grimya,

Welcome to PCHF! There are few entries I'd remove but first let's run both these programs to clean up anything else. Then we'll follow up with a HJT we'll remove entries from.

Run both these programs.


Please download Malwarebytes' Anti-Malware from one of these places:

|MG| Malwarebytes Anti-Malware 1.31

http://www.besttechie.net/tools/mbam-setup.exe


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, navigate to the Update tab and click Check For Updates. It will then download the latest updates for you
* Now navigate back to the Scan tab
* Select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


================================================== ===================================

================================================== ===================================


Ok. Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please download from one of these webpages .

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt, MBAM Log and a new HJT ran after everything in your next reply.

Well I've run all the programs and I have to admit, it is running much faster already! Mbam found 14 infections. Again, thank you so much for your help!
Here are the logs:

**********Hijackthis************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:49 PM, on 12/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\hkcmd.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://img.member.yahoo.com/dl/atty/yinst_current.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229558122265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: McAfee Application Installer Cleanup (0093841229733841) (0093841229733841mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Owner\LOCALS~1\Temp\009384~1.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (Award-winning Antivirus and Antispyware Security) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5727 bytes
************************************************** ***

*************MBAM************************
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/19/2008 6:23:00 PM
mbam-log-2008-12-19 (18-23-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 176533
Time elapsed: 2 hour(s), 40 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************************************** ***

