Hi! Is this the HJT forum? Please advise....I don't want to post in the wrong forum.

Ok, right forum. Here it is. Oh, I ran this a few weeks ago, and tried "fixing" things. R0 or R1's (2) probably microsoft; 04 BHO "unknown" author; and I thought 10 INTERNATIONAL, but that's there under 11, maybe I didn't touch that.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:05 PM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Documents and Settings\Mona\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatieControl Object) - http://zone.msn.com/bingame/choc/default/ChocolatierWeb.1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202225674654
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c95c32ff115ffe) (gupdate1c95c32ff115ffe) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

Alrighty, then! :angel:

I see you are swamped daily. This is just in case I haven't given enough info. I've learned that what I have is: Also Known As: W32.Novarg.A@mm, W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Assoc, W32/Mydoom-A [Sophos], I-Worm.Novarg [Kaspersky]; also DROPPER-7556 [WinClam]. I was actually reading about Mydoom.B...

OK, SOME problems are: cannot update Windows; cannot download anything from Microsoft, F-Secure, etc...; cannot access various anti-spyware sites; computer thinks I have IE5 (I have IE7); and I cannot get into "Internet Options" through the Tools menu. (I forget how to access it, but I have...)
My last windows update was 10/15/08.

As soon as this thing realizes who you are, I won't be able to read this forum, either.

Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Thank you so much for responding!
I'm trying to do as instructed, but I cannot find Recovery Console on my disk. I found a file named Recover.EX_-Filealyser in i386... I also don't know how to boot from the CD. It doesn't happen automatically when I boot with the disk inserted. Also, it tells me that what's on the computer is more recent than what's on the disk and the (do it anyway) button is not highlighted.
I also need to learn how to do a backup. I have a flash drive, but I assumed that would take forever...and I don't want to infect it.
I did update hjt and combofix...:snorkle:

Hi

I merged your topics. Please don't create new thread for every reply. Use "post reply" -button to reply :)

Run ComboFix and it should ask if you want to install recovery console. Allow it do so. No need to play with os media here :)

G'day, mates!

OK, first, to PM you, can I reply to your e-mail?

I just got this used computer in August '08. At some point, I must have ran Alter Ego-I'd sure like to undo that. I was using free version of ThreatFire. I noticed mid-November that when I press WindowsUpdate button, IE opens instead. Malwarebytes points Trojan.dnschanger to my satellite ISP (Dec. 08, 08.)
I uninstalled ThreatFire and installed Avast! free version. Since then, about 1/3 of the webpages I load do not completely load, and I have to reload them.

I disabled Avast! and ran ComboFix. It said ThreatFire was still running. (That explains the wwwpages not loading.) It's not in my tray or in TaskManager processes, so bewildered, I told CF to continue. It quarantined some files right away, but never said anything about the RecoveryConsole (that I saw.) If that links to Microsoft, downloading it probably wouldn't work, anyway. After reboot, it mentioned both (what are TF and Avast!, firewalls? Same thing as anti-spyware, right?) So I proceeded to delete all TF files except the main dll-which won't-then resumed CF. The log isn't in said path, but here it is:

