Full Version: Balloon Saying "your Computer Is Infected With Spyware" Most Likely Malware
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal
   
emopants92
OK, I have been having some kind of malware lately, or spyware or something. OK, well, after 3 days of not being able to get a HijackThis log, I finally got my cure! First, I have a balloon popping up saying "your computer is infected with spyware" blah blah blah. Then it wants me to download a program to get rid of it, obviously fake. Also I have 2 fake icons on my desktop, Windows Update and Support Center, that take me to some website. I also get pop-ups of errors all the time while I'm working on the computer, and on starting up I get about 20. When I try to run HijackThis or AVG or Spybot, I click them to run and nothing happens, and I have tried to reinstall them a couple of times. Here is the log:

Log created by WinPatrol version 14.0.2007.1:14.0.2007.1
Scan saved at 7:49:52 PM, on 3/01/2008
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\PROGRAM FILES\Bonjour\MDNSRESPONDER.EXE
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\ANALOG DEVICES\Core\smax4pnp.exe
C:\PROGRAM FILES\2Wire\2PORTALMON.EXE
C:\PROGRAM FILES\MICROSOFT XBOX 360 ACCESSORIES\XBoxStat.exe
C:\PROGRAM FILES\Java\JRE1.6.0_03\bin\jusched.exe
C:\PROGRAM FILES\QUICKTIME\qttask.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\PROGRAM FILES\AIM6\aim6.exe
C:\PROGRAM FILES\MSN MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpobnz08.exe
C:\PROGRAM FILES\Yahoo!\browser\ybrowser.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpotdd01.exe
C:\PROGRAM FILES\COMMON FILES\AOL\Loader\aolload.exe
C:\PROGRAM FILES\THOOSJE SIDEBAR V2.3\THOOSJE VISTA SIDEBAR.EXE
C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 2.3\program\soffice.bin
C:\PROGRAM FILES\AIM6\AOLSOFTWARE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hpoevm08.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Yahoo!\browser\ycommon.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\bin\hposts08.exe
C:\PROGRAM FILES\Yahoo!\browser\ybrwicon.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\WINDOWS\SYSTEM32\bubbles.scr
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O1 - Hosts: 127.0.0.
O2 - BHO: yjngchdt - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\SYSTEM32\yjngchdt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP]C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray]C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat]c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe silentrun
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task]C:\Program Files\QuickTime\qttask.exe -atboottime
O4 - HKLM\..\Run: [30ff593c]C:\WINDOWS\system32\uuaxundd.dll,b
O4 - HKLM\..\Run: [BM33cc6aa0]C:\WINDOWS\system32\rdtimseq.dll,s
O4 - HKLM\..\Run: [WinReanimator]C:\Program Files\WinReanimator\WinReanimator.exe /hide
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\SYSTEM32\CTFMON.EXE
O4 - HKCU\..\Run: [msnmsgr]C:\Program Files\MSN Messenger\msnmsgr.exe /background
O4 - Global Startup: hp psc 2000 Series.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: OpenOffice.org 2.3.lnk=C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Thoosje Vista Sidebar.lnk=C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_03\bin
O11 - Options group: [] -
O14 - IERESET.INF: START_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/9/b...heckControl.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - AppInit_DLLs: cru629.dat

O21 - WPDShServiceObj - WPDShServiceObj Class - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SYSTEM32\WPDShServiceObj.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - - C:\Program Files\WinPcap\rpcapd.exe -d -f C:\Program Files\WinPcap\rpcapd.ini
O23 - Service: VET Message Service - - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPcservice.exe

--- Additional WinPatrol Info ---
Browser: Unable to find default browser.
MSIE: Internet Explorer (7.00.6000.16608)
134 IE Cookies in Folder: C:\Documents and Settings\Mitchell\Cookies\

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP00 - HKLM\CS3: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never
WP31 - Scheduled Tasks: [McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job]c:\program files\mcafee.com\vso\mcmnhdlr.exe Never
WP31 - Scheduled Tasks: [FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job]C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqfrucl.exe Never

WP32 - Hidden File: C:\BOOT.BAK
WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\cmldr
WP32 - Hidden File: C:\DELL.SDR
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\IPH.PH
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\sqmdata00.sqm
WP32 - Hidden File: C:\sqmdata01.sqm
WP32 - Hidden File: C:\sqmdata02.sqm
WP32 - Hidden File: C:\sqmdata03.sqm
WP32 - Hidden File: C:\sqmdata04.sqm
WP32 - Hidden File: C:\sqmdata05.sqm
WP32 - Hidden File: C:\sqmdata06.sqm
WP32 - Hidden File: C:\sqmdata07.sqm
WP32 - Hidden File: C:\sqmdata08.sqm
WP32 - Hidden File: C:\sqmdata09.sqm
WP32 - Hidden File: C:\sqmdata10.sqm
WP32 - Hidden File: C:\sqmdata11.sqm
WP32 - Hidden File: C:\sqmdata12.sqm
WP32 - Hidden File: C:\sqmdata13.sqm
WP32 - Hidden File: C:\sqmdata14.sqm
WP32 - Hidden File: C:\sqmdata15.sqm
WP32 - Hidden File: C:\sqmdata16.sqm
WP32 - Hidden File: C:\sqmdata17.sqm
WP32 - Hidden File: C:\sqmdata18.sqm
WP32 - Hidden File: C:\sqmdata19.sqm
WP32 - Hidden File: C:\sqmnoopt00.sqm
WP32 - Hidden File: C:\sqmnoopt01.sqm
WP32 - Hidden File: C:\sqmnoopt02.sqm
WP32 - Hidden File: C:\sqmnoopt03.sqm
WP32 - Hidden File: C:\sqmnoopt04.sqm
WP32 - Hidden File: C:\sqmnoopt05.sqm
WP32 - Hidden File: C:\sqmnoopt06.sqm
WP32 - Hidden File: C:\sqmnoopt07.sqm
WP32 - Hidden File: C:\sqmnoopt08.sqm
WP32 - Hidden File: C:\sqmnoopt09.sqm
WP32 - Hidden File: C:\sqmnoopt10.sqm
WP32 - Hidden File: C:\sqmnoopt11.sqm

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [WinRAR archive]C:\Program Files\WinRAR\WinRAR.exe %1
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .DOC: [WordPad Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [Microsoft ® Windows Script Host]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [AT&T Yahoo! Music Jukebox File]C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe -play %1
WP33 - File Type .MP3: [MediaMonkey file]C:\Program Files\MediaMonkey\MediaMonkey.exe %1
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer Presentation]C:\Program Files\Real\RealPlayer\RealPlay.exe %1
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .RTF: [Rich Text Document]C:\Program Files\Windows NT\Accessories\WORDPAD.EXE %1
WP33 - File Type .SBS: [Spyware supplemental file]C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*

Memory currently in use: 35%
Physical Memory Free: 506,008 KB
Paging File Free: 766,068 KB
Virtual Memory Free: 2,052,904 KB


--
End of file
random/random
What you've posted is a log from Winpatrol. WinPatrol is a great application, but I'd like to work with HijackThis itself.

Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  1. Save HJTInstall.exe to your desktop.
  2. Double-click on HJTInstall.exe to run the program.
  3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  4. Accept the license agreement by clicking the "I Accept" button.
  5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  6. Click "Save log" to save the log file and then the log will open in Notepad.
  7. Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  8. Come back here to this thread and paste the log in your next reply.
  9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
emopants92
See, that's what the problem is. I can't get HijackThis to run. I even tried with your instructions and I still haven't been able to get it to run. WinPatrol is the only thing that will run. I save it to the desktop and click it, and all I get is this: a small window pops up, I click Install, it installs, and I never get any message asking me to start it, and then nothing. So I figure it's installed and I click to run the program and nothing; I click again, nothing.
random/random
OK, we'll see what we can do with the Winpatrol log
  1. Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  2. Double click VundoFix.exe to run it.
  3. Click the Scan for Vundo button.
  4. Once it's done scanning, click the Fix Vundo button.
  5. You will receive a prompt asking if you want to remove the files, click YES
  6. Once you click yes, your desktop will go blank as it starts removing Vundo.
  7. When completed, it will prompt that it will reboot your computer, click OK.
  8. Please post the contents of C:\vundofix.txt and a new Winpatrol log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please download this file and save it to your desktop.
  1. Right click on Comdlg32.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. On the text box above the Browse button, copy and paste in C:\Windows\system32.
  4. Click OK.
  5. Uncheck (untick) the Show extracted files box and click Finish.
  6. Click on Start > Run and copy and paste in the following into the Run box:

    REGSVR32 C:\Windows\system32\comdlg32.ocx
  7. Press Enter.
  8. You should receive this message - "DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded."
  9. Click OK and restart your computer. Then try running VundoFix again.

emopants92
Yeah, I downloaded it and tried to run it, and same thing as HijackThis: no response when I click on it. I tried it a couple of times, then in Safe Mode too. And still nothing. I didn't download the 2nd part because I never got an error message; all I got was no response. So should I try that file part and then run it again?
random/random
No, let's try something else
  • Download Autoruns from here
  • Unzip/extract it to a folder on your desktop
  • Double click on autoruns.exe to start Autoruns
  • Wait for it to finish scanning
  • Under Options make sure the following options are selected
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Click File > Refresh
  • Click File > Save As
  • Save it to the desktop as autoruns.txt
  • Post the contents of autoruns.txt as a reply to this topic
emopants92
Yep, sorry this is such a pain, but same thing: no response when I click autoruns.exe.
random/random
Rename autoruns.exe to random.exe and try running it again.
emopants92
Yeah, it worked. OK, here is the file:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe
+ BM33cc6aa0 c:\windows\system32\iafgkuct.dll
+ SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe
+ WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe
+ XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
+ hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup
+ OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe
+ Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe
+ Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
+ jhsf8d984jief8dsfus98jkefn c:\windows\system32\jfiehayd.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ hggfgdb.dll c:\windows\system32\hggfgdb.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
+ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll
+ OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ C:\WINDOWS\system32\jfiehayd.dll c:\windows\system32\jfiehayd.dll
+ {70AB0A8B-8A8A-496F-A339-4CD2F3352991} c:\windows\system32\hggfgdb.dll
+ {D4C1697C-6EBA-47B6-ADC9-328A4C997EB1} c:\windows\system32\awtqn.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
Task Scheduler
+ FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe
+ McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
+ McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
HKLM\System\CurrentControlSet\Services
+ Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe
+ CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe
+ VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
HKLM\System\CurrentControlSet\Services
+ Beep c:\windows\system32\drivers\beep.sys
+ BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys
+ d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys
+ DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS
+ GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys
+ InCDPass File not found: system32\drivers\InCDPass.sys
+ InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys
+ IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MCSTRM RealNetworks Virtual Path Manager® (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys
+ NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys
+ npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys
+ nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys
+ oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys
+ Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys
+ PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv
+ PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys
+ SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys
+ UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys
+ VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys
+ VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys
+ VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys
+ VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys
+ VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys
+ VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys
+ wanatw File not found: system32\DRIVERS\wanatw4.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ __c00CAA47 c:\windows\system32\__c00caa47.dat
+ hggfgdb c:\windows\system32\hggfgdb.dll
+ vptjopus c:\windows\system32\vptjopus.dll
+ xxyaxxx File not found: xxyaxxx.dll
+ yjngchdt File not found: yjngchdt.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\awtqn.dll c:\windows\system32\awtqn.dll
random/random
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save it to the desktop as fix.reg, making sure save as type is set to all files
  • Download UnDLL by ESET from here
  • Unzip/extract it to a folder on the desktop
  • Double click on UNDLL.EXE to start UnDLL
  • Click on Select infected DLL
  • Locate and select this file:
    c:\windows\system32\vptjopus.dll
  • Click Open
  • UnDLL will now attempt to delete the DLL file
  • If asked to restart your PC, click No
  • Repeat the above steps for the following files:
    CODE
    c:\windows\system32\__c00caa47.dat
    c:\windows\system32\awtqn.dll
    c:\windows\system32\cru629.dat
    c:\windows\system32\hggfgdb.dll
    c:\windows\system32\iafgkuct.dll
    c:\windows\system32\jfiehayd.dll
  • Once you have used UnDLL on all the files:
    • Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt
    • Restart your PC manually

Run autoruns again and post the log it produces
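The three keys the fix above touches (AppInit_DLLs, Winlogon\Notify and the LSA Authentication Packages list) are the load points to read first in any Autoruns export, because a stray module there runs inside every GUI process, as SYSTEM at logon, or inside lsass.exe. The script below is an added example, not code from this thread, from Autoruns or from SDFix: it parses an Autoruns-style text export (the sample lines are constructed from the log posted above), flags entries in those load points that carry no publisher information, point at a missing file, use a non-DLL extension, or are anything other than msv1_0 in the LSA list, and decodes the hex(7) value in the posted fix.reg so you can confirm it writes exactly msv1_0 before merging. The line format it assumes and the list of sensitive keys are assumptions of the example, not something Autoruns documents.

```python
import re
from typing import Dict, List

# Added example, not code from the thread or from Autoruns/SDFix.  SAMPLE_LOG is
# constructed from lines of the posted export; the assumed line format is
#   "<registry key or folder>"                                  (section header)
#   "+ <name> [<description> (<Verified|Not verified>) <publisher>] <path>"
#   "+ <name> File not found: <path>"
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ __c00CAA47 c:\windows\system32\__c00caa47.dat
+ hggfgdb c:\windows\system32\hggfgdb.dll
+ xxyaxxx File not found: xxyaxxx.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
+ C:\WINDOWS\system32\awtqn.dll c:\windows\system32\awtqn.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
"""
# The fix.reg posted above.  In REGEDIT4 format hex(7) is REG_MULTI_SZ with
# single-byte (ANSI) characters: each string NUL-terminated, list ended by a NUL.
FIX_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""
# Load points where a stray module runs as SYSTEM, inside lsass.exe, or inside
# every GUI process (assumed list); matched case-insensitively against headers.
SENSITIVE = {
    "appinit_dlls": "AppInit_DLLs (injected into every process loading user32)",
    "winlogon\\notify": "Winlogon Notify package (SYSTEM, at logon)",
    "lsa\\authentication packages": "LSA authentication package (inside lsass.exe)",
    "session manager\\bootexecute": "BootExecute (before any service starts)",
    "protocol_catalog9": "Winsock LSP (sees every socket)",
}
DRIVE = re.compile(r"(?i)(?<![\w\\])[a-z]:\\")  # start of a drive-letter path


def parse_autoruns(text: str) -> List[Dict[str, str]]:
    """The export has no field delimiter, so the name is the first token and
    the path is the last drive-letter path on the line."""
    entries, section = [], ""
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if not line.startswith("+ "):
            section = line
            continue
        name, _, rest = line[2:].partition(" ")
        if "File not found:" in rest:
            desc, _, path = rest.partition("File not found:")
            status, path = "missing", path.strip()
        else:
            starts = [m.start() for m in DRIVE.finditer(rest)]
            desc = rest[:starts[-1]] if starts else rest
            path = rest[starts[-1]:] if starts else ""
            status = ("verified" if "(Verified)" in desc else
                      "not verified" if "(Not verified)" in desc else "no version info")
        entries.append({"section": section, "name": name, "desc": desc.strip(),
                        "status": status, "path": path})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Entries in sensitive load points that a cleanup should look at, with reasons."""
    findings = []
    for e in entries:
        sec = e["section"].lower()
        kind = next((v for k, v in SENSITIVE.items() if k in sec), None)
        if kind is None:
            continue
        base = e["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if "appinit_dlls" in sec:
            reasons.append("AppInit_DLLs is empty on a clean XP SP2 install")
        if "authentication packages" in sec and base not in ("msv1_0", "msv1_0.dll"):
            reasons.append("authentication package other than msv1_0")
        if e["status"] == "missing":
            reasons.append("dangling entry: file not found")
        elif e["status"] == "no version info":
            reasons.append("no version or publisher information")
        if base and not base.endswith(".dll") and "bootexecute" not in sec:
            reasons.append("non-DLL extension in a DLL-only load point")
        if reasons:
            findings.append({**e, "kind": kind, "reasons": reasons})
    return findings


def decode_reg_multi_sz(hex7: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) byte list into its strings."""
    raw = bytes(int(b, 16) for b in hex7.split(",") if b)
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def fix_reg_restores_msv1_0(reg_text: str) -> bool:
    """True only if the .reg sets Authentication Packages to exactly msv1_0."""
    m = re.search(r'"Authentication Packages"=hex\(7\):([0-9a-fA-F,\\\s]+)', reg_text)
    if not m:
        return False
    return decode_reg_multi_sz(re.sub(r"[\\\s]", "", m.group(1))) == ["msv1_0"]


if __name__ == "__main__":
    for f in triage(parse_autoruns(SAMPLE_LOG)):
        print(f"{f['name']}\n  {f['kind']}\n  {'; '.join(f['reasons'])}")
    print("fix.reg restores msv1_0 only:", fix_reg_restores_msv1_0(FIX_REG))
```

Run against the sample it flags the five entries the fix above removes (cru629.dat, __c00CAA47, hggfgdb, xxyaxxx and awtqn.dll) and leaves the SUPERAntiSpyware and CA entries alone; "Not verified" on its own is not a finding, since Autoruns reports that for plenty of legitimate unsigned software, but no version information at all in one of these keys almost always is. Note the fix.reg check is specific to REGEDIT4: a "Windows Registry Editor Version 5.00" file encodes hex(7) as UTF-16LE and would need a different decoder.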
emopants92
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 2wSysTray HomePortal Monitor Application by 2Wire Engineering (Not verified) 2Wire, Inc. c:\program files\2wire\2portalmon.exe
+ 30ff593c File not found: C:\WINDOWS\system32\nfdcecbm.dll
+ BM33cc6aa0 c:\windows\system32\hoapctic.dll
+ RRT-Auto A tool to remove system restrictions and defend against removable media malware! (Not verified) iSergiwa Software - www.sergiwa.com c:\documents and settings\mitchell\local settings\temp\rar$ex00.219\rrt.exe
+ SoundMAXPnP SMax4PNP MFC Application (Not verified) Analog Devices, Inc. c:\program files\analog devices\core\smax4pnp.exe
+ TkBellExe RealNetworks Scheduler (Verified) RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
+ WinPatrol WinPatrol System Monitor (Verified) BillP Studios c:\program files\billp studios\winpatrol\winpatrol.exe
+ XboxStat XBoxStat.exe (Not verified) Microsoft Corporation c:\program files\microsoft xbox 360 accessories\xboxstat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
+ hp psc 2000 Series.lnk HP OfficeJet COM Device Objects (Not verified) Hewlett-Packard Co. c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
+ hpoddt01.exe.lnk hpotdd01 (Not verified) Hewlett-Packard c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
C:\Documents and Settings\Mitchell\Start Menu\Programs\Startup
+ OpenOffice.org 2.3.lnk c:\program files\openoffice.org 2.3\program\quickstart.exe
+ Thoosje Vista Sidebar.lnk c:\program files\thoosje sidebar v2.3\thoosje vista sidebar.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ Aim6 AIM (Not verified) AOL LLC c:\program files\aim6\aim6.exe
+ Jnskdfmf9eldfd c:\documents and settings\mitchell\local settings\temp\csrssc.exe
HKLM\SOFTWARE\Classes\Protocols\Filter
+ application/octet-stream Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-complus Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ application/x-msdownload Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ n/a Microsoft .NET IE SECURITY REGISTRATION (Not verified) Microsoft Corporation c:\windows\system32\mscories.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ SASContextMenu Class SUPERAntiSpyware Context Menu Extension (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\sasctxmn.dll
+ WinRAR c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
+ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ CA_AntiVirus CA Antivirus Shell Extension Handler (Verified) Computer Associates International c:\windows\avshlext.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll
+ OpenOffice.org Column Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Infotip Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Property Sheet Handler (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ OpenOffice.org Thumbnail Viewer (Not verified) Sun Microsystems, Inc. c:\program files\openoffice.org 2.3\program\shlxthdl.dll
+ PowerISO PowerISOShell DLL (Not verified) PowerISO Computing, Inc. c:\program files\poweriso\pwrisosh.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions (Verified) RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ Shell Icon Handler for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ ShellLink for Application References Application Deployment Support Library (Not verified) Microsoft Corporation c:\windows\system32\dfshim.dll
+ Trend Micro Anti-Spyware Shell Extension Anti-Spyware Shell Extension (Not verified) Trend Micro Incorporated c:\program files\trend micro\tmas\sshook.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL (Not verified) WinZip Computing LP c:\program files\winzip\wzshlstb.dll
+ Yahoo! Mail Yahoo! Mail (Verified) Yahoo! Inc. c:\program files\yahoo!\common\ymmapi.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ Yahoo! Toolbar Yahoo! Toolbar (Verified) Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn2\yt.dll
Task Scheduler
+ FRU Task #Hewlett-Packard#hp psc 2200 series#1201058568.job FRU-Client MFC Application c:\program files\hewlett-packard\digital imaging\bin\hpqfrucl.exe
+ McAfee.com Scan for Viruses - My Computer (1) (MITCHELLS-Mitchell).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
+ McAfee.com Scan for Viruses - My Computer (MITCHELLS-Administrator).job File not found: c:\program files\mcafee.com\vso\mcmnhdlr.exe
HKLM\System\CurrentControlSet\Services
+ Bonjour Service ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## (Not verified) Apple Computer, Inc. c:\program files\bonjour\mdnsresponder.exe
+ CAISafe File not found: C:\Program Files\Yahoo!\Antivirus\ISafe.exe
+ VETMSGNT File not found: C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
HKLM\System\CurrentControlSet\Services
+ Beep c:\windows\system32\drivers\beep.sys
+ BsStor B.H.A Storage Helper Driver (WindowsNT5.x) (Not verified) B.H.A Co.,Ltd. c:\windows\system32\drivers\bsstor.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ d347bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d347bus.sys
+ d347prt SCSI miniport (Not verified) c:\windows\system32\drivers\d347prt.sys
+ DiagnosticScan File not found: C:\Program Files\Adware Away\DiagnosticScan.SYS
+ GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ IFP300 iriver Internet Audio Player IFP-300 File not found: system32\DRIVERS\ifp300.sys
+ InCDPass File not found: system32\drivers\InCDPass.sys
+ InCDRm remapper (Not verified) Ahead Software AG c:\windows\system32\drivers\incdrm.sys
+ IPVNMon IPVNMon (Not verified) Visual Networks c:\windows\system32\drivers\ipvnmon.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ MCSTRM RealNetworks Virtual Path Manager® (Not verified) RealNetworks, Inc. c:\windows\system32\drivers\mcstrm.sys
+ NPF npf (Not verified) CACE Technologies c:\windows\system32\drivers\npf.sys
+ npkcrypt File not found: C:\Program Files\NEXON\MapleStory\npkcrypt.sys
+ nuvaud2 File not found: system32\DRIVERS\nuvaud2.sys
+ oreans32 File not found: C:\WINDOWS\system32\drivers\oreans32.sys
+ Partizan Partizan - Rootkit detector (Not verified) Greatis Software c:\windows\system32\drivers\partizan.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ pfc Padus® ASPI Shell (Not verified) Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ psa500 QSound Virtual Engine driver (Not verified) QSound Labs, Inc. c:\windows\system32\drivers\psa500.sys
+ PSSdk23 File not found: C:\WINDOWS\system32\Drivers\PsSdk23.drv
+ PsSdk30 File not found: C:\WINDOWS\system32\Drivers\PsSdk30.drv
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ SCDEmu PowerISO Virtual Drive (Not verified) PowerISO Computing, Inc. c:\windows\system32\drivers\scdemu.sys
+ SNPSTD3 PC Camera driver c:\windows\system32\drivers\snpstd3.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ TPkd InterLok system file (Verified) PACE Anti-Piracy, Inc. c:\windows\system32\drivers\tpkd.sys
+ UacFlt UAC355x Filter/Support Driver (Not verified) Micronas GmbH c:\windows\system32\drivers\uacbflt.sys
+ VET-FILT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-filt.sys
+ VET-REC CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vet-rec.sys
+ VETEBOOT RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\veteboot.sys
+ VETEFILE RealTime Anti-Virus Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetefile.sys
+ VETFDDNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetfddnt.sys
+ VETMONNT CA Antivirus File Protection Driver (Not verified) Computer Associates International, Inc. c:\windows\system32\drivers\vetmonnt.sys
+ wanatw File not found: system32\DRIVERS\wanatw4.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ Partizan Partizan - First Bootwatch Anti-Rootkit (Not verified) Greatis Software c:\windows\system32\partizan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ cru629.dat c:\windows\system32\cru629.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ !SASWinLogon SUPERAntiSpyware WinLogon Processor (Not verified) SUPERAntiSpyware.com c:\program files\superantispyware\saswinlo.dll
+ xxyaxxx File not found: xxyaxxx.dll
+ yjngchdt File not found: yjngchdt.dll
HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\WINDOWS\system32\bubbles.scr Bubbles Screen Saver (Not verified) Microsoft Corporation c:\windows\system32\bubbles.scr
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ CA ISafe LSP CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [RAW/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [TCP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
+ CA ISafe LSP over [MSAFD Tcpip [UDP/IP]] CA ISafe LSP DLL (Verified) Computer Associates International c:\windows\system32\vetredir.dll
random/random
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
emopants92
OK, thank you so much, I can finally get HijackThis to run! Yeah, the only thing next is that I also have WinPatrol and get a new startup program every 10 seconds, and it won't stop when I click No, even after 100 times, lol. The first log is the report, then the second is the HijackThis log file.

SDFix: Version 1.159

Run by Mitchell on Fri 03/21/2008 at 09:34 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name:
pcximg
pzqlp

Path:
\??\C:\WINDOWS\system\pcximg.pif
\??\C:\WINDOWS\Help\pzqlp.chm

pcximg - Deleted
pzqlp - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 31232 02/25/2008 08:07 PM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 31232 02/25/2008 08:07 PM

Infected File Listed Below:

C:\WINDOWS\system32\DLLCACHE\beep.sys
C:\WINDOWS\system32\DRIVERS\BEEP.SYS

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys" 4224 03/21/2008 12:23 AM
"C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS" 4224 03/21/2008 12:23 AM



Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted
C:\Documents and Settings\All Users\Desktop\WinReanimator.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator\WinReanimator.lnk - Deleted
C:\Program Files\Helper\1205557079.dll - Deleted
C:\Program Files\Helper\1205557147.dll - Deleted
C:\Program Files\WinReanimator\htmlayout.dll - Deleted
C:\Program Files\WinReanimator\install.exe - Deleted
C:\Program Files\WinReanimator\pthreadVC2.dll - Deleted
C:\Program Files\WinReanimator\un.ico - Deleted
C:\Program Files\WinReanimator\unzip32.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.cfg - Deleted
C:\Program Files\WinReanimator\WinReanimator.dll - Deleted
C:\Program Files\WinReanimator\WinReanimator.exe - Deleted
C:\Program Files\WinReanimator\data\daily.cvd - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcm80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcp80.dll - Deleted
C:\Program Files\WinReanimator\Microsoft.VC80.CRT\msvcr80.dll - Deleted
C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\winistr.exe - Deleted
C:\WINDOWS\help\pzqlp.chm - Deleted
C:\WINDOWS\system\pcximg.pif - Deleted



Folder C:\Documents and Settings\All Users\Start Menu\Programs\WinReanimator - Removed
Folder C:\Program Files\Helper - Removed
Folder C:\Program Files\WinReanimator - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\AIM6\aim6.exe


Removing Temp Files

ADS Check :


C:\WINDOWS\system32
:svchost 686
Total size: 686 bytes.
system32: deleted 686 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 09:42:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,21,74,73,d9,a1,6c,d5,76,f0,0d,c7,13,53,ab,5f,cd,ca,..
"hj34z0"=hex:99,a5,1b,9a,8c,aa,68,e3,6a,ca,5a,72,0b,42,ea,a7,99,2c,bd,aa,58,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf41]
"khjeh"=hex:20,02,00,00,57,3d,59,d2,a3,14,49,bd,9a,d8,75,b9,65,f6,8d,e5,64,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf42]
"khjeh"=hex:20,02,00,00,bf,39,59,d2,6b,1d,52,c0,22,b7,61,80,ed,63,cc,39,4c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf43]
"khjeh"=hex:20,02,00,00,ca,27,59,d2,bc,55,b2,fd,af,5f,ac,64,d6,31,15,77,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:14c02a52
"s1"=dword:aa5a74b3
"s2"=dword:b35e9d52

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1137290213\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"="C:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe:*:Enabled:RealNetworks Rhapsody"
"C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe"="C:\\Program Files\\Atari-Infogrames\\Roller Coaster Tycoon 2\\rct2.exe:*:Enabled:rct2"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe:*:Enabled:Yahoo! Browser"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"="C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE"="C:\\WINDOWS\\SYSTEM32\\DPNSVR.EXE:*:Enabled:Microsoft DirectPlay8 Server"
"G:\\GAME\\FS9.EXE"="G:\\GAME\\FS9.EXE:*:Enabled:Microsoft Flight Simulator"
"C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"="C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe:*:Enabled:Microsoft Flight Simulator"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe"="C:\\Program Files\\TimHillOne\\H264WebCamPro\\H264WebCamPro.exe:*:Enabled:H264WebCam Microsoft MFC Class Application"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe:*:Enabled:mem86control"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe:*:Enabled:opserver"
"C:\\Program Files\\JetCast Server\\JCSERVER.exe"="C:\\Program Files\\JetCast Server\\JCSERVER.exe:*:Enabled:jetCast Server"
"C:\\Program Files\\JetAudio\\JcServer.exe"="C:\\Program Files\\JetAudio\\JcServer.exe:*:Enabled:jcServer"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Icecast2 Win32\\Icecast2.exe"="C:\\Program Files\\Icecast2 Win32\\Icecast2.exe:*:Enabled:Icecast2win"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe:*:Enabled:opserver"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Program Files\\EA games\\Battlefield 2\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\XBC\\XBC_NS.exe"="C:\\Program Files\\XBC\\XBC_NS.exe:*:Enabled:XBConnect"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE:*:Enabled:Yahoo! Messenger"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe:*:Enabled:PimpStreamer, Streams video from PC to PSP Realtime!"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"="C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 25 Jan 2008 211 A.SHR --- "C:\BOOT.BAK"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Fri 14 Mar 2008 16,384 ..SH. --- "C:\Program Files\Internet Explorer\setupapi.dll"
Mon 12 Feb 2007 848 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Fri 30 Dec 2005 338,891 A.SH. --- "C:\WINDOWS\SYSTEM32\nmllm.tmp"
Sun 25 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 7 Sep 2007 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Sun 19 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Sun 25 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1key.bak"
Sat 25 Mar 2006 20 A..H. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 25 Dec 2005 400 A.SH. --- "C:\Documents and Settings\Mitchell\My Documents\My Music\License Backup\drmv2key.bak"
Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 27 Apr 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 12 Nov 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 13 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:10 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\bunny\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7526 bytes

random/random
These files are legit, but they've been infected, so you'll need to reinstall the programs after this fix:


C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\AIM6\aim6.exe

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
  • Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitComet\\Downloads\\Flight Simulator 2004\\No CD Crack\\fs9.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX04.000\\mem86control.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX08.484\\opserver.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX03.125\\opserver.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\Rar$EX07.437\\PiMPStreamer\\PimpStreamer.exe"=-
"C:\\Documents and Settings\\Mitchell\\Local Settings\\Temp\\.ttA.tmp"=-


Save it to the desktop as fix.reg, making sure "Save as type" is set to "All Files".

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    C:\WINDOWS\system32\nfdcecbm.dll
    C:\WINDOWS\system32\hoapctic.dll
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\2Wire\2PortalMon.exe
    c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Program Files\AIM6\aim6.exe

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O20 - Winlogon Notify: yjngchdt - yjngchdt.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O24 - Desktop Component 0: (no name) - (no file)

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
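The lines the helper ticks in HijackThis above fall into a few recognisable patterns: an O4 Run entry that hands a randomly named system32 DLL to rundll32 through a one-letter export, an autorun whose target sits in a Temp folder, and O20/O22/O24 entries whose file is gone. The script below is an added example, not HijackThis code and not the helper's own tooling; it encodes those patterns as heuristics (the regexes and wording are my assumptions, not HijackThis rules) and runs them over a sample constructed from lines in the log posted earlier in this thread.

```python
"""Triage HijackThis 2.0.2 log lines with the heuristics a forum helper
applies by eye.  Added example, not HijackThis code; the sample is
constructed from lines in the log posted in this thread."""
import re
from typing import List, Tuple

# Constructed sample: a subset of the O4/O20/O22/O24 lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\Rar$EX00.219\RRT.exe auto
O4 - HKLM\..\Run: [BM33cc6aa0] Rundll32.exe "C:\WINDOWS\system32\hoapctic.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyaxxx - xxyaxxx.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O24 - Desktop Component 0: (no name) - (no file)
"""

# Heuristic (assumption, not a HijackThis rule): rundll32 loading a DLL whose
# base name is eight meaningless letters, through a one-letter export ("...",b).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]*\\(?P<name>[A-Za-z]{8})\.dll)"?,(?P<entry>\w+)',
    re.IGNORECASE)
# Heuristic: an autorun whose target lives under a Temp directory.
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)
# HijackThis's own annotation for an entry whose file no longer exists.
ORPHAN_RE = re.compile(r'\((?:file missing|no file)\)')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every line a heuristic matches."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(' - ', 1)[0]          # "O4", "O20", "O22", ...
        reason = None
        if section == 'O4':
            m = RUNDLL_RE.search(line)
            if m:
                reason = (f"rundll32 loads {m.group('name')}.dll (random-looking name) "
                          f"via export '{m.group('entry')}'")
            elif TEMP_RE.search(line):
                reason = "autorun target lives in a temporary folder"
        elif section in ('O20', 'O22', 'O24') and ORPHAN_RE.search(line):
            reason = "startup/shell entry points at a file that no longer exists"
        if reason:
            findings.append((line, reason))
    return findings


def fix_list(log_text: str) -> List[str]:
    """Just the lines, in log order, ready to be ticked in HijackThis."""
    return [line for line, _ in triage(log_text)]


if __name__ == '__main__':
    for line, why in triage(SAMPLE_LOG):
        print(f'{why}\n    {line}')
```

Run on the sample, the script flags exactly the six lines the helper listed for "Fix Checked" and leaves the SoundMAX, ctfmon and SUPERAntiSpyware entries alone. The heuristics are deliberately narrow; anything they miss still needs a human reading the log, which is what the helper is doing here.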
emopants92
this is my ot log and the second is the log from the online scanner

File/Folder C:\WINDOWS\system32\nfdcecbm.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hoapctic.dll
C:\WINDOWS\system32\hoapctic.dll NOT unregistered.
C:\WINDOWS\system32\hoapctic.dll moved successfully.
C:\Program Files\Analog Devices\Core\smax4pnp.exe moved successfully.
C:\Program Files\2Wire\2PortalMon.exe moved successfully.
c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe moved successfully.
C:\Program Files\AIM6\aim6.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03212008_114518

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2966 (20080321)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=094e458ae4794642906fcdc59fa3aeab
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-03-21 08:15:36
# local_time=2008-03-21 01:15:36 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=475373
# found=29
# scan_time=4913
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm Win32/BHO.NCI trojan B88D8A8AE94EE4986D6FA57ADE5989EE
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\UQ0ZR7RN\Installer[1].exe Win32/Adware.WinReanimator application 05D2E2D567DFE2B2F00C2DF7A57F1443
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe Win32/Adware.WinFixer application 2D1580425AF8FB4318D6304A14F46012
C:\SDFix\backups\backups.zip multiple infiltrations 8762AD9788FC12518C97509DA1EB75E9
C:\SDFix\backups\backups.zip »ZIP »backups/1205557079.dll Win32/BHO.NCV trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/1205557147.dll Win32/BHO.NCI trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/BEEP.SYS a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/braviax.exe a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/cru629.dat Win32/TrojanProxy.Agent.NDN trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/csrssc.exe probably a variant of Win32/TrojanDownloader.Small.CYF trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/install.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/winistr.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip multiple infiltrations 04EFB26704921C27A4B3FDFB97876E89
C:\SDFix\backups\catchme.zip »ZIP »beep.sys a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »beep.sys.1 a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »pcximg.pif Win32/TrojanDownloader.Agent.JMZ trojan 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del a variant of Win32/Adware.UltimateDefender application 254C82FBC79956B7D1B492E16AFE82C7
C:\WINDOWS\SYSTEM32\cwqbnjwf.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F
C:\WINDOWS\SYSTEM32\dwkvnnbj.dll Win32/Adware.Virtumonde application BD36712C0944EB8BD3CF0A3086C12960
C:\WINDOWS\SYSTEM32\ecoklfbk.dll Win32/Adware.SecToolbar application 0B3F2E02AC5C2EE57D677D63362B56F7
C:\WINDOWS\SYSTEM32\kokbthgc.dll Win32/Adware.AdMedia application FFD39115CA3A41A8D8D7D330CC83591F
C:\WINDOWS\SYSTEM32\rvnhenvj.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\UIFKMUKH.DLL.del Win32/Adware.AdMedia application 032EE9E686094FCB812C8BE4C7E3F4CA
C:\WINDOWS\SYSTEM32\windows Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64
C:\WINDOWS\SYSTEM32\yjyqgici.dll Win32/Adware.Virtumonde application 0202C561364D2E57E2D277B7F70B14E4
random/random
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm
    C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\UQ0ZR7RN\Installer[1].exe
    C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip
    C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip
    C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe
    C:\WINDOWS\SYSTEM32\ayaeqwxi.dll
    C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del
    C:\WINDOWS\SYSTEM32\cwqbnjwf.dll
    C:\WINDOWS\SYSTEM32\dwkvnnbj.dll
    C:\WINDOWS\SYSTEM32\ecoklfbk.dll
    C:\WINDOWS\SYSTEM32\kokbthgc.dll
    C:\WINDOWS\SYSTEM32\rvnhenvj.dll
    C:\WINDOWS\SYSTEM32\UIFKMUKH.DLL.del
    C:\WINDOWS\SYSTEM32\windows
    C:\WINDOWS\SYSTEM32\yjyqgici.dll

  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post, along with a new HijackThis log.
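The OTMoveIt2 list in the post above is the ESET log's detection lines with everything after the path cut off, and the SDFix backup entries left out. Copying it by hand is how the same zip ended up listed twice (once for the file and once for its »ZIP member) and produced a "not found" on the second move. The script below is an added example, not ESET or OTMoveIt2 code, that does the conversion mechanically and de-duplicates; the log excerpt is constructed from lines posted in this thread, and the assumption that a path ends at the last space-separated token containing a backslash is mine.

```python
"""Turn the detection lines of an ESET Online Scanner log.txt into a
de-duplicated list of on-disk paths for a file-moving tool such as OTMoveIt2.
Added example, not ESET or OTMoveIt2 code; the excerpt below is
constructed from lines posted in this thread."""
import re
from typing import Dict, List, Optional

SAMPLE_ESET_LOG = r"""# version=4
# remove_checked=false
# unwanted_checked=true
# found=6
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip Win32/Adware.WinReanimator application 828A14150262A6A18A31B046AA350CA0
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip »ZIP »WinReanimator.exe Win32/Adware.WinReanimator application 00000000000000000000000000000000
C:\SDFix\backups\backups.zip multiple infiltrations 8762AD9788FC12518C97509DA1EB75E9
C:\SDFix\backups\backups.zip »ZIP »backups/braviax.exe a variant of Win32/Adware.UltimateDefender application 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll Win32/BHO.NCC trojan 4DBD8803064CE7BB50B3F020301256B5
C:\WINDOWS\SYSTEM32\windows Win32/Adware.SecToolbar application AD249B316368039C91BC2B6B3DDFFF64
"""

MD5_RE = re.compile(r'^[0-9A-Fa-f]{32}$')


def header(text: str) -> Dict[str, str]:
    """Return the '# key=value' metadata lines as a dict."""
    meta = {}
    for line in text.splitlines():
        if line.startswith('# ') and '=' in line:
            key, value = line[2:].split('=', 1)
            meta[key.strip()] = value.strip()
    return meta


def parse_detections(text: str) -> List[Dict[str, Optional[str]]]:
    """Split each detection line into path, archive member, detection and MD5.
    Assumption: the on-disk path runs up to the last space-separated token
    that contains a backslash; ESET detection names and the '»'-prefixed
    archive members use forward slashes, so they never extend the path."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = line.split(' ')
        if len(tokens) < 3 or not MD5_RE.match(tokens[-1]):
            continue                                    # not a detection line
        path_end = max((i for i, t in enumerate(tokens) if '\\' in t), default=-1)
        if path_end < 0:
            continue
        rest = tokens[path_end + 1:-1]
        members = [t for t in rest if t.startswith('»')]
        out.append({
            'path': ' '.join(tokens[:path_end + 1]),
            'member': ' '.join(members) or None,        # inner archive entry, if any
            'detection': ' '.join(t for t in rest if not t.startswith('»')),
            'md5': tokens[-1].upper(),
        })
    return out


def move_list(findings, exclude_prefixes=()) -> List[str]:
    """Unique on-disk paths in log order; archive members collapse onto their
    container, and paths under any excluded prefix (e.g. a tool's own
    quarantine folder) are skipped.  NTFS paths compare case-insensitively."""
    seen, paths = set(), []
    for f in findings:
        p = f['path']
        if any(p.lower().startswith(x.lower()) for x in exclude_prefixes):
            continue
        if p.lower() not in seen:
            seen.add(p.lower())
            paths.append(p)
    return paths


def count_matches_header(text: str) -> bool:
    """Sanity check: did we parse as many lines as the '# found=' header says?"""
    return len(parse_detections(text)) == int(header(text).get('found', -1))


if __name__ == '__main__':
    found = parse_detections(SAMPLE_ESET_LOG)
    print('\n'.join(move_list(found, exclude_prefixes=('C:\\SDFix\\',))))
```

With the SDFix quarantine excluded, as the helper did, the sample yields three paths; without the exclusion it yields four, and in neither case does the zip appear twice. The `remove_checked` header confirms the scan was run in report-only mode as instructed, so the files are still on disk for the move step.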
emopants92
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBEOGWWV\sdferw[1].htm moved successfully.
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\UQ0ZR7RN\Installer[1].exe moved successfully.
C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip moved successfully.
File/Folder C:\Documents and Settings\Mitchell\Local Settings\Temporary Internet Files\Content.IE5\YM1K16J3\Binaries1[1].zip not found.
C:\RECYCLER\S-1-5-21-817955303-2890540678-2661541813-1006\Dc7.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ayaeqwxi.dll
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ayaeqwxi.dll moved successfully.
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE.del moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cwqbnjwf.dll
C:\WINDOWS\SYSTEM32\cwqbnjwf.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\cwqbnjwf.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\dwkvnnbj.dll
C:\WINDOWS\SYSTEM32\dwkvnnbj.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\dwkvnnbj.dll moved successfully.
C:\WINDOWS\SYSTEM32\ecoklfbk.dll unregistered successfully.
C:\WINDOWS\SYSTEM32\ecoklfbk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\kokbthgc.dll
C:\WINDOWS\SYSTEM32\kokbthgc.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\kokbthgc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rvnhenvj.dll
C:\WINDOWS\SYSTEM32\rvnhenvj.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rvnhenvj.dll moved successfully.
C:\WINDOWS\SYSTEM32\UIFKMUKH.DLL.del moved successfully.
C:\WINDOWS\SYSTEM32\windows moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\yjyqgici.dll
C:\WINDOWS\SYSTEM32\yjyqgici.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\yjyqgici.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_084955
random/random
Please also post a new HijackThis log
emopants92
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:26 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\Trend Micro\bunny\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020022 -YBrowser.exe2006.8
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7701 bytes
random/random
Right click here and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there. (except for "My current home page")

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O4 - HKLM\..\Run: [30ff593c] rundll32.exe "C:\WINDOWS\system32\nfdcecbm.dll",b
O24 - Desktop Component 0: (no name) - (no file)

Then close all windows except HijackThis and click Fix Checked

Then post a new HijackThis log & let me know how your PC is running now
emopants92
thank you everything is running great and smoothly the only thing is when I start my computer and load my account I get 2 pop error windows one saying could not run ...nfdcecbm.dll",b
and could not run .....hoapctic.dll",s . Also because by default I get winpatrol to run on startup I get a message saying C:\WINDOWS\system32\hoapctic.dll",s is being added to your start up programs . I keep clicking deny cuz I don't know if it is good or bad?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:52 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\bunny\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.193.196.81:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7135 bytes
random/random
QUOTE
Also, because by default I have WinPatrol run on startup, I get a message saying C:\WINDOWS\system32\hoapctic.dll",s is being added to your startup programs. I keep clicking deny because I don't know if it is good or bad?


C:\WINDOWS\system32\hoapctic.dll is bad

Download RegSearch by Bobbi Flekman.
  • Create a folder in your C: drive C:\Regsearch, and extract all the files from the zip archive into that folder.
  • Double click regsearch.exe to launch the programme.
  • Copy/Paste the following into the Search Box nfdcecbm.dll
  • Click OK.

Regsearch will now search your Registry for the required strings, when it is finished it will open a Notepad file RegSearch.txt, saved to the Regsearch folder.

Copy/Paste that file into your next post.

Repeat for this search term: hoapctic.dll
emopants92
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 3/24/2008 8:15:35 AM for strings:
; 'nfdcecbm.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_CURRENT_USER\Software\BillP Studios\Detected\Startup]
"C:\\WINDOWS\\SYSTEM32\\NFDCECBM.DLL"="03/20/2008 8:20 PM"

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Run]
"C:\\WINDOWS\\system32\\nfdcecbm.dll,b"="1"

; End Of The Log...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 3/24/2008 8:23:25 AM for strings:
; 'hoapctic.dll '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Here is a HijackThis log too.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:35 AM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\bunny\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/Activ...ldsDownload.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8619 bytes

random/random
Right click on the Winpatrol icon in the system tray and click Exit Program

Copy the contents of the following codebox to a notepad window

CODE
REGEDIT4

; "name"=- deletes that single value; the keys themselves are left in place

[HKEY_CURRENT_USER\Software\BillP Studios\Detected\Startup]
"C:\\WINDOWS\\SYSTEM32\\NFDCECBM.DLL"=-

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Run]
"C:\\WINDOWS\\system32\\nfdcecbm.dll,b"=-


Save it to the desktop as fix.reg, making sure save as type is set to all files

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt

Restart and let me know of any remaining problems
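The RegSearch-to-fix.reg step above, as an added example that is not code from the thread, from RegSearch or from WinPatrol: a Python script that reads RegSearch's .reg-style report and writes the REGEDIT4 deletion file for every value whose name or data contains the search string, so the value names (with their doubled backslashes) are copied exactly instead of being retyped. The sample report is constructed from the two hits posted above plus a made-up `Example\Unrelated` key, to show that non-matching values are left alone.

```python
r"""Generate a REGEDIT4 deletion script from a RegSearch (.reg-style) report.

Added example, not code from the thread. Assumes the RegSearch.txt layout
shown in the thread: '[KEY]' headers followed by '"name"="data"' lines,
';' comments and blank lines. For every value whose name or data contains
the search string it emits '"name"=-' under that key, which is exactly the
shape of fix.reg above.
"""
import re

# Constructed sample: the two hits RegSearch reported for nfdcecbm.dll,
# plus a made-up key that must not end up in the fix file.
SAMPLE_REGSEARCH = r'''Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman (c) 2005
; Results for strings:
; 'nfdcecbm.dll'

[HKEY_CURRENT_USER\Software\BillP Studios\Detected\Startup]
"C:\\WINDOWS\\SYSTEM32\\NFDCECBM.DLL"="03/20/2008 8:20 PM"

[HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Run]
"C:\\WINDOWS\\system32\\nfdcecbm.dll,b"="1"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Keep"="this value is not a hit"

; End Of The Log...
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A quoted value name (backslashes and quotes are escaped with '\' in .reg
# files) or '@' for the default value, then '=' and the data.
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def parse_regsearch(text):
    """Return {key: [(name_token, data), ...]} for every value line under a key."""
    hits = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            hits.setdefault(key, [])
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            hits[key].append((m.group('name'), m.group('data')))
    return hits


def build_delete_script(text, needle):
    """Emit a REGEDIT4 script that deletes every value whose name or data
    contains `needle` (case-insensitive). Keys without a hit are not listed,
    so merging the script cannot touch anything the search did not find."""
    needle = needle.lower()
    out = ['REGEDIT4', '']
    for key, values in parse_regsearch(text).items():
        matching = [name for name, data in values
                    if needle in name.lower() or needle in data.lower()]
        if not matching:
            continue
        out.append('[%s]' % key)
        out.extend('%s=-' % name for name in matching)
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    # Redirect this to fix.reg, then back up the registry before merging it.
    print(build_delete_script(SAMPLE_REGSEARCH, 'nfdcecbm.dll'), end='')
```

A search string with no hits yields only the `REGEDIT4` header, which is what the empty hoapctic.dll report above corresponds to. Deleting a whole key instead of a value uses the `[-KEY]` form; in either case take a registry backup before merging.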
emopants92
Thanks, everything is good and great. The only other question I have is: when I go to My Computer I have a red X on my drive C. Also, when I go to My Documents, I clicked Properties and changed it to don't show hidden files, and the files that are usually hidden are still showing up even though I don't want them to show up. Also, a quick note on the X on the drive C: I attached a photo of what it looks like.

On another note, it looks like I'm running Vista but I'm not; it's a conversion pack I used on my Windows XP Service Pack 2.
emopants92
OK!!! Scratch that last post! I can't turn my computer on now. It loads Dell... then loads something else, then I get an error message saying that my hal.dll is corrupt and must be reinstalled for the computer to boot up. This is after the Dell logo loads and before the XP loading page. I can't even turn it on? I'm on the second computer in my house. OK, well, how do I get that file to run or put that file back on my computer without the Windows XP CD, because when I bought my Dell through Dell, Windows XP Service Pack 2 was pre-installed. Thanks
random/random
I've not come across this before, so I've asked some other experts for help.
random/random
I have a couple of suggestions for you to try:

Restart the PC. The messages are sometimes just a fluke.

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process.
  • Turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Last known good configuration option is selected.
  • Press Enter. The computer then begins to start

Let me know if either of these work
emopants92
OK, I posted a topic on another part of Bleeping Computer and now I'm back on my original computer. Now the only problems I am having are the ones I mentioned in this post above. Thanks sooo much for helping me!


QUOTE(emopants92 @ Mar 24 2008, 02:52 PM) *
Thanks, everything is good and great. The only other question I have is: when I go to My Computer I have a red X on my drive C. Also, when I go to My Documents, I clicked Properties and changed it to don't show hidden files, and the files that are usually hidden are still showing up even though I don't want them to show up. Also, a quick note on the X on the drive C: I attached a photo of what it looks like.

On another note, it looks like I'm running Vista but I'm not; it's a conversion pack I used on my Windows XP Service Pack 2.

random/random
  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Make sure this option is selected:
    • Do not show hidden files and folders
  • Click Apply and then click OK

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window

CODE
REGEDIT4

; a leading '-' inside the brackets deletes the whole key, which restores the default icon for drive C

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C]


Save it to the desktop as fix2.reg, making sure save as type is set to all files

Locate Fix2.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt

Let me know if this solves your problems.
emopants92
OK, thanks, yeah, that got rid of my X on my C drive. This is just an example, but when I go to My Documents I have like pos1A00 through posFFF. It's like 200 files that used to be hidden but aren't now? Oh, and I don't know if this helps with the problem: I had used RRT (Remove Restrictions Tool) because a while back when you told me to edit some registry file I couldn't, because the virus I did have disabled my registry editing.
random/random
QUOTE
This is just an example, but when I go to My Documents I have like pos1A00 through posFFF. It's like 200 files that used to be hidden but aren't now?


Those files are malware related. The following instructions will delete them.
  • Open a new notepad window (Start>All Programs>Accessories>Notepad)
  • Copy & paste the contents of the following codebox into the notepad window
    CODE
    rem /a = any attributes (hidden/system too), /f = force read-only files, /s = every folder on C:, /q = no confirmation prompt
    del /a /f /s /q "C:\pos???.tmp"
    del /a /f /s /q "C:\pos????.tmp"
  • Click File > Save as
  • In the box labelled File name copy and paste cleanup.bat
  • Change Save as type to All Files
  • Save it to your desktop
  • Close the notepad window
  • Double click on cleanup.bat
  • A DOS window will come up briefly and then disappear, this is normal

Let me know if this works
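A dry run for the cleanup.bat above, added here as an example that is not part of the thread: it lists what the two `del` lines would remove before anything is deleted, which is the check worth making before running `del /f /s /q` against a whole drive. The directory tree it scans is constructed. One assumption is built in and labelled in the code: cmd.exe expands `?` more loosely than a shell glob, so a run of `?` immediately before the extension matches up to that many characters (which is why `pos???.tmp` would also catch `pos7.tmp`). That model follows the Windows DOS_QM wildcard rule as I understand it; verify it with `dir pos???.tmp` on the target machine before trusting the list.

```python
r"""Dry run for cleanup.bat: see what `del /a /f /s /q "C:\pos???.tmp"` and
`"C:\pos????.tmp"` would take with it before anything is deleted.

Added example, not from the thread. Wildcards are expanded with a model of
cmd.exe's rules (an assumption, see below) rather than Python's fnmatch,
because the two differ for '?'. The directory tree is constructed.
"""
import os
import re
import tempfile

PATTERNS = ('pos???.tmp', 'pos????.tmp')


def dos_wildcard_to_regex(pattern):
    """Assumed cmd.exe/FindFirstFile semantics: '*' is any run of characters;
    a run of n '?' directly before a '.' or the end of the name matches
    0..n characters; anywhere else '?' is exactly one character."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern[i] == '?':
            j = i
            while j < len(pattern) and pattern[j] == '?':
                j += 1
            n = j - i
            at_boundary = j == len(pattern) or pattern[j] == '.'
            parts.append('[^.]{0,%d}' % n if at_boundary else '[^.]{%d}' % n)
            i = j
        elif pattern[i] == '*':
            parts.append('.*')
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE)


def find_matches(root, patterns=PATTERNS):
    """Walk `root` the way `del /s` does and return the relative paths (with
    '/' separators) of every file whose name matches any pattern.
    Nothing is deleted here."""
    regexes = [dos_wildcard_to_regex(p) for p in patterns]
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(rx.match(name) for rx in regexes):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, '/'))
    return sorted(found)


def remove_matches(root, patterns=PATTERNS):
    """The destructive step (/f /q): unlink every match and return the list."""
    victims = find_matches(root, patterns)
    for rel in victims:
        path = os.path.join(root, *rel.split('/'))
        os.chmod(path, 0o600)      # /f: clear a read-only bit first
        os.remove(path)
    return victims


def make_sample_tree():
    """Constructed sample: malware droppings mixed with lookalike names."""
    root = tempfile.mkdtemp(prefix='posdemo_')
    docs = os.path.join(root, 'Documents and Settings', 'user', 'My Documents')
    os.makedirs(docs)
    for name in ('pos1A00.tmp', 'posFFF.tmp', 'pos7.tmp', 'position.tmp',
                 'posABCD.txt', 'report.tmp'):
        open(os.path.join(docs, name), 'w').close()
    open(os.path.join(root, 'posBEEF.tmp'), 'w').close()
    return root


if __name__ == '__main__':
    root = make_sample_tree()
    for rel in find_matches(root):
        print('would delete', rel)
```

Point `find_matches` at the real drive root and review the list; only once it contains nothing but the pos*.tmp droppings is `remove_matches` (or the batch file) the right next step.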
emopants92
OK, thanks, my computer is all fixed. My only next question is, if I run Ad-Aware, Spybot, and SuperAnti-Virus (free edition), do you think this is good enough to keep my computer from getting anything else?
random/random
QUOTE(emopants92 @ Mar 29 2008, 03:30 PM) *
OK, thanks, my computer is all fixed. My only next question is, if I run Ad-Aware, Spybot, and SuperAnti-Virus (free edition), do you think this is good enough to keep my computer from getting anything else?


No. You also need to have at a minimum an antivirus and a firewall. You appear to have Yahoo! antivirus installed, so you should be OK for antivirus, but I don't see any sign of a firewall in your log.

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you need to be registered to post, as unfortunately we were hit with too much spam posting to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
    • Turn System Restore off
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    Restart
    • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  1. Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Two good paid for antivirus programs are NOD32 and Bitdefender
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  2. Install and use a firewall with outbound protection
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
    I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Online armor
    See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
  3. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install
  4. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month
  5. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  6. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster from here
  7. Install and use Spybot Search & Destroy
    Instructions are located here
    Make sure you update, reimmunize & scan regularly
  8. Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites
    Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
    • Run Spybot Search & Destroy
    • Click on Mode, and then place a tick next to Advanced mode
    • Click Yes
    • In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
    • Click on Add Spybot-S&D hosts list
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  9. Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer which provides some real time protection against premium rate dialers
  10. Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date
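The HOSTS file point in step 8, as an added example that is not code from the thread or from Spybot S&D: a Python script that parses a hosts file, adds block entries without duplicating ones already present, and flags the opposite pattern, a well-known site pinned to a routable address, which is what a malware-edited hosts file looks like. The sample file, the 198.51.100.7 address and the "protected" domain names are constructed placeholders.

```python
r"""Audit and extend a Windows HOSTS file (%SystemRoot%\system32\drivers\etc\hosts).

Added example, not code from the thread or from Spybot S&D. A blocklist
HOSTS file works by pinning unwanted hostnames to 127.0.0.1 or 0.0.0.0;
the same file edited by malware does the reverse, pinning security or
update sites to an attacker's server. The sample and the "protected"
domain names below are constructed placeholders.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocklist entries of the kind Spybot adds
127.0.0.1  ads.example-tracker.net
0.0.0.0    malware-dropper.example.org   # trailing comment
# the kind of line a hijacker adds: a real site pinned to its own server
198.51.100.7   www.example-av-vendor.com
198.51.100.7   update.example-os-vendor.com
not-an-ip      garbage
"""

# Placeholder names standing in for the vendor sites a hijacker targets.
PROTECTED_SUFFIXES = ('example-av-vendor.com', 'example-os-vendor.com')


def parse_hosts(text):
    """Return [(ip, [hostnames])] for every usable line; comments, blanks and
    lines whose first field is not an IP address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) > 1:
            entries.append((str(ip), [h.lower() for h in fields[1:]]))
    return entries


def is_block_address(ip):
    """127.x, ::1 and 0.0.0.0 send the name nowhere useful: that is a block."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, protected=PROTECTED_SUFFIXES):
    """(ip, host) pairs where a protected name points at a routable address,
    i.e. a redirect rather than a block."""
    bad = []
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            is_protected = any(host == s or host.endswith('.' + s) for s in protected)
            if is_protected and not is_block_address(ip):
                bad.append((ip, host))
    return bad


def add_blocks(text, hostnames, address='0.0.0.0'):
    """Append a block entry for each hostname not already listed."""
    present = {h for _ip, hosts in parse_hosts(text) for h in hosts}
    lines = [text.rstrip('\n')]
    for host in hostnames:
        host = host.lower()
        if host not in present:
            lines.append('%s\t%s' % (address, host))
            present.add(host)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for ip, host in find_hijacks(SAMPLE_HOSTS):
        print('hijacked:', host, '->', ip)
    print(add_blocks(SAMPLE_HOSTS, ['Ads.Example-Tracker.net', 'evil.example']), end='')
```

Because the resolver consults this file before DNS, a block entry stops the name resolving for every program on the machine, and a redirect entry silently sends every program somewhere else; checking for the second kind is the part of a hosts-file review that a blocklist installer does not do for you.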
emopants92
OK, I installed and updated all the programs you mentioned and will keep up with them. I'm going to schedule them to run at night on different days, at least every 2 1/2 weeks. Also, how do I get TeaTimer to run if I already have it installed?
random/random
Winpatrol does everything TeaTimer does +more, so I'd recommend you keep that, but if you want to use TeaTimer I suggest you uninstall or disable Winpatrol, as the two may conflict.

If you do want to use TeaTimer, you can enable it by doing the following:

Run Spybot S & D
Click on the Mode menu and make sure that Advanced mode is ticked
Click on Tools to expand it
Click on Resident
Put a tick next to "Resident TeaTimer (Protection of over-all system settings) active".

TeaTimer is now enabled