*******************COMBOFIX*********************

ComboFix 08-12-18.03 - Owner 2008-12-19 18:46:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.39 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\IE4 Error Log.txt
c:\windows\system32\_003988_.tmp.dll
c:\windows\system32\_003989_.tmp.dll
c:\windows\system32\_003990_.tmp.dll
c:\windows\system32\_003991_.tmp.dll
c:\windows\system32\_003998_.tmp.dll
c:\windows\system32\_003999_.tmp.dll
c:\windows\system32\_004000_.tmp.dll
c:\windows\system32\_004002_.tmp.dll
c:\windows\system32\_004003_.tmp.dll
c:\windows\system32\_004006_.tmp.dll
c:\windows\system32\_004007_.tmp.dll
c:\windows\system32\_004009_.tmp.dll
c:\windows\system32\_004010_.tmp.dll
c:\windows\system32\_004011_.tmp.dll
c:\windows\system32\_004013_.tmp.dll
c:\windows\system32\_004016_.tmp.dll
c:\windows\system32\_004017_.tmp.dll
c:\windows\system32\_004021_.tmp.dll
c:\windows\system32\_004022_.tmp.dll
c:\windows\system32\_004024_.tmp.dll
c:\windows\system32\_004026_.tmp.dll
c:\windows\system32\_004027_.tmp.dll
c:\windows\system32\_004029_.tmp.dll
c:\windows\system32\_004030_.tmp.dll
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004032_.tmp.dll
c:\windows\system32\_004035_.tmp.dll
c:\windows\system32\_004036_.tmp.dll
c:\windows\system32\_004037_.tmp.dll
c:\windows\system32\_004038_.tmp.dll
c:\windows\system32\_004039_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004046_.tmp.dll
c:\windows\system32\_004047_.tmp.dll
c:\windows\system32\_007237_.tmp.dll
c:\windows\system32\_007238_.tmp.dll
c:\windows\system32\_007239_.tmp.dll
c:\windows\system32\_007240_.tmp.dll
c:\windows\system32\_007247_.tmp.dll
c:\windows\system32\_007248_.tmp.dll
c:\windows\system32\_007249_.tmp.dll
c:\windows\system32\_007250_.tmp.dll
c:\windows\system32\_007252_.tmp.dll
c:\windows\system32\_007253_.tmp.dll
c:\windows\system32\_007256_.tmp.dll
c:\windows\system32\_007257_.tmp.dll
c:\windows\system32\_007259_.tmp.dll
c:\windows\system32\_007260_.tmp.dll
c:\windows\system32\_007261_.tmp.dll
c:\windows\system32\_007263_.tmp.dll
c:\windows\system32\_007266_.tmp.dll
c:\windows\system32\_007267_.tmp.dll
c:\windows\system32\_007271_.tmp.dll
c:\windows\system32\_007272_.tmp.dll
c:\windows\system32\_007274_.tmp.dll
c:\windows\system32\_007276_.tmp.dll
c:\windows\system32\_007277_.tmp.dll
c:\windows\system32\_007279_.tmp.dll
c:\windows\system32\_007280_.tmp.dll
c:\windows\system32\_007281_.tmp.dll
c:\windows\system32\_007282_.tmp.dll
c:\windows\system32\_007283_.tmp.dll
c:\windows\system32\_007286_.tmp.dll
c:\windows\system32\_007287_.tmp.dll
c:\windows\system32\_007288_.tmp.dll
c:\windows\system32\_007289_.tmp.dll
c:\windows\system32\_007290_.tmp.dll
c:\windows\system32\_007295_.tmp.dll
c:\windows\system32\_007297_.tmp.dll
c:\windows\system32\_007298_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-19 15:37 . 2008-12-19 15:37 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-19 15:37 . 2008-12-19 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-19 15:37 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-19 15:37 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-19 15:36 . 2008-12-19 15:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-19 10:41 . 2008-12-19 10:41 <DIR> d-------- c:\program files\Trend Micro
2008-12-18 23:10 . 2008-12-18 23:10 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-18 22:07 . 2008-12-18 22:07 <DIR> d-------- c:\windows\system32\GroupPolicy
2008-12-18 22:07 . 2008-12-19 13:40 <DIR> d-------- c:\program files\Windows Desktop Search
2008-12-18 22:04 . 2008-03-07 12:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
2008-12-18 22:04 . 2008-03-07 12:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
2008-12-18 22:04 . 2008-03-07 12:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
2008-12-18 21:55 . 2008-12-18 21:55 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-12-18 21:39 . 2008-12-18 21:39 <DIR> d-------- c:\windows\system32\URTTEMP
2008-12-18 19:22 . 2008-12-18 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-18 17:34 . 2008-12-19 14:24 <DIR> d-------- c:\windows\system32\CatRoot2
2008-12-18 17:01 . 2008-12-18 17:01 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\WebRoot
2008-12-18 16:56 . 2008-12-19 19:05 5,335 --a------ c:\windows\system32\Config.MPF
2008-12-18 16:31 . 2008-12-18 16:53 <DIR> d-------- C:\Chat - 1088063239
2008-12-18 16:23 . 2008-12-18 16:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TeamViewer
2008-12-18 16:22 . 2008-12-18 16:22 <DIR> d-------- c:\documents and settings\Administrator\temp
2008-12-18 16:16 . 2008-12-18 16:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Applications
2008-12-18 16:11 . 2008-06-02 14:55 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-18 16:11 . 2008-06-27 06:08 79,240 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-18 16:11 . 2008-06-27 06:08 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-18 16:11 . 2008-06-27 06:08 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-18 16:10 . 2008-12-18 16:11 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-18 16:08 . 2008-12-19 17:22 <DIR> d-------- c:\program files\McAfee
2008-12-18 15:57 . 2008-06-20 05:41 34,152 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-18 15:12 . 2008-12-18 15:12 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-12-18 15:10 . 2008-12-18 16:22 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 12:52 . 2008-12-18 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-18 09:48 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-18 09:48 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-17 21:13 . 2008-04-13 19:12 409,088 --a------ c:\windows\system32\qmgr.dll
2008-12-17 21:13 . 2008-04-13 13:53 264,832 --------- c:\windows\system32\drivers\http.sys
2008-12-17 21:13 . 2008-04-13 13:53 36,608 --------- c:\windows\system32\drivers\ip6fw.sys
2008-12-17 21:13 . 2008-04-13 13:31 36,352 --------- c:\windows\system32\drivers\intelppm.sys
2008-12-17 21:13 . 2008-04-13 13:45 30,208 --a------ c:\windows\system32\drivers\usbehci.sys
2008-12-17 21:13 . 2008-04-13 13:36 15,488 --------- c:\windows\system32\drivers\mssmbios.sys
2008-12-17 21:11 . 2008-04-13 13:32 129,792 --------- c:\windows\system32\drivers\fltmgr.sys
2008-12-17 21:11 . 2008-04-13 13:46 25,600 --------- c:\windows\system32\drivers\hidbth.sys
2008-12-17 21:11 . 2008-04-13 13:46 18,944 --------- c:\windows\system32\drivers\bthusb.sys
2008-12-17 21:11 . 2008-04-13 13:46 17,024 --------- c:\windows\system32\drivers\bthenum.sys
2008-12-17 21:11 . 2008-04-13 19:11 14,143 --------- c:\windows\system32\drivers\atv06nt5.dll
2008-12-17 21:11 . 2008-04-13 13:40 11,904 --------- c:\windows\system32\drivers\sffdisk.sys
2008-12-17 21:11 . 2008-04-13 13:40 11,008 --------- c:\windows\system32\drivers\sffp_sd.sys
2008-12-17 21:11 . 2008-04-13 19:11 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
2008-12-17 21:08 . 2008-04-13 13:45 19,200 --------- c:\windows\system32\drivers\hidir.sys
2008-12-17 21:06 . 2008-04-13 12:39 2,897,920 --------- c:\windows\system32\xpsp2res.dll
2008-12-17 21:04 . 2008-04-13 13:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
2008-12-17 21:04 . 2008-04-13 13:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
2008-12-17 20:57 . 2008-04-13 13:36 43,008 --------- c:\windows\system32\drivers\amdagp.sys
2008-12-17 20:57 . 2008-04-13 13:36 42,752 --------- c:\windows\system32\drivers\alim1541.sys
2008-12-17 20:54 . 2008-04-13 13:36 42,240 --------- c:\windows\system32\drivers\viaagp.sys
2008-12-17 20:54 . 2008-04-13 13:36 40,960 --------- c:\windows\system32\drivers\sisagp.sys
2008-12-17 20:41 . 2008-12-17 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-17 20:37 . 2008-12-17 20:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-17 20:32 . 2008-08-14 05:11 2,189,184 --a------ c:\windows\system32\ntoskrnl.exe
2008-12-17 17:14 . 2008-12-18 18:31 <DIR> d-------- c:\windows\system32\scripting
2008-12-17 17:14 . 2008-12-18 18:31 <DIR> d-------- c:\windows\system32\en
2008-12-17 17:14 . 2008-12-18 18:31 <DIR> d-------- c:\windows\l2schemas
2008-12-17 17:13 . 2008-12-18 18:31 <DIR> d-------- c:\windows\system32\bits
2008-12-17 16:28 . 2004-08-04 02:00 71,040 --------- c:\windows\system32\drivers\_003966_.tmp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-12-19 09:46 --------- d-----w c:\program files\Cain
2008-12-18 01:41 --------- d-----w c:\program files\Lavasoft
2008-11-19 18:12 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!
2008-10-26 21:57 --------- d-----w c:\documents and settings\Owner\Application Data\Image Zone Express
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2006-02-19 01:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2008-07-11 16:48 641208 c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2008-11-04 14:01 558808 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2005-08-24 07:51 442455 c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-24 17:15 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 18:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ycommon.exe"=
"c:\\Program Files\\Yahoo! Games\\Bejeweled 2 Deluxe\\WinBej2.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
"AllowRedirect"= 1 (0x1)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs 0bbc.sys [2008-08-09 29808]

