommgsd
C:\Documents and Settings\All Users\Application Data\yxcpuvkl
C:\Documents and Settings\Dave\3.dat
C:\Documents and Settings\Dave\2.dat
C:\Documents and Settings\Dave\1.dat
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.116.msi


Return to OTMoveIt2, right click in the
Paste Standard List of Files/Folders to Move
window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document & a fresh hjt log back here in your next post. How's the system running?
hottiechevelleman
2008-09-16, 17:54
Machine is running better. No antivirus popups, just some popups reporting infected items....

here is the hjt log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:01 AM, on 9/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\I386\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MaxtorOneTouch] "C:\Program Files\Maxtor\ManagerApp\Onetouch.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [\VIE1F.exe] C:\Windows\System32\VIE1F.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [syscmdact] C:\WINDOWS\system32\tojqbidu.exe
O4 - HKCU\..\Run: [msgapidsc] C:\WINDOWS\system32\mpmxobar.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: CabBuilder -
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175981734625
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D5EC5989-671B-476D-AC86-090793776FB1} (AuctionBlast Templates) - http://download.ispeedway.com/AuctionBlast/XAuctionBlast.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
O21 - SSODL: admui - {01E4741A-6484-9498-78DC-00FBB9716AA1} - C:\Program Files\fajhsd\admui.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O24 - Desktop Component 0: (no name) - http://www.romancestuck.com/images/rsclipart/tn_cake.gif

--
End of file - 11355 bytes

Here is the contents of the results portion of moveit...


C:\WINDOWS\SYSTEM32\fehuzqda.exe
C:\WINDOWS\SYSTEM32\birsvaru.exe
C:\WINDOWS\SYSTEM32\mpmxobar.exe
C:\WINDOWS\SYSTEM32\whcbknif.exe
C:\WINDOWS\SYSTEM32\mvarkber.exe
C:\Program Files\MSA
C:\Program Files\fajhsd
C:\Documents and Settings\All Users\Application Data\rqpkpqpi
C:\Program Files\eommgsd
C:\Documents and Settings\All Users\Application Data\yxcpuvkl
C:\Documents and Settings\Dave\3.dat
C:\Documents and Settings\Dave\2.dat
C:\Documents and Settings\Dave\1.dat
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.11
Blade81
2008-09-16, 19:37
Here is the contents of the results portion of moveit...


C:\WINDOWS\SYSTEM32\fehuzqda.exe
C:\WINDOWS\SYSTEM32\birsvaru.exe
C:\WINDOWS\SYSTEM32\mpmxobar.exe
C:\WINDOWS\SYSTEM32\whcbknif.exe
C:\WINDOWS\SYSTEM32\mvarkber.exe
C:\Program Files\MSA
C:\Program Files\fajhsd
C:\Documents and Settings\All Users\Application Data\rqpkpqpi
C:\Program Files\eommgsd
C:\Documents and Settings\All Users\Application Data\yxcpuvkl
C:\Documents and Settings\Dave\3.dat
C:\Documents and Settings\Dave\2.dat
C:\Documents and Settings\Dave\1.dat
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.11
May I ask you where did you got that? It looks just like the list on codebox in my earlier post. I didn't want you to post it but run OTMoveIt2 like instructed and then post its log. I'll post instructions one more time and if those still are too complicated for you to follow then I'm afraid you have to take your machine to shop to get it fixed. You said in opening post: "I'm no IT type, but am fairly computer literate." so these steps shouldn't be too difficult to follow. :) Just do things carefully step by step reading all instructions.



Disable Spybot's TeaTimer and don't re-enable it until I've given you all clean sign.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Disable McAfee until the following fix is done.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syscmdact"=-
"msgapidsc"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\VIE1F.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"admui"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMsgSvc"=-


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\WINDOWS\SYSTEM32\fehuzqda.exe
C:\WINDOWS\SYSTEM32\birsvaru.exe
C:\WINDOWS\SYSTEM32\mpmxobar.exe
C:\WINDOWS\SYSTEM32\whcbknif.exe
C:\WINDOWS\SYSTEM32\mvarkber.exe
C:\Program Files\MSA
C:\Program Files\fajhsd
C:\Documents and Settings\All Users\Application Data\rqpkpqpi
C:\Program Files\eommgsd
C:\Documents and Settings\All Users\Application Data\yxcpuvkl
C:\Documents and Settings\Dave\3.dat
C:\Documents and Settings\Dave\2.dat
C:\Documents and Settings\Dave\1.dat
C:\Documents and Settings\Dave\Local Settings\Application DataKiweeToolbar1.2.11


Return to OTMoveIt2, right click in the
Paste Standard List of Files/Folders to Move
window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Blade81
2008-09-23, 18:27
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.