Windows Media Player (and more) not working due to, I think, some kind of virus

[Crivello]

Hi,

Here is the back story, if you will excuse me: About a week ago I had a lot of viruses (Trojan horses and worms if I remember rightly) and spyware on my computer. I got rid of lots of them using antivirus and anti-spyware programs (Avira for the viruses, Spybot Search and Destroy for the spyware) and then sorted out my registry using a registry cleaner program (Registry Mechanic).

After this I also defragmented my C drive which worked fine except that it said that it could not defrag certain files. (I can retrieve the names of these files for you if there is a need).

Everything seemed to be working fine after this except that windows media player will no longer rip CDs at its usual speed. In fact it is very, very slow and almost impossible to use for ripping CDs. I have also noticed that avira antivirus also takes a very long time to download updates.

Another thing is that Spybot S&D keeps telling me that an important registry has been changed, usually when I turn the computer on and also at seemingly random times throughout the day. Other than this the computer works as usual.

All this leads me to believe that there is still some kind of unsavory file or something running around in my computer. Thus I have come here for the possible help of some experts. Thank you.

here is the DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Joe at 16:40:22.32 on 23/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.204 [GMT 0:00]

AV: avast! antivirus 4.8.1335 [VPS 090223-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\1216407286\ee\AOLSoftware.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Micronet SP907GK Wireless Network Utility\RtWLan.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Works\wkswp.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Documents and Settings\Joe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uDefault_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=4061121
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uURLSearchHooks: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit0.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar BHO: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit0.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [EPSON Stylus C62 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HostManager] c:\program files\common files\aol\1216407286\ee\AOLSoftware.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lgsync~1.lnk - c:\program files\lg pc suite\lg pc sync\LGSyncManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lgsync~2.lnk - c:\program files\lg pc suite\lg pc sync\LGSyncManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micronet sp907gk wireless network utility.lnk - c:\program files\micronet sp907gk wireless network utility\RtWLan.exe
IE: &Winamp Toolbar Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?aa2581a214914817a2641556328c6cab
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?aa2581a214914817a2641556328c6cab
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joe\applic~1\mozilla\firefox\profiles\apcpt3ma.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1304867&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-26 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-26 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-1-5 38144]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-1-12 13696]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-1-12 13568]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2009-1-5 238976]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-26 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-26 352920]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-21 29744]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-5-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-5-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-5-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-5-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-5-11 77072]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-23 16:29 250 a------- c:\windows\gmer.ini
2009-02-22 22:05 900,015 a------- c:\windows\system32\TmpA3345000
2009-02-22 21:05 <DIR> --d----- c:\program files\ACW
2009-02-22 20:53 <DIR> --d----- c:\program files\CCleaner
2009-02-16 12:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-16 12:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-16 12:34 <DIR> --d----- c:\docume~1\joe\applic~1\Antispyware
2009-02-16 12:34 <DIR> --d----- c:\program files\Antispyware
2009-02-15 11:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2009-02-15 11:48 233,472 a------- c:\windows\system32\REX Shared Library.dll
2009-02-15 11:48 <DIR> --d----- c:\docume~1\joe\applic~1\Propellerhead Software
2009-02-13 12:33 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{A7D85626-A409-49D8-A79F-BB044F909E62}
2009-02-13 12:14 225,280 a------- c:\windows\system32\rewire.dll
2009-02-13 12:14 <DIR> --d----- c:\program files\VstPlugins
2009-02-13 12:14 1,294,336 a------- c:\windows\system32\vorbis.acm
2009-02-13 12:13 <DIR> --d----- c:\program files\Outsim
2009-02-13 12:10 <DIR> --d----- c:\program files\Image-Line
2009-02-11 19:26 <DIR> --d----- c:\program files\DNA
2009-02-11 19:26 <DIR> --d----- c:\docume~1\joe\applic~1\DNA
2009-02-11 14:42 <DIR> --d----- c:\program files\Mixxx
2009-01-27 17:09 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-26 20:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-25 12:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd

==================== Find3M ====================

2009-02-22 14:52 58,580 ac------ c:\docume~1\joe\applic~1\wklnhst.dat
2009-02-11 21:32 5,694 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-05 11:14 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-01-04 11:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 09:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-09-03 15:33 478,720 a------- c:\documents and settings\joe\_online.exe

============= FINISH: 16:41:31.18 ===============

[Crivello]

Bump please.

[tetonbob]

Hello -

I'm not seeing an active infection, but there are what seem to be inactive remnants.

