There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post System Check problem
Go to first new post Cannot access any google sites - youtube ...
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Overall Sluggish Performance, Video Hicc ...
Go to first new post Extremely slow computer
Go to first new post RegClean Pro
Go to first new post software will not update
Go to first new post Something is very wrong with pc it takes ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post security sheild
Go to first new post We Got System Checked :-(
Go to first new post Trojan infection preventing boot (scvhos ...
Go to first new post "Congratulations, you won" &am ...
Tag Cloud
access acer asus bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop malware memory modem monitor motherboard netgear network printer problem ram registry repair router slow software sound toshiba trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Crazy Pop Ups (New)

Reply  
Thread Tools
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
18-Nov-2007, 02:01 PM #1
Crazy Pop Ups
Here is a copy of Hijack Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:30 AM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TIM\Application Data\Mozilla\Profiles\default\2ffar1ju.slt\prefs.js)
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5c3a8109] rundll32.exe "C:\WINDOWS\system32\cgidbmca.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/...areControl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/overdrive/bin/setup.exe
O20 - AppInit_DLLs: c:\windows\system32\mljggec.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\TIM\Application Data\tmpA.tmp.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 1: Aqua Garden - 6423CD5F-D089-4BF1-88B6-6A359339DAFF
O24 - Desktop Component 2: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 8105 bytes
Register for free to hide this ad!
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,157 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
18-Nov-2007, 03:18 PM #2
Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • ...
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
27-Nov-2007, 10:47 AM #3
Crazy Pop Ups
Here is the Combo Fix Log


