Bad Windows Image


Arethka

Hi,

I keep getting the same error message when I try to launch an application; the error that comes up is:

[programename.exe] - Bad Image
The application or DLL C:/Windows/system32/.......is not a valid Windows image. Please check your installation disk.

And then the program launches.

I use Webroot Spysweeper and Webroot Desktop Firewall.

My OS is Windows XP SP2.



Thanks,
Dan
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:03 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\avedesk13\AVEDESK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Finderbar 1.5\Finderbar_Engine.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] rundll32.exe "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\avedesk13\AVEDESK.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Finderbar_Engine.lnk = C:\Program Files\Finderbar 1.5\Finderbar_Engine.exe
O4 - Startup: ObjectBar.ini
O4 - Startup: Skylight.lnk = C:\Documents and Settings\Dan\Local Settings\Apps\2.0\LB51DTPY.Q4A\WDJJ69VG.44J\skyl..tion_9ebf2d73f145bd1d_0001.0000_d12826f4ee09ad20\Skylight.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D26E4.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9797 bytes
 
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page. I'll need that Kaspersky scan; don't run and post it until I ask you to.

Looks like a Vundo infection, which can be tough to remove. I will start by saying that until I say you are clean..

1) Return here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe; call it Dan.exe or whatever you wish. The next log after a restart will show the hidden junk if it is there.

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Thanks
 
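The Vundo diagnosis above rests on a handful of lines in the first HijackThis log: a BHO and a rundll32 Run entry loading random-named DLLs out of system32, a non-empty AppInit_DLLs value pointing at a .dat file, and a service whose binary is cmd.exe. As an added example (not from the thread, nor from HijackThis or ComboFix), the Python below parses HJT log lines and flags those patterns; the heuristics and severities are my own assumptions, and the sample lines are copied from the log above.

```python
"""Triage heuristics for HijackThis (HJT) log lines. Added example, not part of the
thread or of HijackThis/ComboFix; the rules and severities are my own assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason line")  # severity: high/medium/low

# An entry is "<section> - <body>", e.g. "O2 - BHO: <name> - {CLSID} - <path>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")
# Eight lowercase letters is the shape of the DLL names in this thread
# (wqridibx.dll, fbydlbaw.dll, rasmoesa.dll): a heuristic, not a signature.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)$", re.IGNORECASE)
# rundll32.exe "<dll>",<export>  (quotes around either part are optional)
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^"]+?)"?\s*,(?P<export>\S*)', re.IGNORECASE)
RUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def _basename(path):
    """Last path component, without quotes or an HJT '(file missing)' suffix."""
    path = MISSING_RE.sub("", path.strip().strip('"'))
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def _random_system32_dll(path):
    """8-letter DLL that lives in system32 or is listed without any directory."""
    in_system32 = bool(SYSTEM32_RE.search(path)) or "\\" not in path
    return in_system32 and bool(RANDOM_DLL_RE.match(_basename(path)))

def _check_bho(body, line):
    parts = body[len("BHO: "):].split(" - ", 2)
    if len(parts) != 3:
        return []
    name, _clsid, path = parts
    out = []
    if CLSID_RE.match(name):
        out.append(Finding("medium", "BHO registered under a CLSID instead of a product name", line))
    if MISSING_RE.search(path):
        out.append(Finding("low", "orphaned BHO entry: its DLL is gone", line))
    if _random_system32_dll(path):
        out.append(Finding("high", "random-named DLL in system32 registered as a BHO", line))
    return out

def _check_run(body, line):
    m = RUN_RE.match(body)
    if not m:  # Startup-folder entries carry no [name] part
        return []
    out = []
    if HEX_NAME_RE.match(m.group("name")):
        out.append(Finding("medium", "Run value name is eight hex digits, not a product name", line))
    r = RUNDLL_RE.search(m.group("cmd"))
    if r and _random_system32_dll(r.group("dll")):
        out.append(Finding("high", f"rundll32 loads a random-named DLL via export '{r.group('export')}'", line))
    return out

def _check_appinit(body, line):
    path = body.split(":", 1)[1].strip()
    if not path:
        return []
    # AppInit_DLLs loads into every user32 process; a non-.dll extension (.dat here) disguises the file.
    sev = "high" if not _basename(path).lower().endswith(".dll") else "medium"
    return [Finding(sev, "AppInit_DLLs is set; this file loads into every GUI process", line)]

def _check_service(body, line):
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    path = parts[2]
    out = [Finding("high", "service binary is cmd.exe", line)] if _basename(path).lower() == "cmd.exe" else []
    if MISSING_RE.search(path):
        out.append(Finding("low", "service binary missing: stale or already-removed entry", line))
    return out

# section -> (required body prefix, checker)
CHECKS = {"O2": ("BHO: ", _check_bho), "O4": ("", _check_run),
          "O20": ("AppInit_DLLs:", _check_appinit), "O23": ("Service: ", _check_service)}

def triage_line(line):
    """Findings for one HJT log line; empty for clean or unrecognised lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    prefix, check = CHECKS.get(m.group("section"), (None, None))
    if check is None or not m.group("body").startswith(prefix):
        return []
    return check(m.group("body"), line)

def triage_log(text):
    return [f for line in text.splitlines() for f in triage_line(line)]

def severity_counts(findings):
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "low")}

# Sample lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O4 - HKLM\..\Run: [d0ed3d80] rundll32.exe "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00D26E4.dat
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - cmd.exe (file missing)
"""
```

Running `triage_log(SAMPLE_LOG)` on those lines yields five high, two medium and two low findings; the Spybot BHO and the igfxpers Run entry produce none.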
ComboFix Log:

ComboFix 07-11-08.1 - Dan 2007-11-11 16:47:56.3 - NTFSx86
Running from: C:\Documents and Settings\Dan\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\__c00D26E4.dat
C:\WINDOWS\system32\glesquag.dllbox
C:\WINDOWS\system32\xpdx.sys

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-08 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 15:52 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-05 18:57 58,368 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\rc.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
2007-11-03 14:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 13:48 <DIR> d-------- C:\Program Files\Photoshop
2007-11-01 18:27 <DIR> dr-hs---- C:\Volume Information
2007-11-01 18:26 <DIR> d-------- C:\WINDOWS\Instant Lock
2007-11-01 18:26 <DIR> d-------- C:\Program Files\Instant Lock
2007-10-31 15:32 <DIR> d-------- C:\Program Files\DriveMounter
2007-10-28 17:42 <DIR> d-------- C:\Program Files\Mac Startup Screen
2007-10-28 17:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Nubs
2007-10-28 17:34 <DIR> d-------- C:\Program Files\Concentrate
2007-10-28 17:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-28 17:27 <DIR> d-------- C:\Program Files\Finderbar 1.5
2007-10-28 17:27 46,592 --a------ C:\WINDOWS\zipinst.exe
2007-10-28 17:21 <DIR> d-------- C:\Program Files\ICO-PNG
2007-10-27 13:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-26 22:29 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Alien Skin
2007-10-23 21:02 <DIR> d-------- C:\Program Files\RK Launcher
2007-10-23 20:06 <DIR> d-------- C:\Program Files\RocketDock
2007-10-22 20:30 <DIR> d-------- C:\Program Files\Atlantis Xtreme V0.9.1
2007-10-21 12:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\HP
2007-10-21 11:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-20 18:35 <DIR> d-------- C:\Program Files\Star Trek Legacy
2007-10-20 13:20 177,496 --a------ C:\WINDOWS\system32\wdfproc.dll
2007-10-18 13:41 85,848 --a------ C:\WINDOWS\system32\drivers\pwipf6.sys
2007-10-16 17:49 <DIR> d-------- C:\Program Files\Activision
2007-10-16 17:39 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-16 17:32 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-16 16:39 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\DivX
2007-10-16 16:36 <DIR> d-------- C:\Program Files\Google
2007-10-15 18:24 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-15 12:12 <DIR> d-------- C:\Program Files\Xvid
2007-10-15 12:08 28,672 --a------ C:\WINDOWS\system32\Alphablending.dll
2007-10-15 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:54 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\CandyLabs
2007-10-14 18:10 <DIR> d-------- C:\Program Files\MSBuild
2007-10-14 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-14 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-14 17:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 08:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2007-11-09 13:22 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-11-09 13:17 --------- d-----w C:\Program Files\Avanquest update
2007-11-09 09:49 4,624,384 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-11-09 09:46 163,840 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-11-08 11:06 --------- d-----w C:\Documents and Settings\Dan\Application Data\LimeWire
2007-11-07 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-06 09:49 --------- d-----w C:\Program Files\Webroot
2007-11-03 05:10 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-03 01:59 --------- d-----w C:\Program Files\Trillian
2007-10-31 08:57 --------- d-----w C:\Documents and Settings\Dan\Application Data\Matrix Y2K
2007-10-28 09:18 --------- d-----w C:\Program Files\iTunes
2007-10-21 02:45 164 ----a-w C:\install.dat
2007-10-17 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 07:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-15 01:53 --------- d-----w C:\Program Files\WS_FTP Pro
2007-10-14 12:36 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-14 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 12:30 --------- d-----w C:\Program Files\Macromedia
2007-10-14 12:26 --------- d-----w C:\Program Files\AutoSizer
2007-10-11 08:17 --------- d-----w C:\Program Files\Matrix Y2K
2007-10-10 11:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\SmartFTP
2007-10-09 13:06 --------- d-----w C:\Program Files\Azureus
2007-10-09 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CyberLink
2007-10-02 16:32 --------- d-----w C:\Program Files\Bonjour
2007-10-01 08:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 08:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 08:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 08:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 12:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-29 12:26 --------- d-----w C:\Documents and Settings\Dan\Application Data\SpinTop
2007-09-29 12:25 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
2007-09-29 12:25 908,716 ----a-w C:\WINDOWS\system32\GFC 2006.SCR
2007-09-29 12:25 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
2007-09-29 10:54 --------- d-----w C:\Program Files\ChaosAbout100
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-28 13:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\Talkback
2007-09-28 09:31 --------- d-----w C:\Program Files\iPod
2007-09-26 06:42 58,792 ----a-w C:\WINDOWS\system32\wbload.dll
2007-09-22 12:41 --------- d-----w C:\Program Files\LemonCord
2007-09-22 09:23 --------- d-----w C:\Program Files\Desktop Icon Toy
2007-09-15 03:36 --------- d-----w C:\Program Files\Styler
2007-09-14 12:26 --------- d-----w C:\Program Files\finexer
2007-09-14 12:11 --------- d-----w C:\Documents and Settings\Dan\Application Data\AveDesk
2007-09-14 12:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\FindeXer
2007-09-14 11:32 --------- d-----w C:\Documents and Settings\Dan\Application Data\Styler
2007-09-14 09:46 --------- d-----w C:\Program Files\avedesk13
2007-09-14 09:16 --------- d-----w C:\Program Files\YzShadow
2007-09-14 09:16 --------- d-----w C:\Program Files\WinRoll
2007-09-14 09:16 --------- d-----w C:\Program Files\UberIcon
2007-09-14 09:16 --------- d-----w C:\Program Files\Tiger System Preferences v2
2007-09-12 07:47 --------- d-----w C:\Program Files\Apple Software Update
2007-09-02 07:27 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-08-27 09:47 7,852 ----a-w C:\WINDOWS\system32\mcdmsg7.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-02 09:48 92,064 ----a-w C:\Documents and Settings\Dan\mqdmmdm.sys
2007-08-02 09:48 9,232 ----a-w C:\Documents and Settings\Dan\mqdmmdfl.sys
2007-08-02 09:48 79,328 ----a-w C:\Documents and Settings\Dan\mqdmserd.sys
2007-08-02 09:48 66,656 ----a-w C:\Documents and Settings\Dan\mqdmbus.sys
2007-08-02 09:48 6,208 ----a-w C:\Documents and Settings\Dan\mqdmcmnt.sys
2007-08-02 09:48 5,936 ----a-w C:\Documents and Settings\Dan\mqdmwhnt.sys
2007-08-02 09:48 4,048 ----a-w C:\Documents and Settings\Dan\mqdmcr.sys
2007-08-02 09:48 25,600 ----a-w C:\Documents and Settings\Dan\usbsermptxp.sys
2007-08-02 09:48 22,768 ----a-w C:\Documents and Settings\Dan\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264426f7-9772-43c1-a02e-14bcb29bda36}]
2007-11-05 15:27 83008 --a------ C:\WINDOWS\system32\wqridibx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320635D7-379D-48C3-B183-ABD0C4B20E69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImageShackUtil"="C:\Program Files\ImageShack\QuickShot\QuickShot.exe" []
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20]
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 15:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"d0ed3d80"="C:\WINDOWS\system32\fbydlbaw.dll" [2007-11-05 18:40]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [2007-06-13 19:23]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]
"DesktopIconToy"="C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll 2007-09-24 20:08 229376 C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 09:52:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-05 08:00:46 C:\WINDOWS\Tasks\wrSpySweeper_L5D90EFAFC01D49D88C2490292CB7F309.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 17:16:13
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\unpr.sys 2432 bytes executable
C:\WINDOWS\system32\logon.exe 40960 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2007-11-11 17:20:52 - machine was rebooted
.
--- E O F ---
 
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:24 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Desktop Firewall\WDF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\logon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9025 bytes
 
We have a problem. The reason I asked that the computer be kept offline is that the junk often has the ability to continue to download more junk, and in this case a very dangerous trojan is in your newest HJT log.
First HJT log: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:03 PM, on 8/11/2007
a lot of junk to clean but this item is NOT there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:24 PM, on 11/11/2007

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
http://www.castlecops.com/startuplist-8569.html
http://www.sophos.com/virusinfo/analyses/w32poebotj.html
Allows others to access the computer
Steals information
Downloads code from the internet
Reduces system security
Installs itself in the Registry
Used in DOS attacks
As you can see, this is a very bad trojan. I need to give you this information.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

All of the rest of the junk is also still there, except for the small start made by combofix. If you should decide to proceed, I need to show you this:
1) Return here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it Dan.exe or whatever you wish. The next log after a restart will show the hidden junk if it is there.
You continued with HJT.exe, which is what the trash hides from: C:\Program Files\Trend Micro\HijackThis\HJT.exe. I suggested Dan.exe, but call it anything but HijackThis.exe or HJT.exe.

Thanks
 
My apologies Dan, one of our rootkit experts has pointed out that you also have one or more rootkit infections which does not make the situation any better. This was responsible for that logon.exe not showing in the first log. It was hidden until combofix went to work on it.

When it removed this: C:\WINDOWS\system32\xpdx.sys see the link:
http://www.bleepingcomputer.com/startups/xpdx.sys-18517.html
Then we could see the hidden item.

See this area of the log where combofix checks for rootkits:
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Sorry I missed that, but like I said, it only assures me of the seriousness of this infection.
http://en.wikipedia.org/wiki/Rootkit

Thanks
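As an added illustration of the autorun triage the posts above walk through (this is example code written for this page, not code from the thread, from HijackThis or from ComboFix), here is a small Python scanner that parses the O4 Run-key lines of a HijackThis log and flags the two patterns called out here: a random hex value name that loads a DLL through rundll32, and Run entries that launch a binary named after a core Windows component (logon.exe, or explorer.exe living in system32), which the boot chain starts itself and never through a Run key. The sample lines are copied from the log posted in this thread; the small allowlist of rundll32 DLLs is an assumption to extend with files you have verified.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Value names like "d0ed3d80": eight hex digits, typical of auto-generated malware autoruns.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)

# Binaries the boot chain (smss -> winlogon -> userinit -> shell) starts itself. A Run-key
# entry launching one of these names is a lookalike or a hijack, whatever the display name
# claims. logon.exe is not a Windows file at all; the name is chosen to resemble winlogon.exe.
NEVER_VIA_RUN = {"smss.exe", "csrss.exe", "winlogon.exe", "logon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe", "userinit.exe"}

# Assumed allowlist of DLLs a vendor legitimately loads through rundll32 at logon.
# Extend with files you have verified; any other system32 DLL is flagged for review.
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "bthprops.cpl"}


@dataclass(frozen=True)
class Finding:
    name: str      # registry value name shown in [brackets]
    target: str    # file the entry actually executes or loads
    reason: str


def split_cmd(cmd: str) -> list[str]:
    """Tokenise a Run-key command: quoted strings stay whole, the rest splits on whitespace."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_entry(name: str, cmd: str) -> list[Finding]:
    """Apply the heuristics to one Run-key value; returns an empty list for a clean entry."""
    tokens = split_cmd(cmd)
    if not tokens:
        return []
    exe = tokens[0]
    findings = []
    if HEX_NAME_RE.match(name):
        findings.append(Finding(name, exe, "auto-generated hex value name"))
    if basename(exe) == "rundll32.exe":
        # rundll32 is a proxy: the thing that matters is the DLL it is told to load.
        dll = tokens[1] if len(tokens) > 1 else ""
        if "\\system32\\" in dll.lower() and basename(dll) not in KNOWN_RUNDLL32_DLLS:
            findings.append(Finding(name, dll, "rundll32 loads an unrecognised DLL from system32"))
    elif basename(exe) in NEVER_VIA_RUN:
        findings.append(Finding(name, exe, f"{basename(exe)} is never started via a Run key"))
    return findings


def scan_o4(log_text: str) -> list[Finding]:
    """Run every O4 Run-key line of a HijackThis log through the heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            findings.extend(analyse_entry(m["name"], m["cmd"]))
    return findings


if __name__ == "__main__":
    for f in scan_o4(SAMPLE_O4):
        print(f"[{f.name}] -> {f.target}: {f.reason}")
```

On the sample above the scanner reports the d0ed3d80/fbydlbaw.dll pair twice (hex name, and rundll32 loading an unknown system32 DLL), the "Windows Logon Application" entry pointing at logon.exe, and the "Windows Explorer" entry pointing at system32\explorer.exe, while the HP, Webroot and ctfmon entries pass. The display name is deliberately ignored when judging an entry: malware picks reassuring names, so only the target path and the launcher are trusted.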
 
Bugger, I know how to and will Format the PC if necessary. But if I must take that action, would I be able to connect my External HDD to backup files, just my site and stuff like that, no programs, without it being infected?
 
Hi Dan, let me comment on this first:
Oh, I forgot to mention but after I ran ComboFix the popups went away
Indeed as I explained, combofix hit the rootkit that was hiding the trojan and removed other items that were probably causing the popups.
As great as combofix is, it will not clean everything; think how huge the program would have to be. We can see the trojan, andymanchesta has added that one to SDFix (it could also be removed manually), and we can clean the rest of the junk with a little effort. We can also run tools to look for and remove any rootkits. Then we ask, is this computer safe? That is where we run into a problem, because we can never be assured of that. I will be glad to help get the computer as clean as possible, and that is your decision.
I can say in my case, were it my computer which I use extensively for online banking, etc., I would have to reformat.

Here is information I have that should answer your questions:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

Thanks...Phil
 
OK, thanks for that but can u answer my first question please.

Bugger, I know how to and will Format the PC if necessary. But if I must take that action, would I be able to connect my External HDD to backup files, just my site and stuff like that, no programs, without it being infected?


Thanks,
Dan
 
OK Dan, we can do that. Since a bit of time has passed and malware changes quickly, I would like you to remove the version of combofix you have and post a new combofix report and a new HJT log. Please remember to keep the computer offline except when troubleshooting until we have kicked this junk out; it may download more.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks
 
ComboFix Log:

ComboFix 07-11-08.1 - Dan 2007-11-14 15:54:47.4 - NTFSx86
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\system32\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 15:32 30,841 --a------ C:\WINDOWS\system32\dskfhfab.exe
2007-11-13 18:24 31,622 --a------ C:\WINDOWS\system32\tutrge.exe
2007-11-11 17:17 2,432 --a------ C:\WINDOWS\system32\unpr.sys
2007-11-08 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 16:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 15:52 32,768 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-05 18:57 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 18:40 85,568 --a------ C:\WINDOWS\system32\fbydlbaw.dll
2007-11-05 15:27 83,008 --a------ C:\WINDOWS\system32\wqridibx.dll
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\rc.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-11-05 15:24 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-11-03 14:13 52,224 --a------ C:\WINDOWS\system32\rasmoesa.dll
2007-11-03 14:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-03 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-11-03 13:48 <DIR> d-------- C:\Program Files\Photoshop
2007-11-01 18:27 <DIR> dr-hs---- C:\Volume Information
2007-11-01 18:26 <DIR> d-------- C:\WINDOWS\Instant Lock
2007-11-01 18:26 <DIR> d-------- C:\Program Files\Instant Lock
2007-10-31 15:32 <DIR> d-------- C:\Program Files\DriveMounter
2007-10-28 17:42 <DIR> d-------- C:\Program Files\Mac Startup Screen
2007-10-28 17:40 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Nubs
2007-10-28 17:34 <DIR> d-------- C:\Program Files\Concentrate
2007-10-28 17:27 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-28 17:27 <DIR> d-------- C:\Program Files\Finderbar 1.5
2007-10-28 17:27 46,592 --a------ C:\WINDOWS\zipinst.exe
2007-10-28 17:21 <DIR> d-------- C:\Program Files\ICO-PNG
2007-10-27 13:35 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-26 22:29 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\Alien Skin
2007-10-23 21:02 <DIR> d-------- C:\Program Files\RK Launcher
2007-10-23 20:06 <DIR> d-------- C:\Program Files\RocketDock
2007-10-22 20:30 <DIR> d-------- C:\Program Files\Atlantis Xtreme V0.9.1
2007-10-21 12:02 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\HP
2007-10-21 11:47 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-20 18:35 <DIR> d-------- C:\Program Files\Star Trek Legacy
2007-10-20 13:20 177,496 --a------ C:\WINDOWS\system32\wdfproc.dll
2007-10-18 13:41 85,848 --a------ C:\WINDOWS\system32\drivers\pwipf6.sys
2007-10-16 17:49 <DIR> d-------- C:\Program Files\Activision
2007-10-16 17:39 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-10-16 17:32 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-10-16 16:39 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\DivX
2007-10-16 16:36 <DIR> d-------- C:\Program Files\Google
2007-10-15 18:24 <DIR> d-------- C:\Program Files\DivX
2007-10-15 13:03 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-10-15 13:03 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-15 12:12 <DIR> d-------- C:\Program Files\Xvid
2007-10-15 12:08 28,672 --a------ C:\WINDOWS\system32\Alphablending.dll
2007-10-15 11:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-10-15 10:54 <DIR> d-------- C:\Documents and Settings\Dan\Application Data\CandyLabs
2007-10-14 18:10 <DIR> d-------- C:\Program Files\MSBuild
2007-10-14 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-10-14 17:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-10-14 17:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 09:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-11 08:14 --------- d-----w C:\Documents and Settings\Dan\Application Data\Azureus
2007-11-09 13:22 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-11-09 13:17 --------- d-----w C:\Program Files\Avanquest update
2007-11-09 09:49 4,624,384 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-11-09 09:46 163,840 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-11-08 11:06 --------- d-----w C:\Documents and Settings\Dan\Application Data\LimeWire
2007-11-07 09:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-06 09:49 --------- d-----w C:\Program Files\Webroot
2007-11-03 01:59 --------- d-----w C:\Program Files\Trillian
2007-10-31 08:57 --------- d-----w C:\Documents and Settings\Dan\Application Data\Matrix Y2K
2007-10-28 09:18 --------- d-----w C:\Program Files\iTunes
2007-10-21 02:45 164 ----a-w C:\install.dat
2007-10-17 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-16 07:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-15 01:53 --------- d-----w C:\Program Files\WS_FTP Pro
2007-10-14 12:36 --------- d-----w C:\Program Files\Common Files\Stardock
2007-10-14 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 12:30 --------- d-----w C:\Program Files\Macromedia
2007-10-14 12:26 --------- d-----w C:\Program Files\AutoSizer
2007-10-11 08:17 --------- d-----w C:\Program Files\Matrix Y2K
2007-10-10 11:25 --------- d-----w C:\Documents and Settings\Dan\Application Data\SmartFTP
2007-10-09 13:06 --------- d-----w C:\Program Files\Azureus
2007-10-09 02:54 --------- d-----w C:\Documents and Settings\Dan\Application Data\CyberLink
2007-10-02 16:32 --------- d-----w C:\Program Files\Bonjour
2007-10-01 08:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 08:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 08:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 08:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-09-29 12:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-29 12:26 --------- d-----w C:\Documents and Settings\Dan\Application Data\SpinTop
2007-09-29 12:25 94,208 ----a-w C:\WINDOWS\system32\ScrUnZip.dll
2007-09-29 12:25 908,716 ----a-w C:\WINDOWS\system32\GFC 2006.SCR
2007-09-29 12:25 129,536 ----a-w C:\WINDOWS\system32\IJL15.dll
2007-09-29 10:54 --------- d-----w C:\Program Files\ChaosAbout100
2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 16:07 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-09-28 16:07 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-09-28 16:07 532,480 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-28 13:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\Talkback
2007-09-28 09:31 --------- d-----w C:\Program Files\iPod
2007-09-26 06:42 58,792 ----a-w C:\WINDOWS\system32\wbload.dll
2007-09-22 12:41 --------- d-----w C:\Program Files\LemonCord
2007-09-22 09:23 --------- d-----w C:\Program Files\Desktop Icon Toy
2007-09-15 03:36 --------- d-----w C:\Program Files\Styler
2007-09-14 12:26 --------- d-----w C:\Program Files\finexer
2007-09-14 12:11 --------- d-----w C:\Documents and Settings\Dan\Application Data\AveDesk
2007-09-14 12:04 --------- d-----w C:\Documents and Settings\Dan\Application Data\FindeXer
2007-09-14 11:32 --------- d-----w C:\Documents and Settings\Dan\Application Data\Styler
2007-09-14 09:46 --------- d-----w C:\Program Files\avedesk13
2007-09-14 09:16 --------- d-----w C:\Program Files\YzShadow
2007-09-14 09:16 --------- d-----w C:\Program Files\WinRoll
2007-09-14 09:16 --------- d-----w C:\Program Files\UberIcon
2007-09-14 09:16 --------- d-----w C:\Program Files\Tiger System Preferences v2
2007-09-02 07:27 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-08-27 09:47 7,852 ----a-w C:\WINDOWS\system32\mcdmsg7.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-02 09:48 92,064 ----a-w C:\Documents and Settings\Dan\mqdmmdm.sys
2007-08-02 09:48 9,232 ----a-w C:\Documents and Settings\Dan\mqdmmdfl.sys
2007-08-02 09:48 79,328 ----a-w C:\Documents and Settings\Dan\mqdmserd.sys
2007-08-02 09:48 66,656 ----a-w C:\Documents and Settings\Dan\mqdmbus.sys
2007-08-02 09:48 6,208 ----a-w C:\Documents and Settings\Dan\mqdmcmnt.sys
2007-08-02 09:48 5,936 ----a-w C:\Documents and Settings\Dan\mqdmwhnt.sys
2007-08-02 09:48 4,048 ----a-w C:\Documents and Settings\Dan\mqdmcr.sys
2007-08-02 09:48 25,600 ----a-w C:\Documents and Settings\Dan\usbsermptxp.sys
2007-08-02 09:48 22,768 ----a-w C:\Documents and Settings\Dan\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{264426f7-9772-43c1-a02e-14bcb29bda36}]
2007-11-05 15:27 83008 --a------ C:\WINDOWS\system32\wqridibx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{320635D7-379D-48C3-B183-ABD0C4B20E69}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87FA4A3-2474-4a3f-B413-67D515905024}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImageShackUtil"="C:\Program Files\ImageShack\QuickShot\QuickShot.exe" []
"Webroot Desktop Firewall"="C:\Program Files\Webroot\Desktop Firewall\WDF.exe" [2007-10-20 13:20]
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" [2006-01-15 15:31]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 14:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 07:24]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 19:38]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 16:44 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 15:42]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"d0ed3d80"="rundll32.exe" [2004-08-12 23:04 C:\WINDOWS\system32\rundll32.exe]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Windows Logon Application"="C:\WINDOWS\system32\logon.exe" [2007-06-13 19:23]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Windows Explorer"="C:\WINDOWS\system32\explorer.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 17:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:24]
"DesktopIconToy"="C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 22:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 16:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll 2007-09-24 20:08 229376 C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"


.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 09:52:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 08:00:22 C:\WINDOWS\Tasks\wrSpySweeper_L5D90EFAFC01D49D88C2490292CB7F309.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:02:26
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14 16:04:12
.
--- E O F ---
 
HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:30 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dskfhfab.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {C87FA4A3-2474-4a3f-B413-67D515905024} - rasmoesa.dll (file missing)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\system32\logon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9225 bytes
 
Thanks for returning the fresh information, let's start like this:

1) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

2) To disable SpySweeper: <<< may be old instructions but turn it off until you are done and then back on to continue your realtime protection.

Open the program
On the left, click: Options, then > Program Options
Uncheck: Load at Windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification

3) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the Clipboard ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
This is a start; you have other infections.

Thanks
 
SDFix:

SDFix: Version 1.114

Run by Dan on Thu 15/11/2007 at 04:09 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\cmds.txt - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\logon.exe - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\rasmoesa.dll - Deleted
C:\WINDOWS\system32\rc.dat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:25:11
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:41,63,05,f0,07,12,e5,1a,b4,af,53,f6,e1,25,16,af,da,bc,6c,b1,6b,..

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\01\29-{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\chevron8653@hotmail.com\DFSR\Staging\CS{5AA6FED8-7CBB-ED5C-EF09-256C4E790D86}\53\353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-{74EE1628-3DE3-44BB-BE92-96BC5C9F44A3}-v353-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 1400 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\01\10-{372F4939-D34C-5F6B-D909-099612CAD1CF}-v1-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Messenger\dont.ask.ryda@hotmail.com\SharingMetadata\martouf_of_tokra@hotmail.com\DFSR\Staging\CS{372F4939-D34C-5F6B-D909-099612CAD1CF}\11\11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-{8B5FECED-7AC1-4D16-BB9C-8A71369F3636}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 4


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 12 Aug 2004 100,352 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sat 22 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BIT44.tmp"
Wed 14 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ecdaae76294ae865d5456738faf3aa2e\BIT43.tmp"
Tue 6 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT3E.tmp"

Finished!

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:46 PM, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\finexer\FindeXer.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ImageShackUtil] "C:\Program Files\ImageShack\QuickShot\QuickShot.exe"
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [System Files Updater] "C:\WINDOWS\FlyakiteOSX\System Files Updater.exe" /S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopIconToy] "C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1184321644312
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8455 bytes
 
Thanks for returning your information, let's do this now:

1) see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.6.0_01\ <<< update your Java program and uninstall all old versions in Add/Remove Programs.

2) C:\Program Files\Styler\Styler.exe <<< assure me this is a valid program.

3) Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
(fsbl.exe) and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present, like "wbemtest.exe" and "tcptest.exe".
Exit Blacklight and post the contents of the log in your next reply.

(don't fix anything, just post the log)

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) SpySweeper turned off please.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\fbydlbaw.dll <<< delete that file if there.

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer, post the report from BlackLight, a new HJT log and some feedback. How is the computer running?

Thanks
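The entries the helper picked out of the HJT log above share a few recognisable shapes: BHOs registered with "(no file)" behind them, a BHO whose display name is itself a GUID, and a Run value named with eight hex digits that loads an eight-letter system32 DLL through rundll32. The Python below is an added example for this thread, not part of HijackThis, SDFix or the helper's instructions: it turns those shapes into a first-pass triage over HJT-format lines. The sample log is constructed from the entries posted above, and the heuristics (the regular expressions for a GUID used as a name, an eight-hex-digit Run value, an eight-letter system32 DLL) are my assumptions, not rules from the tool. Findings are prompts for a reviewer to look at a line, not a verdict, since legitimate files can fit the same patterns.

```python
"""Triage of HijackThis-style log lines.

Added example for this forum thread; not part of HijackThis, SDFix or any
Webroot product. The heuristics are assumptions drawn from the entries the
helper asked to have fixed, not rules from the tool itself.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the format of the logs posted above: a mix of the
# entries the helper flagged and entries that are plainly legitimate.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {63adb92b-cb41-e20a-1c34-27797f624462} - {264426f7-9772-43c1-a02e-14bcb29bda36} - C:\WINDOWS\system32\wqridibx.dll
O2 - BHO: (no name) - {320635D7-379D-48C3-B183-ABD0C4B20E69} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [d0ed3d80] "rundll32.exe" "C:\WINDOWS\system32\fbydlbaw.dll",b
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")            # e.g. [d0ed3d80]
# Heuristic only: legitimate DLLs such as browseui.dll also have eight letters,
# so a hit means "look at this", not "remove this".
RANDOM_DLL_RE = re.compile(r"\\system32\\([a-z]{8})\.dll\b", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    reason: str    # why the line deserves a second look
    line: str      # the log line itself


def check_bho(line: str) -> List[str]:
    """Heuristics for O2 (Browser Helper Object) lines."""
    m = BHO_RE.match(line)
    if not m:
        return []
    name, _clsid, path = m.groups()
    reasons = []
    if path == "(no file)":
        reasons.append("BHO registered but its DLL is missing (orphaned entry)")
    if GUID_RE.match(name):
        reasons.append("BHO has a GUID where a product name is expected")
    if RANDOM_DLL_RE.search(path):
        reasons.append("BHO DLL in system32 has an eight-letter random-looking name")
    return reasons


def check_run(line: str) -> List[str]:
    """Heuristics for O4 (autostart Run key) lines."""
    m = RUN_RE.match(line)
    if not m:
        return []
    _hive, value_name, command = m.groups()
    reasons = []
    if HEX_NAME_RE.match(value_name):
        reasons.append("Run value name is eight hex digits rather than a product name")
    if "rundll32" in command.lower() and RANDOM_DLL_RE.search(command):
        reasons.append("rundll32 loads a system32 DLL with an eight-letter random-looking name")
    return reasons


def check_start_page(line: str) -> List[str]:
    """Heuristic for R0 lines: a blanked IE start page is worth a look."""
    if line.startswith("R0 - ") and line.endswith("Start Page = about:blank"):
        return ["IE start page reset to about:blank (often left behind by a hijacker)"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every heuristic over each non-empty line; one Finding per reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        for reason in check_bho(line) + check_run(line) + check_start_page(line):
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample, `triage()` flags the same four lines the helper listed (the blank start page, the two suspicious BHOs and the hex-named Run value) and leaves the Adobe, Java and iPod entries alone. Pasting a full HJT log in place of `SAMPLE_LOG` gives a review list to post back, in keeping with the helper's "don't fix anything, just post the log" approach.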
 
Styler is a program I use; it is safe. And I don't have time at the moment to follow the steps, I'll do it on Saturday night.


thanks,
Dan
 
I've hit a snag. I installed the latest Java and I opened the cmd window and typed in what you said, hit Enter, but nothing happened.
 