=============================================

Quote:

then sorted out my registry using a registry cleaner program (Registry Mechanic).

Regarding registry cleaners..

We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

Another excellent article by Bill Castner is located here.

=============================================

Quote:

Another thing is that Spybot S&D keeps telling me that an important registry has been changed, usually when I turn the computer on and also at seemingly random times throughout the day.

What registry item is changed? Exact location is required to help you. Do you Allow or Deny the change?

=============================================

Regarding BitZipperSearch Toolbar, you may want to read this, as it's listed as Open to Debate.

http://www.systemlookup.com/CLSID/52...bBit1_dll.html

=============================================

Regarding Windows Media Player, it may need a reinstall, or you may wish to seek guidance in the Windows XP support forum once we're done here. The staff and members in that area will be better able to assist you with that. Our focus in this section of the forum is malware removal.

=============================================

There are a few items I'd like a bit more information on.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  
  Code:

  :dir
  c:\Documents and Settings\joe\Application Data\Antispyware /s
  c:\Program Files\Antispyware /s
  C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd /s
  
  :file
  c:\documents and settings\joe\_online.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

=============================================

Please go to: VirusTotal

• On the page you'll find a "Browse" button.
  
• Next to the browse button you'll see a box to enter text.
• Please copy/paste the following:
  
  c:\documents and settings\joe\_online.exe
  
  
• Then click the "Send File " button just below.
• This will scan the file. Please be patient.
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Once scanned, copy and paste the results in your next reply.
  
• Please repeat for the following files:
  
  • 
    c:\windows\system32\TmpA3345000
    

[Crivello]

Thanks for the help. Having read the article that you linked on registry cleaners I will not use it again. I seem to have wasted quite a bit of money on that...

Anyway. with regards to your question about the registry changes that I am being informed of by spybot S&D: It tells me that ctfmon.exe has been added or deleted in system32. I did some research about this and it seems that if the file is in system32 then it is a normal windows file but if it is elsewhere then it can be spyware etc. Thus far it has only been in system 32 though. There is another registry file that has been coming up but it has not happened for a while and I cannot remember the name. if it comes up again then I will tell you immediately.

I will uninstall the bitzipper toolbar as I have little use for it anyway and if it may cause problems then it is definitely not worth it.

Here is the systemlook log:

SystemLook v1.0 by jpshortstuff (25.02.09)
Log created at 17:15 on 26/02/2009 by Joe (Administrator - Elevation successful)

========== dir ==========

c:\docume~1\joe\Applic~1\Antispyware - Parameters: "/s"

---Files---
None found.

c:\Program Files\Antispyware - Parameters: "/s"

---Files---
None found.

C:\docume~1\alluse~1\Applic~1\CrucialSoft Ltd - Parameters: "/s"

---Files---
None found.

========== file ==========

c:\documents and settings\joe\_online.exe - File found and opened.
MD5: 9106F9FADDCE8B65F736DA5B8951C01E
Created at 15:28 on 03/09/2008
Modified at 15:33 on 03/09/2008
Size: 478720 bytes
Attributes: --a---
No version information available.

-=End Of File=-

Virustotal scan results for c:\documents and settings\joe\_online.exe :

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.26 -
AntiVir 7.9.0.93 2009.02.26 -
Authentium 5.1.0.4 2009.02.26 -
Avast 4.8.1335.0 2009.02.25 -
AVG 8.0.0.237 2009.02.26 -
BitDefender 7.2 2009.02.26 -
CAT-QuickHeal 10.00 2009.02.26 -
ClamAV 0.94.1 2009.02.26 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.26 -
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.26 -
Ikarus T3.1.1.45.0 2009.02.26 -
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.26 -
McAfee 5536 2009.02.25 -
McAfee+Artemis 5536 2009.02.25 -
Microsoft 1.4306 2009.02.26 -
NOD32 3893 2009.02.26 -
Norman 6.00.06 2009.02.26 -
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.26 -
Prevx1 V2 2009.02.26 -
Rising 21.18.32.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 -
Sophos 4.39.0 2009.02.26 -
Sunbelt 3.2.1858.2 2009.02.25 -
Symantec 10 2009.02.26 -
TheHacker 6.3.2.5.265 2009.02.25 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 -
ViRobot 2009.2.26.1625 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.26 -

