Hello Everyone,
I believe I have a virus or adware but am not sure. Every time I open up Internet Explorer I get spyware & antivirus advertisement pop-ups from "SecureExportCleaner" requesting that I scan my computer. In addition I got a block pop-up from McAfee indicating that I have a Generic PUP.X. I tried doing a virus scan with McAfee, an Ad-Aware scan, a Spybot scan and an ewido anti-spyware scan in safe mode, but I still can't get rid of the pop-ups. Can someone help me out?

Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Thanks Jabuck,
I ran Malwarebytes; I can't believe all the stuff that Ad-Aware, Spybot, McAfee & ewido left behind. Here is the log. Please let me know if there is anything else I need to do.
Malwarebytes' Anti-Malware 1.28
Database version: 1198
Windows 5.1.2600 Service Pack 2
9/23/2008 7:00:32 AM
mbam-log-2008-09-23 (07-00-32).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 131807
Time elapsed: 1 hour(s), 20 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88445e5a-c238-4629-8ae8-9fd6c39c3dcf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{cb367c75-6190-4ce0-a255-7c1199f0358e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2f9b1a90-1e69-41eb-ad33-6202aad9a554} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3a412635-30fd-42d0-a704-c9493be88b9c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq (Trojan.FakeAlert) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\win32GI (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Files Infected:
C:\empa.exe (Trojan.Peed) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\eflx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR1E.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32GI\klog.dat (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\mqgldfvo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\vmgspntbvlw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\toicy4ya\Application Data\QNVW601P.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\toicy4ya\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSjbnn.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSjjsm.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSjcxe.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:54 AM, on 9/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Affinity\Affinity VPN Client\cvpnd.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/xbox360/ind...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FOR...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MSN (2).lnk = C:\Program Files\MSN\MSNCoreFiles\msn.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://toicy4ya.myphotoalbum.com/Im...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/s...
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/Dr...
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O21 - SSODL: dtseqrxk - {49C064E1-07F8-4682-A38D-6B4904E2C048} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Affinity\Affinity VPN Client\cvpnd.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
--
End of file - 8704 bytes
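The Malwarebytes log above is worth reading as data rather than as a wall of text: the interesting findings are not the FakeAlert adware the user could see, but the Rootkit.Agent (TDSS) driver, the Backdoor.Bifrose keylog file and the items marked "Delete on reboot", which are not gone until the machine has restarted. The following Python script is an added example, not part of the thread and not Malwarebytes code; it parses the log format shown in the post (section headers ending in "Infected:", then one "item (Family) -> action." line per detection) and produces that triage. The sample input is a constructed excerpt built from lines in the log above, and the "high risk" family prefixes are the author's own choice of threshold.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the Malwarebytes log above, with
# their section headers, so the block runs offline.
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
Files Infected:
C:\\WINDOWS\\system32\\win32GI\\klog.dat (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\TDSSjcxe.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\mgxfebsq.dll (Trojan.FakeAlert) -> Delete on reboot.
"""

# One detection per line: "item (Family) -> action."  The item may contain
# spaces and backslashes, so the greedy group backtracks to the last "(Family)".
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Families whose presence means kernel-level or remote-access code was on the box,
# not just adware; a later clean scan is weaker evidence for these. (Author's choice.)
HIGH_RISK_PREFIXES = ("Rootkit.", "Backdoor.")


def parse_mbam_log(text):
    """Return one dict per detection: item, family, action and the section it sat in."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[: -len(" Infected:")]  # e.g. "Files"
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["section"] = section
            detections.append(d)
    return detections


def triage(detections):
    """Summarise a parsed log: counts per family, items still pending reboot, high-risk families."""
    by_family = Counter(d["family"] for d in detections)
    pending = sorted({d["item"] for d in detections
                      if d["action"].startswith("Delete on reboot")})
    high_risk = sorted({d["family"] for d in detections
                        if d["family"].startswith(HIGH_RISK_PREFIXES)})
    return {
        "by_family": dict(by_family),
        "pending_reboot": pending,
        "high_risk_families": high_risk,
    }


if __name__ == "__main__":
    summary = triage(parse_mbam_log(SAMPLE_LOG))
    for family, n in sorted(summary["by_family"].items()):
        print(f"{n:3d}  {family}")
    print("pending reboot:", summary["pending_reboot"])
    print("high-risk families:", summary["high_risk_families"])
```

Run over the full log in the post, the "pending reboot" list is the single DLL that was still loaded at scan time (mgxfebsq.dll and its ShellServiceObjectDelayLoad value), which is why the helper's instructions insist on restarting when MBAM asks; the high-risk list (Rootkit.Agent, Backdoor.Bifrose) is the reason a follow-up HijackThis log is requested rather than taking the first scan as the end of the job.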

Your java is out of date and has been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O21 - SSODL: dtseqrxk - {49C064E1-07F8-4682-A38D-6B4904E2C048} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline, turn off your McAfee antivirus, Spybot, Ad-Aware, ewido anti-spyware 4.0 guard and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.
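Every item Jabuck asks HijackThis to fix shares one property: the registration is still in the registry but the thing it points at is gone, which HijackThis prints as "(no file)" for BHOs, protocol handlers and SSODL entries, as "(file missing)" for services, and as an empty target after the dash for O16 DPF objects. Those are the leftovers of what MBAM already removed, so fixing them loses nothing that still works. The script below is an added example, not from the thread and not HijackThis code; it applies that rule mechanically to a HijackThis log so the same list can be reproduced without eyeballing it. The sample input is a constructed excerpt of lines from the log posted above, with two healthy entries of the same types added for contrast.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the thread, plus
# healthy entries of the same types for contrast, so the block runs offline.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O21 - SSODL: dtseqrxk - {49C064E1-07F8-4682-A38D-6B4904E2C048} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# HijackThis lines start with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def is_orphan(code, body):
    """True when the registration is still present but the thing it points at is gone."""
    body = body.rstrip()
    if code == "O23":                       # services: HijackThis appends "(file missing)"
        return body.endswith("(file missing)")
    if code == "O16":                       # DPF objects: nothing left after the trailing dash
        return body.endswith(" -")
    return body.endswith("(no file)")       # BHOs, buttons, protocols, SSODL entries


def find_orphans(text):
    """Return (code, line) pairs for every orphaned entry in a HijackThis log."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m and is_orphan(m["code"], m["body"]):
            found.append((m["code"], line))
    return found


if __name__ == "__main__":
    for code, line in find_orphans(SAMPLE_HJT):
        print(f"[{code}] {line}")
```

Run over the complete log in the previous post, this returns exactly the seven lines in Jabuck's "fix checked" list and nothing else. The rule cuts the other way too: an O21 SSODL entry with a random-looking name that still has a file behind it (the mgxfebsq entry that MBAM removed) is a live persistence point, not an orphan, and is the kind of thing the scanner rather than HijackThis should handle.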

Jabuck,
Thanks for all your help, it's greatly appreciated. I have a question: what exactly is Java, and is it necessary to have it activated in the Startup tab of the System Configuration Utility?
I followed your instructions; here are the results from the reports you requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:09 PM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/xbox360/ind...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FOR...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: MSN (2).lnk = C:\Program Files\MSN\MSNCoreFiles\msn.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/s...
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://toicy4ya.myphotoalbum.com/Im...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/download...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/s...
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://wwwphotoworks.com/pixami/Dra...
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 6032 bytes
COMBOFIX 1ST REPORT
ComboFix 08-09-24.07 - toicy4ya 2008-09-24 19:51:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.885 [GMT -4:00]
Running from: C:\Documents and Settings\toicy4ya\Desktop\ComboFix.exe
* Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\toicy4ya\Application Data\inst.exe
C:\WINDOWS\Fonts\-
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\eventmgr.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_TDSSSERV
-------\Service_NPF
-------\Service_TDSSserv
((((((((((((((((((((((((( Files Created from 2008-08-24 to 2008-09-24 )))))))))))))))))))))))))))))))
.
2008-09-24 19:33 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-23 19:46 . 2008-09-23 19:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-23 05:08 . 2008-09-23 05:08 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\Malwarebytes
2008-09-23 05:08 . 2008-09-23 05:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 20:40 . 2008-09-24 19:24 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2008-09-21 20:38 . 2008-09-21 20:39 <DIR> d-------- C:\Program Files\CCleaner
2008-09-21 15:55 . 2008-09-21 15:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 23:25 . 2008-09-20 23:25 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\MSNInstaller
2008-09-20 21:50 . 2008-09-20 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-20 17:55 . 2008-09-20 17:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-20 17:28 . 2008-09-24 19:56 9,999 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-20 17:24 . 2008-06-27 06:08 79,240 --a------ C:\WINDOWS\system32\drivers\mfeavfksys
2008-09-20 17:24 . 2008-06-27 06:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfksys
2008-09-20 17:24 . 2008-06-27 06:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopksys
2008-09-20 17:23 . 2008-06-27 06:08 207,656 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-20 17:23 . 2008-06-02 14:55 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-20 17:22 . 2008-09-20 17:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-20 17:21 . 2008-06-20 05:41 34,152 --a------ C:\WINDOWS\system32\drivers\mferkdksys
2008-09-20 16:54 . 2008-09-20 16:54 342 --a------ C:\WINDOWS\system32\CTHELPER.RPT
2008-09-11 18:59 . 2008-09-11 18:59 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\Carnival Software
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-30 09:11 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-08-30 09:11 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-08-30 09:11 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-08-30 09:11 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-08-30 09:11 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-08-30 09:11 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-08-30 09:11 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-27 18:02 . 2008-08-30 08:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 23:51 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\MSN6
2008-09-24 23:33 --------- d-----w C:\Program Files\Java
2008-09-24 23:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-24 23:23 --------- d-----w C:\Program Files\Yahoo!
2008-09-21 03:54 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\Azureus
2008-09-21 02:54 --------- d-----w C:\Program Files\Microsoft Office Outlook Connector
2008-09-21 02:54 --------- d-----w C:\Program Files\Common Files\Verizon Online
2008-09-21 02:35 --------- d-----w C:\Program Files\McAfee
2008-09-21 01:51 --------- d-----w C:\Program Files\iTunes
2008-09-21 01:50 --------- d-----w C:\Program Files\iPod
2008-09-21 01:39 --------- d-----w C:\Program Files\QuickTime Alternative
2008-09-21 01:39 --------- d-----w C:\Program Files\Bonjour
2008-09-21 01:38 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-21 01:21 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\Vso
2008-09-20 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-20 21:23 --------- d-----w C:\Program Files\Common Files\McAfee
2008-09-20 20:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-09-20 20:54 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-09-20 20:34 --------- d-----w C:\Program Files\Pointstone
2008-09-20 20:34 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-09-20 20:32 --------- d-----w C:\Program Files\Kids Cam Show and Share Creativity Center
2008-09-20 20:31 --------- d-----w C:\Program Files\DivX
2008-09-20 20:30 --------- d-----w C:\Program Files\AviSynth 2.5
2008-09-20 20:29 --------- d-----w C:\Program Files\Lavasoft
2008-09-20 20:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-09 23:40 --------- d-----w C:\Program Files\Azureus
2008-09-06 14:37 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\iPhoneRingToneMaker
2008-09-06 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-08-30 13:16 47,360 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\pcouffin.sys
2008-08-30 13:11 --------- d-----w C:\Program Files\vso
2008-08-18 23:07 --------- d-----w C:\Program Files\Apple Software Update
2008-08-18 21:51 --------- d-----w C:\Program Files\Safari
2008-08-17 17:54 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-14 23:42 --------- d-----w C:\Program Files\DVDFab Decrypter
2008-08-12 00:50 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-02 19:28 --------- d--h--r C:\Documents and Settings\toicy4ya\Application Data\yahoo!
2008-08-02 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-22 02:16 4 -csh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2008-03-12 10:59 39,664 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\GDIPFONTCACHEV1.DAT
2008-02-23 05:51 0 -c--a-w C:\Program Files\AstonWriteTest.txt
2007-10-30 23:36 28,672 -c--a-w C:\Documents and Settings\toicy4ya\update.exe
2006-10-28 04:11 81,920 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 3022848]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\toicy4ya\Start Menu\Programs\Startup\
MSN (2).lnk - C:\Program Files\MSN\MSNCoreFiles\msn.exe [2008-09-20 98816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xwsetup.EXE]
"Debugger"=ntsd -d
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Affinity Health Plan VPN Client.lnk]
backup=C:\WINDOWS\pss\Affinity Health Plan VPN Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^toicy4ya^Start Menu^Programs^Startup^iPhoneRingToneMaker.lnk]
backup=C:\WINDOWS\pss\iPhoneRingToneMaker.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^toicy4ya^Start Menu^Programs^Startup^MSN.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoostSpeed
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
javaw -cp C:\Program Files\LimeShop\System\Code Main lp: [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2006-08-18 06:15 471040 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a--c--- 2003-06-18 05:00 45056 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a--c--- 2003-09-17 14:43 57344 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a--c--- 2007-03-15 19:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra--c--- 2003-11-17 11:33 3022848 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra--c--- 2003-11-17 11:33 49152 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--a--c--- 2002-12-03 22:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2008-01-23 19:13 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 05:00 90112 C:\WINDOWS\Updreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2006-11-21 13:38 35328 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a--c--- 2003-08-29 08:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2003-10-06 02:57 24576 C:\WINDOWS\system32\CTHELPER.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra--c--- 2003-11-17 11:33 753664 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ewido anti-spyware 4.0 guard"=2 (0x2)
"DTSRVC"=2 (0x2)
"aawservice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"RichVideo"=2 (0x2)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"McAfee Backup"=C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
"MBkLogOnHook"=C:\Program Files\McAfee\MBK\LogOnHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\3.8.9\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12698:TCP"= 12698:TCP:BitComet 12698 TCP
"12698:UDP"= 12698:UDP:BitComet 12698 UDP
"8874:TCP"= 8874:TCP:BitComet 8874 TCP
"8874:UDP"= 8874:UDP:BitComet 8874 UDP
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-09-14 285216]
R2 PfDetNT;PfDetNT;C:\WINDOWS\System32\drivers\PfModNT.sys [2003-03-05 15840]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 60928]
S3 11f95b7c-ee35-44e6-8527-e1e43774a1d5;11f95b7c-ee35-44e6-8527-e1e43774a1d5;E:\CDS300\cds300.dll [ ]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [ ]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 10880]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe
MSConfigStartUp-AAWTray - C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
MSConfigStartUp-AppleSyncNotifier - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-SiteAdvisor - C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
MSConfigStartUp-SpybotSD TeaTimer - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.gamespot.com/xbox360/index.html?tag=nav-top;xbox360&navclk=x360
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://support.dell.com/
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 -: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} - hxxp://toicy4ya.myphotoalbum.com/ImageUploader4.cab
C:\Program Files\MSN\MSNCoreFiles\unicows.dll
O16 -: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.photoworks.com/pixami/DragDropUploader.cab
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 19:57:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-09-24 20:07:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 00:07:16
Pre-Run: 18,110,640,128 bytes free
Post-Run: 18,402,635,776 bytes free
295 --- E O F --- 2008-09-09 23:04:28

COMBOFIX 2ND REPORT
ComboFix 08-09-24.08 - toicy4ya 2008-09-24 20:52:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.819 [GMT -4:00]
Running from: C:\Documents and Settings\toicy4ya\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 )))))))))))))))))))))))))))))))
.
2008-09-24 19:33 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-23 19:46 . 2008-09-23 19:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-23 05:08 . 2008-09-23 05:08 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\Malwarebytes
2008-09-23 05:08 . 2008-09-23 05:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-21 20:40 . 2008-09-24 19:24 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2008-09-21 20:38 . 2008-09-21 20:39 <DIR> d-------- C:\Program Files\CCleaner
2008-09-21 15:55 . 2008-09-21 15:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-20 23:25 . 2008-09-20 23:25 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\MSNInstaller
2008-09-20 21:50 . 2008-09-20 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-20 17:55 . 2008-09-20 17:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-20 17:28 . 2008-09-24 20:38 9,999 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-20 17:24 . 2008-06-27 06:08 79,240 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-20 17:24 . 2008-06-27 06:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-09-20 17:24 . 2008-06-27 06:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-20 17:23 . 2008-06-27 06:08 207,656 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-20 17:23 . 2008-06-02 14:55 120,136 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-20 17:22 . 2008-09-20 17:22 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-20 17:21 . 2008-06-20 05:41 34,152 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-09-20 16:54 . 2008-09-20 16:54 342 --a------ C:\WINDOWS\system32\CTHELPER.RPT
2008-09-11 18:59 . 2008-09-11 18:59 <DIR> d-------- C:\Documents and Settings\toicy4ya\Application Data\Carnival Software
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-30 09:11 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-08-30 09:11 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-08-30 09:11 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-08-30 09:11 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-08-30 09:11 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-08-30 09:11 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-08-30 09:11 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll
2008-08-27 18:02 . 2008-08-30 08:45 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 00:42 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\MSN6
2008-09-24 23:33 --------- d-----w C:\Program Files\Java
2008-09-24 23:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-24 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-24 23:23 --------- d-----w C:\Program Files\Yahoo!
2008-09-21 03:54 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\Azureus
2008-09-21 02:54 --------- d-----w C:\Program Files\Microsoft Office Outlook Connector
2008-09-21 02:54 --------- d-----w C:\Program Files\Common Files\Verizon Online
2008-09-21 02:35 --------- d-----w C:\Program Files\McAfee
2008-09-21 01:51 --------- d-----w C:\Program Files\iTunes
2008-09-21 01:50 --------- d-----w C:\Program Files\iPod
2008-09-21 01:39 --------- d-----w C:\Program Files\QuickTime Alternative
2008-09-21 01:39 --------- d-----w C:\Program Files\Bonjour
2008-09-21 01:38 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-21 01:21 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\Vso
2008-09-20 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-20 21:23 --------- d-----w C:\Program Files\Common Files\McAfee
2008-09-20 20:54 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-09-20 20:54 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-09-20 20:34 --------- d-----w C:\Program Files\Pointstone
2008-09-20 20:34 --------- d-----w C:\Program Files\Common Files\Pointstone
2008-09-20 20:32 --------- d-----w C:\Program Files\Kids Cam Show and Share Creativity Center
2008-09-20 20:31 --------- d-----w C:\Program Files\DivX
2008-09-20 20:30 --------- d-----w C:\Program Files\AviSynth 2.5
2008-09-20 20:29 --------- d-----w C:\Program Files\Lavasoft
2008-09-20 20:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-09-09 23:40 --------- d-----w C:\Program Files\Azureus
2008-09-06 14:37 --------- d-----w C:\Documents and Settings\toicy4ya\Application Data\iPhoneRingToneMaker
2008-09-06 10:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-08-30 13:16 47,360 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\pcouffin.sys
2008-08-30 13:11 --------- d-----w C:\Program Files\vso
2008-08-18 23:07 --------- d-----w C:\Program Files\Apple Software Update
2008-08-18 21:51 --------- d-----w C:\Program Files\Safari
2008-08-17 17:54 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-14 23:42 --------- d-----w C:\Program Files\DVDFab Decrypter
2008-08-12 00:50 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-02 19:28 --------- d--h--r C:\Documents and Settings\toicy4ya\Application Data\yahoo!
2008-08-02 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 -c--a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-03-22 02:16 4 -csh--r C:\Documents and Settings\All Users\Application Data\sysqcl1129139270.dat
2008-03-12 10:59 39,664 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\GDIPFONTCACHEV1.DAT
2008-02-23 05:51 0 -c--a-w C:\Program Files\AstonWriteTest.txt
2007-10-30 23:36 28,672 -c--a-w C:\Documents and Settings\toicy4ya\update.exe
2006-10-28 04:11 81,920 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\ezpinst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 3022848]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\toicy4ya\Start Menu\Programs\Startup\
MSN (2).lnk - C:\Program Files\MSN\MSNCoreFiles\msn.exe [2008-09-20 98816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Affinity Health Plan VPN Client.lnk]
backup=C:\WINDOWS\pss\Affinity Health Plan VPN Client.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^toicy4ya^Start Menu^Programs^Startup^iPhoneRingToneMaker.lnk]
backup=C:\WINDOWS\pss\iPhoneRingToneMaker.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^toicy4ya^Start Menu^Programs^Startup^MSN.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoostSpeed
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]
javaw -cp C:\Program Files\LimeShop\System\Code Main lp: [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USSShReg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2006-08-18 06:15 471040 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a--c--- 2003-06-18 05:00 45056 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a--c--- 2003-09-17 14:43 57344 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a--c--- 2007-03-15 19:16 454784 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra--c--- 2003-11-17 11:33 3022848 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
-ra--c--- 2003-11-17 11:33 49152 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 C:\Program Files\QuickTime Alternative\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--a--c--- 2002-12-03 22:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2008-01-23 19:13 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 05:00 90112 C:\WINDOWS\Updreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2006-11-21 13:38 35328 C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a--c--- 2003-08-29 08:59 122880 C:\WINDOWS\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a--c--- 2003-10-06 02:57 24576 C:\WINDOWS\system32\CTHELPER.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra--c--- 2003-11-17 11:33 753664 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ewido anti-spyware 4.0 guard"=2 (0x2)
"DTSRVC"=2 (0x2)
"aawservice"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"RichVideo"=2 (0x2)
"CVPND"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"McAfee Backup"=C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
"MBkLogOnHook"=C:\Program Files\McAfee\MBK\LogOnHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\3.8.9\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12698:TCP"= 12698:TCP:BitComet 12698 TCP
"12698:UDP"= 12698:UDP:BitComet 12698 UDP
"8874:TCP"= 8874:TCP:BitComet 8874 TCP
"8874:UDP"= 8874:UDP:BitComet 8874 UDP
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-09-14 285216]
R2 PfDetNT;PfDetNT;C:\WINDOWS\System32\drivers\PfModNT.sys [2003-03-05 15840]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 60928]
S3 11f95b7c-ee35-44e6-8527-e1e43774a1d5;11f95b7c-ee35-44e6-8527-e1e43774a1d5;E:\CDS300\cds300.dll [ ]
S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [ ]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 10880]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.gamespot.com/xbox360/index.html?tag=nav-top;xbox360&navclk=x360
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://support.dell.com/
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
O16 -: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} - hxxp://toicy4ya.myphotoalbum.com/ImageUploader4.cab
C:\Program Files\MSN\MSNCoreFiles\unicows.dll
O16 -: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.photoworks.com/pixami/DragDropUploader.cab
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-24 20:54:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-09-24 20:56:57
ComboFix-quarantined-files.txt 2008-09-25 00:56:26
ComboFix2.txt 2008-09-25 00:07:26
Pre-Run: 19,237,347,328 bytes free
Post-Run: 19,223,830,528 bytes free
271 --- E O F --- 2008-09-09 23:04:28
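
Added example, not code from the thread, from ComboFix or from any of the tools named in it: a small Python triage pass over the kind of ComboFix "Reg Loading Points" and Find3M output posted above. The sample lines are copied from that report; the finding categories, the choice of which registry keys count as interesting, and the helper names (parse_reg_entries, triage) are my own assumptions and not part of any real tool.

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied verbatim from the ComboFix report
# posted above (Find3M and "Reg Loading Points" sections), trimmed to the
# entries this triage looks at plus two benign lines as negatives.
SAMPLE_LOG = r"""
2007-10-30 23:36 28,672 -c--a-w C:\Documents and Settings\toicy4ya\update.exe
2008-03-12 10:59 39,664 -c--a-w C:\Documents and Settings\toicy4ya\Application Data\GDIPFONTCACHEV1.DAT
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xwsetup.EXE]
"Debugger"=ntsd -d
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12698:TCP"= 12698:TCP:BitComet 12698 TCP
"8874:UDP"= 8874:UDP:BitComet 8874 UDP
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# An executable sitting directly in a user profile root (not under Program
# Files, not under Application Data) is a classic place for a dropper to land.
PROFILE_ROOT_EXE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S+\s+"
    r"(C:\\Documents and Settings\\[^\\]+\\[^\\]+\.(?:exe|dll|sys|scr))$",
    re.IGNORECASE,
)


def parse_reg_entries(text: str) -> List[Dict[str, str]]:
    """Walk the log once, pairing every "name"=value line with the [key] above it."""
    entries, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append({"key": current_key, "name": m.group(1), "value": m.group(2).strip()})
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return the findings a malware-removal helper would want to look at first."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = PROFILE_ROOT_EXE_RE.match(raw.strip())
        if m:
            findings.append({"category": "profile-root-executable", "detail": m.group(1)})

    for e in parse_reg_entries(text):
        key, name, value = e["key"].lower(), e["name"].lower(), e["value"]
        leaf = e["key"].rsplit("\\", 1)[-1]          # last path component, original case
        is_set = value.lower() in ("dword:00000001", "1")
        if "security center" in key and name == "disablemonitoring" and is_set:
            findings.append({"category": "security-center-monitoring-off", "detail": leaf})
        elif key.endswith("security center") and name.endswith("disablenotify") and is_set:
            findings.append({"category": "security-center-notify-off", "detail": e["name"]})
        elif name == "appinit_dlls" and value:
            # Every process that loads user32.dll will also load this DLL.
            findings.append({"category": "appinit-dll-injection", "detail": value})
        elif "image file execution options\\" in key and name == "debugger":
            # Launching the named exe actually starts the "debugger" instead.
            findings.append({"category": "ifeo-debugger-hijack", "detail": f"{leaf} -> {value}"})
        elif key.endswith("globallyopenports\\list"):
            findings.append({"category": "firewall-port-open", "detail": value})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['category']:32} {f['detail']}")
```

Run against the sample it reports seven findings, and not all of them mean the same thing. The Security Center DisableMonitoring values are written by third-party suites such as McAfee when they take over status reporting, so on their own they are context, not evidence of tampering; AppInit_DLLs=wbsys.dll is the WindowBlinds hook DLL that the AlienGUIse entry in the same log belongs to. The two worth a second look are the IFEO entry, which routes every launch of xwsetup.EXE through ntsd -d and so effectively stops that program from running, and the bare executable in the profile root, C:\Documents and Settings\toicy4ya\update.exe, which the Kaspersky report later in this thread flags as Trojan-Downloader.Win32.VB.gxv.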

Looks much better,
Java is a programming language used by many companies; just do a Google search for it. You can always uncheck it, give it a try, then recheck it if you don't like the results. I run mine.
Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Thanks jabuck,
I updated Java.
Here is the Kaspersky Scan Report:
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, September 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 26, 2008 00:52:21
Records in database: 1261917
----------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 88953
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:21:28
File name / Threat name / Threats count
C:\Documents and Settings\toicy4ya\My Documents\My Downloads\WD Sync Passport External Hardrive Software\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1
C:\Documents and Settings\toicy4ya\update.exe Infected: Trojan-Downloader.Win32.VB.gxv 1
F:\WD External Passport\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1
F:\My Downloads\Mcafee\McAfee 2007 Plus & Norton Antivirus 2007 Incl SERIAL & KEY & UPDATES AVAILABLE.zip Infected: not-a-virus:Monitor.Win32.Ardamax.k 1
F:\My Downloads\WD Sync Passport External Hardrive Software\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1

The selected area was scanned.

False positives? The computer is running OK; however, I'm surprised that the Kaspersky scan found 5 infections, some of which are Trojans. I thought with all the scans I performed my system would have been clean by now. I retraced all the replies you offered to confirm that I was doing everything correctly. Did I do something wrong?
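The Kaspersky report posted above has a regular line format ("path Infected: verdict count"), so the question of whether five detections are five separate infections can be checked mechanically. The following is an added example, not code from the original thread or from Kaspersky: it parses the detection lines, buckets each verdict (Kaspersky's "not-a-virus:" prefix marks riskware/PUP rather than malware), and groups identical file names that carry the same verdict in several locations, which is the pattern a helper looks for when judging whether a bundled file was simply copied around. The sample text is the report's own detection lines, embedded as a constructed string; the bucket names are the example's own choice.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample (example, not from the original post): the detection lines
# from the Kaspersky Online Scanner 7 report quoted in this thread.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\toicy4ya\My Documents\My Downloads\WD Sync Passport External Hardrive Software\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1
C:\Documents and Settings\toicy4ya\update.exe Infected: Trojan-Downloader.Win32.VB.gxv 1
F:\WD External Passport\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1
F:\My Downloads\Mcafee\McAfee 2007 Plus & Norton Antivirus 2007 Incl SERIAL & KEY & UPDATES AVAILABLE.zip Infected: not-a-virus:Monitor.Win32.Ardamax.k 1
F:\My Downloads\WD Sync Passport External Hardrive Software\libeay32.dll Infected: Trojan.Win32.Agent.xvy 1
The selected area was scanned.
"""

# One detection line: "<path> Infected: <verdict> <count>".  Paths contain
# spaces, so the path group is non-greedy and anchored on " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return one dict per detection line; header and trailer lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            findings.append({
                "path": m.group("path"),
                "name": ntpath.basename(m.group("path")),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
            })
    return findings


def classify(threat):
    """Map a Kaspersky verdict to a coarse triage bucket (bucket names are this
    example's own convention).

    'not-a-virus:' verdicts are riskware/PUP: legitimate tools that can be
    misused, not malware in themselves.  Everything else is bucketed by the
    verdict's leading behaviour class (Trojan, Trojan-Downloader, Worm, ...).
    """
    if threat.startswith("not-a-virus:"):
        return "riskware"
    return threat.split(".", 1)[0]


def summarize(findings):
    """Group findings in the two ways that help a false-positive review."""
    by_bucket = Counter(classify(f["threat"]) for f in findings)
    # The same file name with the same verdict in several places usually means
    # one bundled copy that was installed or copied around, not N infections.
    by_name = defaultdict(list)
    for f in findings:
        by_name[(f["name"], f["threat"])].append(f["path"])
    repeated = {key: paths for key, paths in by_name.items() if len(paths) > 1}
    return {"total": len(findings), "by_bucket": dict(by_bucket), "repeated": repeated}


def triage(text):
    return summarize(parse_report(text))


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections, by bucket: {result['by_bucket']}")
    for (name, threat), paths in result["repeated"].items():
        print(f"{name} flagged as {threat} in {len(paths)} locations:")
        for p in paths:
            print("   ", p)
```

On the report above this reduces five detections to three distinct items: one DLL name reported three times under the same verdict (twice inside the drive vendor's own software folder), one downloader in the user profile, and one riskware verdict on an archive. That is the view a reviewer needs before deciding which lines are worth submitting to the vendor as suspected false positives.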

A false positive is a file that has been tagged as infected when actually it is not infected and it is not unusual for any antivirus to report an infection falsely, especially an online scanner.
This file:
WD Sync Passport External Hardrive Software\libeay32.dll
actually came with your external hard drive but because it is located in an unusual place it was tagged as infected, most likely.
I don't think you are infected. If your computer is operating properly then you should have no concerns about the report from Kaspersky.
Glad we could help.

jabuck, I noticed two strange things happening since I ran all the scans and removed the suggested items. When I open up my MSN Premium browser and try to open an additional new window by going to File and selecting New Window, my MSN freezes, then I get an MSN error message, and when I click OK it closes my MSN. The other thing I noticed is with my McAfee: it appears to be operating, however when I double-click on the McAfee icon to get the Security Center box to open, once it opens there is nothing in the box. It just shows a blank McAfee box, therefore I cannot adjust the settings or perform a virus scan.
I have tried uninstalling and reinstalling MSN and McAfee several times but nothing seems to work.

McAfee may have been damaged if the following file is a crack:
F:\My Downloads\Mcafee\McAfee 2007 Plus & Norton Antivirus 2007 Incl SERIAL & KEY & UPDATES AVAILABLE.zip Infected:
As it shows to be infected by the Kaspersky scan and may have reinfected the computer, Malwarebytes may have tried to remove it and, being unsuccessful, damaged it.
If McAfee is a cracked version, uninstall it and install AVG Free or Avast Free.
As for MSN, it may be an update problem.
Go to start> run> type in regedit. Now browse to the following key by expanding the folders:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion
To expand the folders click the + sign to the left of each key until you get to "CurrentVersion", then click on the "CurrentVersion" folder to open it.
In the right pane, you should find: ProductId. To the right of ProductId should be a "group of numbers" or "Virus Alert" or "nothing at all". Let me know what is listed.
To exit, just click the - signs beside the keys you opened until you get back to "HKEY_LOCAL_MACHINE", then click the X at the top right of the page.

jabuck, I found the cause. This happens with the installation of Internet Explorer 8 Beta 2. I uninstalled it and everything's back to normal.
Thanks for all your help, it was greatly appreciated.