ComboFix 07-11-19.4 - TIM 2007-11-27 8:18:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.38 [GMT -6:00]
Running from: C:\Documents and Settings\TIM\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\TIM\Desktop\Live Safety Center.lnk
C:\Documents and Settings\TIM\Desktop\Online Security Guide.lnk
C:\Documents and Settings\TIM\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\bexnlbvt.dllbox
C:\WINDOWS\SYSTEM32\gjkkj.ini
C:\WINDOWS\SYSTEM32\gjkkj.ini2
C:\WINDOWS\system32\iqhigvtk.dllbox
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\jznehsqw.dllbox
C:\WINDOWS\SYSTEM32\mlnmp.ini
C:\WINDOWS\SYSTEM32\mlnmp.ini2
C:\WINDOWS\SYSTEM32\ttstv.ini
C:\WINDOWS\SYSTEM32\ttstv.ini2
C:\WINDOWS\system32\wetqfcqs.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 08:33 20,810 ---hs---- C:\WINDOWS\SYSTEM32\jznehsqw.dllbox
2007-11-26 20:21 145,984 --a------ C:\WINDOWS\SYSTEM32\jznehsqw.dll
2007-11-26 20:20 145,984 --a------ C:\WINDOWS\SYSTEM32\rjnnryfh.dll
2007-11-26 20:17 71,232 --a------ C:\WINDOWS\SYSTEM32\rpqmpftb.exe
2007-11-25 20:20 615,978 --ahs---- C:\WINDOWS\SYSTEM32\qtubjldr.ini
2007-11-25 20:18 71,232 --a------ C:\WINDOWS\SYSTEM32\itmibdux.exe
2007-11-25 20:17 145,984 --a------ C:\WINDOWS\SYSTEM32\rfutmvva.dll
2007-11-22 21:35 85,056 --a------ C:\WINDOWS\SYSTEM32\ldrsvpbi.dll
2007-11-22 21:32 79,936 --a------ C:\WINDOWS\SYSTEM32\oprvxwip.dll
2007-11-19 02:02 866,640 --ahs---- C:\WINDOWS\SYSTEM32\uqcroogj.ini
2007-11-19 01:59 145,984 --a------ C:\WINDOWS\SYSTEM32\kocmbeal.dll
2007-11-18 11:04 14,388 --a------ C:\WINDOWS\SYSTEM32\instdump.zip
2007-11-17 13:15 678,280 --ahs---- C:\WINDOWS\SYSTEM32\acmbdigc.ini
2007-11-17 13:12 145,984 --a------ C:\WINDOWS\SYSTEM32\uvkkmgqi.dll
2007-11-17 01:39 <DIR> d-------- C:\Documents and Settings\TIM\Application Data\SpyGuardPro
2007-11-17 01:34 <DIR> d-------- C:\Program Files\SpyGuardPro
2007-11-17 01:31 36,352 --a------ C:\WINDOWS\SYSTEM32\ljjjghg.dll
2007-11-17 01:31 35,840 --a------ C:\WINDOWS\mrofinu77.exe
2007-11-16 20:46 <DIR> d-------- C:\Temp\abW9
2007-11-16 20:46 38,912 --a------ C:\WINDOWS\SYSTEM32\khfdefd.dll
2007-11-16 20:46 35,840 --a------ C:\WINDOWS\mrofinu572.exe
2007-11-16 20:46 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-06 11:55 87,104 --a------ C:\WINDOWS\SYSTEM32\mmesqpjg.dll
2007-11-05 11:55 1,084,350 --ahs---- C:\WINDOWS\SYSTEM32\sryeeoyr.ini
2007-11-04 11:55 1,086,163 --ahs---- C:\WINDOWS\SYSTEM32\tmxqjjyo.ini
2007-11-03 11:55 1,086,085 --ahs---- C:\WINDOWS\SYSTEM32\uecovjyf.ini
2007-11-02 11:55 1,095,405 --ahs---- C:\WINDOWS\SYSTEM32\jeumkmak.ini
2007-10-30 11:53 1,149,592 --ahs---- C:\WINDOWS\SYSTEM32\ncbpdtvr.ini
2007-10-29 11:53 1,192,688 --ahs---- C:\WINDOWS\SYSTEM32\oaivnblp.ini
2007-10-28 11:53 1,164,841 --ahs---- C:\WINDOWS\SYSTEM32\ucplwrns.ini
2007-10-27 11:53 1,170,156 --ahs---- C:\WINDOWS\SYSTEM32\pbditgkn.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 02:26 80,960 ----a-w C:\WINDOWS\SYSTEM32\bqlfhexs.dll
2007-11-27 02:23 85,056 ----a-w C:\WINDOWS\SYSTEM32\yxfaqvgy.dll
2007-11-26 02:36 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-11-23 03:29 71,232 ----a-w C:\WINDOWS\SYSTEM32\fenebust.exe
2007-11-23 03:28 145,984 ----a-w C:\WINDOWS\SYSTEM32\xqkfyimt.dll
2007-11-18 17:04 35,840 ----a-w C:\WINDOWS\17PHolmes572.exe
2007-11-18 17:03 36,352 ----a-w C:\WINDOWS\SYSTEM32\gebbcby.dll
2007-11-18 17:01 36,352 ----a-w C:\WINDOWS\SYSTEM32\vturopo.dll
2007-11-18 16:58 38,912 ----a-w C:\WINDOWS\SYSTEM32\awtttst.dll
2007-11-17 19:18 36,352 ----a-w C:\WINDOWS\SYSTEM32\byxuvwu.dll
2007-11-17 19:09 71,232 ----a-w C:\WINDOWS\SYSTEM32\cdigadsd.exe
2007-11-06 17:52 71,232 ----a-w C:\WINDOWS\SYSTEM32\dndxlhpt.exe
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-19 06:13 8 ----a-w C:\WINDOWS\Fonts\avjavcb.dat
2007-10-19 06:13 8 ----a-w C:\WINDOWS\Fonts\avjavbb.dat
2007-10-19 06:13 8 ----a-w C:\WINDOWS\Fonts\avjavab.dat
2007-10-19 06:13 46 ----a-w C:\WINDOWS\Fonts\avjavl.dat
2007-10-19 06:13 1,150 ----a-w C:\WINDOWS\Fonts\avjavs.dat
2007-10-18 17:36 --------- d-----w C:\Program Files\Enigma Software Group
2007-10-18 17:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 17:35 --------- d-----w C:\Program Files\Anonymizer
2007-10-18 17:12 --------- d-----w C:\Documents and Settings\TIM\Application Data\spweng
2007-10-15 11:57 8 ----a-w C:\WINDOWS\Fonts\avjavp1b.dat
2007-10-06 17:30 --------- d-----w C:\Program Files\Disney
2007-10-01 23:23 --------- d-----w C:\Documents and Settings\TIM\Application Data\AdobeAUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{05CB2160-E07F-428F-8B9C-08EF6D1D49ED}]
2007-10-23 12:28 598016 --a------ C:\WINDOWS\security\mxlewb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-16 20:46 38912 --a------ C:\WINDOWS\system32\khfdefd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40CAE2C9-D932-495F-9CE5-7EC28A6EA9DD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{695512C3-CD30-7730-23D2-022D18E12AE6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E67D360-975B-4CB0-2698-F9AF2366C78D}]
C:\Program Files\MSN\qugata.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88ddfec7-e0d7-49c9-95d3-96de895015ba}]
C:\WINDOWS\system32\abpyaww.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-26 20:21 145984 --a------ C:\WINDOWS\system32\jznehsqw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C13D8AAE-F43E-4D41-87EB-3C8AB2EA78FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5FB73DD-1E99-44EA-9E18-B4923360A104}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ee5651e7-dd64-4dcb-a6be-9d1287900f70}]
2007-11-26 20:26 80960 --a------ C:\WINDOWS\system32\bqlfhexs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jznehsqw.dll [2007-11-26 20:21 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A0E4-EA6FA787AD2D}"= C:\PROGRA~1\POWERS~1\Toolbar\pwrscuz2.dll [ ]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\jznehsqw.dll [2007-11-26 20:21 145984]

[HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e4-ea6fa787ad2d}]
[HKEY_CLASSES_ROOT\pwrscuz2.PWRSCUZ2]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"PRIVANAL"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SPYKILLER"="C:\Program Files\Anonymizer\sk\SpyWareKiller.exe" []
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 12:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-26 21:21]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-19 23:33]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 16:22]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-01 10:24]
"5c3a8109"="C:\WINDOWS\system32\yxfaqvgy.dll" [2007-11-26 20:23]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-01-11 19:45]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\system32\khfdefd.dll [2007-11-16 20:46 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bexnlbvt]
bexnlbvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqhigvtk]
iqhigvtk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jznehsqw]
jznehsqw.dll 2007-11-26 20:21 145984 C:\WINDOWS\SYSTEM32\jznehsqw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfdefd]
khfdefd.dll 2007-11-16 20:46 38912 C:\WINDOWS\SYSTEM32\khfdefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlkvjtfh]
mlkvjtfh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mxlewb]
C:\WINDOWS\security\mxlewb.dll 2007-10-23 12:28 598016 C:\WINDOWS\SECURITY\mxlewb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wetqfcqs]
wetqfcqs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\mljggec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkkjg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
2006-06-17 16:47 230512 --a------ C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
2006-06-17 16:47 185456 --a------ C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 01:56 15360 --a--c--- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\DellSupport\DSAgnt.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-08-06 01:04 114741 --a------ C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 00:07 114688 --a------ C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 08:38 241664 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 23:11 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 09:46 172032 --a------ C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe C:\WINDOWS\system32\aoodwyft.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 00:19 155648 --a------ C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-03 20:12 221184 --a------ C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-22 17:29 303104 --a------ C:\PROGRA~1\McAfee.com\Agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 11:05 212992 --a------ C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 11:06 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
2003-12-10 03:52 380928 --a------ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2007-01-11 19:45 4898816 --a------ C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-26 19:47 204800 --------- C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SPYKILLER]
C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
C:\Program Files\WinTouch\WinTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2006-07-21 16:19 129536 --a------ C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\WINDOWS\itpb_11.exe SKY004

S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys
S3 WlanUIG;2Wire 802.11g USB Driver;C:\WINDOWS\system32\DRIVERS\WlanUIG.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 08:36:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 8:38:52 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-19 23:35
C:\ComboFix2.txt ... 2007-11-18 13:52
C:\ComboFix3.txt ... 2007-09-19 23:35
.
--- E O F ---