ComboFix 09-01-02.01 - Bruce 2009-01-04 20:12:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.239.50 [GMT -6:00]
Running from: c:\documents and settings\Mona\Desktop\ComboFix.exe
AV: ThreatFire *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090104-0] *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 00:39 . 2009-01-04 00:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2008-12-28 20:57 . 2008-12-28 20:57 <DIR> d-------- c:\documents and settings\Mona\Application Data\Foxit
2008-12-28 20:29 . 2008-12-28 20:29 <DIR> d-------- c:\program files\Defraggler
2008-12-28 20:19 . 2008-12-28 20:24 <DIR> d-------- c:\program files\Piriform
2008-12-28 19:35 . 2008-12-28 19:35 <DIR> d-------- c:\program files\NASA
2008-12-27 05:29 . 2008-12-27 05:29 <DIR> d-------- c:\program files\HotHotSoftware
2008-12-27 05:29 . 2004-03-09 00:00 1,081,616 --a------ c:\windows\system32\mscomctl.ocx
2008-12-27 05:29 . 2000-07-16 16:20 185,856 --a------ c:\windows\system32\Bmp2Jpeg.dll
2008-12-27 05:29 . 2004-03-09 00:00 152,848 --a------ c:\windows\system32\Comdlg32.ocx
2008-12-27 05:29 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL
2008-12-18 09:25 . 2008-12-18 09:25 <DIR> d-------- c:\program files\Geekbench 2
2008-12-17 07:10 . 2009-01-04 19:40 4,195,527 --a------ c:\windows\pfirewall.log.old
2008-12-16 09:59 . 2008-12-16 10:14 <DIR> d-------- c:\program files\Safer Networking
2008-12-16 09:18 . 2008-12-16 09:18 <DIR> d-------- c:\program files\Secunia
2008-12-14 16:36 . 2008-12-14 16:51 <DIR> d-------- c:\program files\Security Task Manager
2008-12-14 16:36 . 2008-12-14 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2008-12-14 07:30 . 2008-12-20 06:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 07:30 . 2008-12-16 02:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-13 23:21 . 2008-12-13 23:22 5,242,934 --a------ c:\windows\BGInfo.bmp
2008-12-13 23:09 . 2008-12-13 23:10 4,826,994 --a------ c:\windows\system32\CAEJCFEVIB
2008-12-13 02:10 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\Mona\Application Data\Simply Super Software
2008-12-13 01:45 . 2008-12-13 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-12-13 01:45 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-12-13 01:45 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\unrar3.dll
2008-12-13 01:45 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-12-13 01:45 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-12-13 01:45 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-12-12 05:28 . 2008-12-12 05:28 23,040 --a------ c:\windows\system32\drivers\fsbts.sys
2008-12-11 22:08 . 2008-12-11 22:08 <DIR> d-------- c:\program files\Common Files\Apple
2008-12-11 22:07 . 2008-12-11 22:08 <DIR> d-------- c:\program files\QuickTime
2008-12-10 08:17 . 2008-12-10 08:17 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-12-09 19:30 . 2008-12-09 19:33 8,628 --ah----- c:\windows\system32\JAVAPERM.GID
2008-12-09 15:51 . 2008-12-09 15:51 <DIR> d-------- c:\program files\Alwil Software
2008-12-09 15:51 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-09 01:11 . 2008-12-09 01:11 <DIR> d-------- c:\program files\Smart Projects
2008-12-08 16:17 . 2008-12-08 16:20 <DIR> d-------- c:\program files\Apple zips
2008-12-08 14:54 . 2008-12-08 14:54 <DIR> d-------- c:\windows\Freecorder Toolbar
2008-12-08 14:54 . 2008-12-08 14:54 <DIR> d-------- c:\program files\Conduit
2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\windows\Replay Converter 3
2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\windows\Applian FLV Player
2008-12-08 14:53 . 2008-12-08 14:53 <DIR> d-------- c:\program files\JC Software
2008-12-08 14:53 . 2008-12-15 09:46 <DIR> d-------- c:\documents and settings\Mona\dwhelper
2008-12-08 14:52 . 2008-12-08 14:52 <DIR> d-------- c:\program files\CCleaner
2008-12-08 14:52 . 2008-12-08 14:53 <DIR> d-------- C:\Inetpub
2008-12-08 14:52 . 2008-12-08 14:52 <DIR> d-------- c:\documents and settings\Mona\Application Data\InstallShield
2008-12-08 10:21 . 2008-12-09 07:53 <DIR> d-------- c:\program files\Replay Media Catcher
2008-12-08 05:11 . 2008-12-10 16:40 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 05:11 . 2008-12-08 05:11 <DIR> d-------- c:\documents and settings\Mona\Application Data\Malwarebytes