*Newly Created Service* - 0158081229725774MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (ROBERT-KFLNRVGV-Owner).job
- c:\progra~1\mcafee.com\vso\mcmnhdlr.exe []

2008-12-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-12-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk -
Trusted Zone: *.sbcglobal.net
Trusted Zone: *.yahoo.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\a4fxm2vm.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

************************************************** ************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 19:14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3632)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Windows Media Player\wmpband.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\verclsid.exe
.
************************************************** ************************
.
Completion time: 2008-12-19 19:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 00:22:41

Pre-Run: 23,646,752,768 bytes free
Post-Run: 24,302,161,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /safeboot:network

345 --- E O F --- 2008-12-19 14:48:52
************************************************** ******

That's all clean. MBAM and ComboFix picked up a TON of files and deleted them. Just do me a favor and reboot then post another HJT to confirm all the malware is gone.

Crush

That was from after the reboot. However I did get a pop up from mcafee saying that a program was trying to pop up. I can't find the event log now, but I looked it up and it was one that allows registry changes without using an interface. Is there something else I should be looking into?

I am pretty sure you are clean. See if you can get a screenshot of or copy down that mcafee popup though. I'm interested in seeing that. Let's hold off on completing the thread and removing ComboFix (since that will create a restore point and we don't want an infected one) until that mcafee popup is sorted.

Crush

Hello again,

Just following up here. Do you still require assistance in removing your malware infections or can I put this thread to bed? Please advise us as to the situation.

Regards,

Crush
PCHF Security Team