Here is HiJack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:39 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TIM\Application Data\Mozilla\Profiles\default\2ffar1ju.slt\prefs.js)
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jznehsqw.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5c3a8109] rundll32.exe "C:\WINDOWS\system32\yxfaqvgy.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/...areControl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/overdrive/bin/setup.exe
O20 - AppInit_DLLs: c:\windows\system32\mljggec.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 1: Aqua Garden - 6423CD5F-D089-4BF1-88B6-6A359339DAFF
O24 - Desktop Component 2: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 7444 bytes
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,157 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
27-Nov-2007, 08:27 PM #4
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to delete:
C:\WINDOWS\SYSTEM32\jznehsqw.dllbox
C:\WINDOWS\SYSTEM32\jznehsqw.dll
C:\WINDOWS\SYSTEM32\rjnnryfh.dll
C:\WINDOWS\SYSTEM32\rpqmpftb.exe
C:\WINDOWS\SYSTEM32\qtubjldr.ini
C:\WINDOWS\SYSTEM32\itmibdux.exe
C:\WINDOWS\SYSTEM32\rfutmvva.dll
C:\WINDOWS\SYSTEM32\ldrsvpbi.dll
C:\WINDOWS\SYSTEM32\oprvxwip.dll
C:\WINDOWS\SYSTEM32\uqcroogj.ini
C:\WINDOWS\SYSTEM32\kocmbeal.dll
C:\WINDOWS\SYSTEM32\instdump.zip
C:\WINDOWS\SYSTEM32\acmbdigc.ini
C:\WINDOWS\SYSTEM32\uvkkmgqi.dll
C:\WINDOWS\SYSTEM32\ljjjghg.dll
C:\WINDOWS\mrofinu77.exe
C:\WINDOWS\SYSTEM32\khfdefd.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\SYSTEM32\mmesqpjg.dll
C:\WINDOWS\SYSTEM32\sryeeoyr.ini
C:\WINDOWS\SYSTEM32\tmxqjjyo.ini
C:\WINDOWS\SYSTEM32\uecovjyf.ini
C:\WINDOWS\SYSTEM32\jeumkmak.ini
C:\WINDOWS\SYSTEM32\ncbpdtvr.ini
C:\WINDOWS\SYSTEM32\oaivnblp.ini
C:\WINDOWS\SYSTEM32\ucplwrns.ini
C:\WINDOWS\SYSTEM32\pbditgkn.ini
C:\WINDOWS\SYSTEM32\bqlfhexs.dll
C:\WINDOWS\SYSTEM32\yxfaqvgy.dll
C:\WINDOWS\SYSTEM32\fenebust.exe
C:\WINDOWS\SYSTEM32\xqkfyimt.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\SYSTEM32\gebbcby.dll
C:\WINDOWS\SYSTEM32\vturopo.dll
C:\WINDOWS\SYSTEM32\awtttst.dll
C:\WINDOWS\SYSTEM32\byxuvwu.dll
C:\WINDOWS\SYSTEM32\cdigadsd.exe
C:\WINDOWS\SYSTEM32\dndxlhpt.exe
C:\WINDOWS\Fonts\avjavcb.dat
C:\WINDOWS\Fonts\avjavbb.dat
C:\WINDOWS\Fonts\avjavab.dat
C:\WINDOWS\Fonts\avjavl.dat
C:\WINDOWS\Fonts\avjavs.dat
C:\WINDOWS\Fonts\avjavp1b.dat
C:\WINDOWS\security\mxlewb.dll
C:\Program Files\MSN\qugata.dll
C:\windows\system32\mljggec.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Rescan with Hijack This, close all browser windows except Hijack This, put a checkmark beside these entries and click fix checked.