2008-12-08 05:11 . 2008-12-08 05:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 05:11 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 05:11 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 04:31 . 2008-12-08 04:31 1,888,682 --a------ c:\program files\instantmemorycleaner.zip
2008-12-07 23:16 . 2008-12-07 23:16 <DIR> d-------- c:\windows\system32\msmq
2008-12-07 02:01 . 2008-12-07 02:01 <DIR> d-------- c:\documents and settings\Mona\Application Data\Talkback
2008-12-07 02:00 . 2008-12-08 12:28 <DIR> d-------- c:\documents and settings\Mona\Application Data\Thunderbird
2008-12-07 01:51 . 2008-12-07 01:51 <DIR> d-------- c:\documents and settings\Mona\Application Data\GrabPro
2008-12-07 01:50 . 2008-12-09 07:49 <DIR> d-------- c:\documents and settings\Mona\Application Data\Orbit
2008-12-06 23:24 . 2008-12-08 14:52 <DIR> d-------- c:\program files\IrfanView
2008-12-06 21:08 . 2008-12-08 15:50 <DIR> d-------- c:\documents and settings\Mona\Application Data\Apple Computer
2008-12-05 01:49 . 2009-01-04 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 02:30 --------- d-----w c:\program files\ThreatFire
2009-01-04 07:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 10:07 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-02 03:51 --------- d-----w c:\program files\Oberon Media
2009-01-02 03:51 --------- d-----w c:\program files\MSN Games
2008-12-15 23:38 --------- d-----w c:\program files\Minefield
2008-12-15 13:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 13:25 --------- d-----w c:\program files\Shockwave.com
2008-12-15 13:24 --------- d-----w c:\program files\Advanced System Optimizer
2008-12-12 08:25 --------- d-----w c:\program files\Google
2008-12-12 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-11 20:48 --------- d-----w c:\documents and settings\Mona\Application Data\ErrorSmart
2008-12-08 10:35 841,728 ----a-w c:\program files\Setup.msi
2008-12-08 06:33 533 ----a-w c:\program files\Shortcut to Windows Media Player.lnk
2008-11-29 19:10 --------- d-----w c:\documents and settings\Mona\Application Data\TuneUp Software
2008-11-29 19:08 --------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2008-11-29 19:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-29 06:26 --------- d-----w c:\documents and settings\Mona\Application Data\GlarySoft
2008-11-29 03:12 --------- d-----w c:\program files\Selectsoft
2008-11-25 11:26 --------- d-----w c:\documents and settings\Mona\Application Data\Super-Cow
2008-11-18 13:20 --------- d-----w c:\documents and settings\Mona\Application Data\Oberon Games
2008-11-18 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\Oberon Games
2008-11-17 23:48 --------- d-----w c:\program files\Nick Arcade
2008-11-17 20:05 12,576 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2008-11-12 15:39 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-11-11 00:00 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-09 15:08 --------- d-----w c:\program files\The Weather Channel FW
2008-11-09 15:00 --------- d-----w c:\program files\Real
2008-11-09 15:00 --------- d-----w c:\program files\Common Files\xing shared
2008-11-09 15:00 --------- d-----w c:\program files\Common Files\Real
2008-11-05 23:25 --------- d-----w c:\documents and settings\Mona\Application Data\PlayFirst
2008-11-05 23:25 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-11-05 02:29 --------- d-----w c:\documents and settings\Mona\Application Data\iWin
2008-10-28 20:28 9,786,348 ----a-w c:\program files\SysinternalsSuite.zip
2008-10-27 23:00 18,432 ----a-w c:\windows\ss3unstl.exe
2008-09-18 19:12 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-09 185872]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Mona^Start Menu^Programs^Startup^MemTurbo.lnk]
backup=c:\windows\pss\MemTurbo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-09 111184]
R3 WMP110;Linksys WMP110 RangePlus Wireless PCI Adapter Service;c:\windows\system32\drivers\WMP110.sys [2008-09-23 1299520]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-09 20560]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-06 30192]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S4 gupdate1c95c32ff115ffe;Google Update Service (gupdate1c95c32ff115ffe);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 119280]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7845e49f-d87b-11dd-ba9f-001ee5fbaa73}]
\Shell\AutoRun\command - e:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