File size: 478720 bytes
MD5...: 9106f9faddce8b65f736da5b8951c01e
SHA1..: 7f80b5dec9462c26017ca644cc00509788f74834
SHA256: 454f59eabf5b306223e34b8eb34993525dc7972924afafe8365f45fcb2a807bb
SHA512: 3548469ebf79c058db35e09cca4560420232bd9fc82528bb42e305d7c97f03dc
58dfe0dfc171f45147a1cad58b07f9a3d42d28bc31497b3f24443999aa931fda
ssdeep: 12288:vleU+ctjdrUq8C6ZYfqRb1X+5XGhfiHSFnG7Ax:vleUlRUq8C4c0bM5XG8
HSn
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x53e001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x57000 0x24c00 8.00 a9a4942d07ea49fd6afbaba287388c71
DATA 0x58000 0x2000 0xc00 7.68 ac7648fd8f2a0fd2f51c9f3c9cb0c336
BSS 0x5a000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x5b000 0x3000 0xe00 7.60 c0207fcf35f258dcc7ec900c64bad3e2
.tls 0x5e000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x5f000 0x1000 0x200 0.20 a03a95e1573bac8db89f5fc8db64018e
.reloc 0x60000 0x6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x66000 0xd8000 0x4c600 8.00 7e4a3cc76108d882c051e054fef82503
.aspack 0x13e000 0x2000 0x1c00 6.34 464daf8e5721b76b476878420a228692
.adata 0x140000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 11 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA
> gdi32.dll: UnrealizeObject
> user32.dll: WindowFromPoint
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteA
> wsock32.dll: WSACleanup

( 0 exports )
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=9106f9faddce8b65f736da5b8951c01e' target='_blank'>http://www.threatexpert.com/report.aspx?md5=9106f9faddce8b65f736da5b8951c01e</a>
packers (Kaspersky): ASPack
packers (F-Prot): Aspack
CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=9106f9faddce8b65f736da5b8951c01e' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=9106f9faddce8b65f736da5b8951c01e</a>

Virustotal scan result for c:\windows\system32\TmpA3345000

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.26 -
AntiVir 7.9.0.93 2009.02.26 -
Authentium 5.1.0.4 2009.02.26 -
Avast 4.8.1335.0 2009.02.25 -
AVG 8.0.0.237 2009.02.26 -
BitDefender 7.2 2009.02.26 -
CAT-QuickHeal 10.00 2009.02.26 -
ClamAV 0.94.1 2009.02.26 -
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 -
eSafe 7.0.17.0 2009.02.26 -
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.26 -
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 -
GData 19 2009.02.26 -
Ikarus T3.1.1.45.0 2009.02.26 -
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.26 -
McAfee 5536 2009.02.25 -
McAfee+Artemis 5536 2009.02.25 -
Microsoft 1.4306 2009.02.26 -
NOD32 3893 2009.02.26 -
Norman 6.00.06 2009.02.26 -
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 -
PCTools 4.4.2.0 2009.02.26 -
Prevx1 V2 2009.02.26 -
Rising 21.18.32.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 -
Sophos 4.39.0 2009.02.26 -
Sunbelt 3.2.1858.2 2009.02.25 -
Symantec 10 2009.02.26 -
TheHacker 6.3.2.5.265 2009.02.25 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 -
ViRobot 2009.2.26.1625 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.26 -
Additional information
File size: 900015 bytes
MD5...: 12607690e2d7f4a1217316885a9f423d
SHA1..: 445ee8644fdd5d187a94ce49c671e29ba9c77606
SHA256: 331407afd68602fbc65ab998b0f5f022b8ad4584f7be689aa92d9ac174eee4a5
SHA512: a0b18746925f1ef2d725ee7af05a3e7a40c41c5c587664ef61bda5bb9da9f93e
404d24bbfce099e73b6e185281af0cf306b5819f0324c0e7c0d7b2468f782729
ssdeep: 24576:aiZ+F/cF71kSJg4xtBVBMgo7raCsKE3i6GHp:aiya1kuzBVOvfMKE3+p
PEiD..: -
TrID..: File type identification
OGG Vorbis Audio (77.7%)
OGG stream (generic) (22.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: -



(I wasn't sure if all the information about antiviruses was relevant but since it came up I posted it in case it is)

[tetonbob]

ctfmon in your case would seem to be related to MS Works and language/advanced text functions.

These folders are empty, likely leftovers from a rogueware install, they can be manually deleted:

c:\Documents and Settings\joe\Application Data\Antispyware
c:\Program Files\Antispyware
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd

You may need to set hidden folders to viewable:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

=============================================

I'd like to run an online scan, to see if anything is lurking.