O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\jznehsqw.dll

O4 - HKLM\..\Run: [5c3a8109] rundll32.exe "C:\WINDOWS\system32\yxfaqvgy.dll",b

O20 - AppInit_DLLs: c:\windows\system32\mljggec.dll

Reboot and post another Hijack This log please.
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
28-Nov-2007, 03:46 AM #5
Crazy Pop Ups
Avenger,

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\axmbipru

*******************

Script file located at: \??\C:\WINDOWS\system32\ogfavfdq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\jznehsqw.dllbox deleted successfully.
File C:\WINDOWS\SYSTEM32\jznehsqw.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rjnnryfh.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\rpqmpftb.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\qtubjldr.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\itmibdux.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\rfutmvva.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ldrsvpbi.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\oprvxwip.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\uqcroogj.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\kocmbeal.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\instdump.zip deleted successfully.
File C:\WINDOWS\SYSTEM32\acmbdigc.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\uvkkmgqi.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\ljjjghg.dll deleted successfully.
File C:\WINDOWS\mrofinu77.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\khfdefd.dll deleted successfully.
File C:\WINDOWS\mrofinu572.exe deleted successfully.
File C:\WINDOWS\mrofinu1000106.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\mmesqpjg.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\sryeeoyr.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\tmxqjjyo.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\uecovjyf.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\jeumkmak.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\ncbpdtvr.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\oaivnblp.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\ucplwrns.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\pbditgkn.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\bqlfhexs.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\yxfaqvgy.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\fenebust.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\xqkfyimt.dll deleted successfully.
File C:\WINDOWS\17PHolmes572.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\gebbcby.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\vturopo.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\awtttst.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\byxuvwu.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\cdigadsd.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dndxlhpt.exe deleted successfully.
File C:\WINDOWS\Fonts\avjavcb.dat deleted successfully.
File C:\WINDOWS\Fonts\avjavbb.dat deleted successfully.
File C:\WINDOWS\Fonts\avjavab.dat deleted successfully.
File C:\WINDOWS\Fonts\avjavl.dat deleted successfully.
File C:\WINDOWS\Fonts\avjavs.dat deleted successfully.
File C:\WINDOWS\Fonts\avjavp1b.dat deleted successfully.
File C:\WINDOWS\security\mxlewb.dll deleted successfully.


File C:\Program Files\MSN\qugata.dll not found!
Deletion of file C:\Program Files\MSN\qugata.dll failed!

Could not process line:
C:\Program Files\MSN\qugata.dll
Status: 0xc0000034



File C:\windows\system32\mljggec.dll not found!
Deletion of file C:\windows\system32\mljggec.dll failed!

Could not process line:
C:\windows\system32\mljggec.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
28-Nov-2007, 03:59 AM #6
Crazy Pop Ups
HiJack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:49 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TIM\Application Data\Mozilla\Profiles\default\2ffar1ju.slt\prefs.js)
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/...areControl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/overdrive/bin/setup.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 1: Aqua Garden - 6423CD5F-D089-4BF1-88B6-6A359339DAFF
O24 - Desktop Component 2: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 6921 bytes
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,157 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
28-Nov-2007, 10:20 PM #7
How are things now
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
29-Nov-2007, 02:46 AM #8
Crazy Pop Ups
They were fine this morning. However when I came back home this evening they were back again and bad. Here is a HiJack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:12 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\jermjgdw.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TIM\Application Data\Mozilla\Profiles\default\2ffar1ju.slt\prefs.js)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cyyvcegh.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [5c3a8109] rundll32.exe "C:\WINDOWS\system32\vyoujkvv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SPYKILLER] C:\Program Files\Anonymizer\sk\SpyWareKiller.exe /BOOT
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/...areControl.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
O16 - DPF: {FCEAE646-DCF9-4D59-B994-6BD30A315139} - http://www.mtv.com/overdrive/bin/setup.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jermjgdw.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O24 - Desktop Component 1: Aqua Garden - 6423CD5F-D089-4BF1-88B6-6A359339DAFF
O24 - Desktop Component 2: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 7156 bytes
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,157 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
29-Nov-2007, 09:57 PM #9
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    in the Additional scans sections please press select ALL
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
Upload the report as an attachment please.
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
BigBoy26's Avatar
Computer Specs
Junior Member with 13 posts.
  
Join Date: Sep 2007
Experience: Pretty Good
04-Dec-2007, 12:48 AM #10
Crazy Pop Ups
I cannot get it to upload. I have word wrap off on every tab. Should I copy and paste?
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,157 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
04-Dec-2007, 07:46 PM #11
Attaching it is preferred. Can you break it up into separate attachments?
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 11:21 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.