2008-12-29 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-07-18 10:08]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 02:23]

2009-01-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]

2008-12-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 15:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

c:\windows\Downloaded Program Files\dream.1.0.0.10.dll - O16 -: {775879E2-7309-4619-BB02-AADE41F4B690}
hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
c:\windows\Downloaded Program Files\dream.1.0.0.10.inf

c:\windows\Downloaded Program Files\zenerchi.1.0.0.10.dll - O16 -: {BAC761D3-DFFD-4DB4-A01D-173346E090A7}
hxxp://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
c:\windows\Downloaded Program Files\zenerchi.1.0.0.10.inf
.
.
------- File Associations -------
.
VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 20:35:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,f0,69,02,00,00,00,00,0e,5b,a4,\
fe,80,43,c9,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,42,00,75,00,\
72,00,67,00,65,00,72,00,20,00,49,00,73,00,6c,00,61,00,6e,00,64,00,5c,00,70,\
00,72,00,6f,00,64,00,75,00,63,00,74,00,5c,00,62,00,69,00,2e,00,65,00,78,00,\
65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\C*NULL*h*NULL*o*NULL*c*NULL*o*NULL*l*NULL*a*NULL*t*NULL*i*NULL*e*NULL*r*NULL*®*NULL* *NULL*2*NULL*:*NULL* *NULL*S*NULL*e*NULL*c*NULL*r*NULL*e*NULL*t*NULL* *NULL*I*NULL*n*NULL*g*NULL*r*NULL*e*NULL*d*NULL*i*NULL*e*NULL*n*NULL*t*NULL*s*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,d0,92,01,00,00,00,00,68,46,c5,\
a7,a5,37,c9,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,43,00,68,00,\
6f,00,63,00,6f,00,6c,00,61,00,74,00,69,00,65,00,72,00,20,00,32,00,20,00,2d,\
00,20,00,53,00,65,00,63,00,72,00,65,00,74,00,20,00,49,00,6e,00,67,00,72,00,\
65,00,64,00,69,00,65,00,6e,00,74,00,73,00,5c,00,70,00,72,00,6f,00,64,00,75,\
00,63,00,74,00,5c,00,63,00,68,00,6f,00,63,00,6f,00,74,00,77,00,6f,00,2e,00,\
65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Z*NULL*e*NULL*n*NULL*e*NULL*r*NULL*c*NULL*h*NULL*i*NULL*"!]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,20,28,01,00,00,00,00,2a,d4,f5,\
8f,01,0f,c9,01,07,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,53,00,68,00,6f,00,63,\
00,6b,00,77,00,61,00,76,00,65,00,2e,00,63,00,6f,00,6d,00,5c,00,5a,00,65,00,\
6e,00,65,00,72,00,63,00,68,00,69,00,5c,00,5a,00,65,00,6e,00,65,00,72,00,63,\
00,68,00,69,00,2e,00,65,00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\B*NULL*u*NULL*r*NULL*g*NULL*e*NULL*r*NULL* *NULL*I*NULL*s*NULL*l*NULL*a*NULL*n*NULL*d*NULL*"!]
"DisplayName"="Burger Island™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~2\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\BURGER~2\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\C*NULL*h*NULL*o*NULL*c*NULL*o*NULL*l*NULL*a*NULL*t*NULL*i*NULL*e*NULL*r*NULL*®*NULL* *NULL*2*NULL*:*NULL* *NULL*S*NULL*e*NULL*c*NULL*r*NULL*e*NULL*t*NULL* *NULL*I*NULL*n*NULL*g*NULL*r*NULL*e*NULL*d*NULL*i*NULL*e*NULL*n*NULL*t*NULL*s*NULL*"!]
"DisplayName"="Chocolatier® 2: Secret Ingredients™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\CHOCOL~1\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\CHOCOL~1\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Uninstall\Z*NULL*e*NULL*n*NULL*e*NULL*r*NULL*c*NULL*h*NULL*i*NULL*"!]
"DisplayName"="Zenerchi™"
"UninstallString"="c:\\PROGRA~1\\SHOCKW~1.COM\\Zenerchi\\UNWISE.EXE c:\\PROGRA~1\\SHOCKW~1.COM\\Zenerchi\\INSTALL.LOG"
"DisplayVersion"="32.0.0.0"
"HelpLink"="http://www.shockwave.com/help/contact_us.jsp"
"Publisher"="Shockwave.com"
"URLInfoAbout"="http://www.shockwave.com/help/contact_us.jsp"
"Contact"="Customer Support"
"Comments"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
.
**************************************************************************
.
Completion time: 2009-01-04 20:39:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 02:39:25

Pre-Run: 28,285,603,840 bytes free
Post-Run: 28,741,492,736 bytes free

309 --- E O F --- 2008-10-29 06:47:41



Now, HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:45 AM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mona\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ArmorIE - {0565CF3E-6070-4272-8EEF-51E5083BE3D9} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatieControl Object) - http://zone.msn.com/bingame/choc/default/ChocolatierWeb.1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202225674654
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c95c32ff115ffe) (gupdate1c95c32ff115ffe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 6074 bytes


After running CF, I noticed a huge speed improvement! I'm thankful I don't have (VirtuMunde). Do you know where it comes from, so I can avoid it?

OK, let's bow our heads....(Thank You)


(What would I be rating below, my degree of satisfaction? Of results? General reading? Cuteness of emoticons?)

Hi

I don't do logs or any kind of helping thru email, just at forums :)


what are TF and Avast!, firewalls? Same thing as anti-spyware, right?
Both are antivirus programs.


Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {6DFD889B-7F81-44C4-BC1F-06A857C01C41} - (no file)
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)

Close browsers and fix checked.




Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems

Due to inactivity, this thread will now be closed.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.