First....

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7


These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall these older versions when you update, nor tell you that you should. Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

Leave Java(TM) 6 Update 11 alone, as it has the most recent security updates.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

[Crivello]

After deleting the old java updates that you told me about the kaspersky online scan will now not work properly. It starts up and then tells me that it could not start java applet and I need to go online to use it. However, I am online.

Do you know why it might be doing this or what I might be able to do to sort this out?

[tetonbob]

If you left j6u11 installed, the online scan should still work.

In IE > Go to Tools > Internet Options > Advanced tab. Click Reset then OK and exit IE 7.

Re-open IE 7 and ensure the Java add-ons are enabled.



==================

If still no joy, try using one of these scanners.

Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
• Click Scan
• Wait for the scan to finish
• Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic.

[Crivello]

I ran the Panda scan. You can find the results attached.

It found 14 problems of low danger. Most if not all were cookies.

[tetonbob]

Have you intentionally installed Zumie Search? It's also known as adware.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

[Crivello]

Here is the combofix log:

ComboFix 09-02-28.01 - Joe 2009-03-01 10:37:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.108 [GMT 0:00]
Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090227-0] *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Performanceoptimizer (Free)
c:\windows\system32\x64
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Legacy_ZUMIE_SEARCH_SERVICE
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-28 12:03 . 2009-02-28 12:03 23,392 --a------ c:\windows\system32\nscompat.tlb
2009-02-28 12:03 . 2009-02-28 12:03 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-02-27 07:55 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-02-26 19:13 . 2009-02-26 19:13 <DIR> d-------- c:\program files\Panda Security
2009-02-25 17:52 . 2009-02-25 17:52 <DIR> d-------- c:\program files\Security Task Manager
2009-02-25 17:52 . 2009-02-25 17:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-02-24 15:50 . 2009-02-24 15:50 <DIR> d-------- c:\documents and settings\Joe\Application Data\MAGIX
2009-02-24 15:48 . 2009-02-24 15:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\MAGIX
2009-02-24 15:48 . 2003-04-18 15:29 44,544 --a------ c:\windows\system32\msxml4a.dll
2009-02-24 15:45 . 2009-02-24 15:45 <DIR> d-------- c:\program files\Common Files\MAGIX Shared
2009-02-24 15:45 . 2004-08-11 19:53 38,912 --a------ c:\windows\system32\mgxasio.dll
2009-02-24 15:45 . 2004-03-11 15:49 14,182 --a------ c:\windows\system32\DLLAV32.lib
2009-02-24 15:42 . 2009-02-24 15:49 <DIR> d-------- c:\windows\system32\MAGIX
2009-02-24 15:42 . 1998-10-15 16:28 85,504 --a------ c:\windows\system32\HtmlWH.dll
2009-02-23 16:29 . 2009-02-23 16:29 250 --a------ c:\windows\gmer.ini
2009-02-22 22:05 . 2009-02-22 22:05 900,015 --a------ c:\windows\system32\TmpA3345000
2009-02-22 21:05 . 2009-02-22 21:05 <DIR> d-------- c:\program files\ACW
2009-02-22 20:53 . 2009-02-22 20:53 <DIR> d-------- c:\program files\CCleaner
2009-02-16 12:51 . 2009-02-16 13:02 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-16 12:51 . 2009-02-25 18:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-15 11:48 . 2009-02-15 11:48 <DIR> d-------- c:\documents and settings\Joe\Application Data\Propellerhead Software
2009-02-15 11:48 . 2009-02-15 11:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Propellerhead Software
2009-02-15 11:48 . 2009-02-15 11:48 233,472 --a------ c:\windows\system32\REX Shared Library.dll
2009-02-13 12:33 . 2009-02-13 12:33 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{A7D85626-A409-49D8-A79F-BB044F909E62}
2009-02-13 12:14 . 2009-02-22 22:02 <DIR> d-------- c:\program files\VstPlugins
2009-02-13 12:14 . 2002-07-07 22:14 1,294,336 --a------ c:\windows\system32\vorbis.acm
2009-02-13 12:14 . 2006-06-20 08:56 225,280 --a------ c:\windows\system32\rewire.dll
2009-02-13 12:13 . 2009-02-13 12:13 <DIR> d-------- c:\program files\Outsim
2009-02-13 12:10 . 2009-02-22 22:05 <DIR> d-------- c:\program files\Image-Line
2009-02-11 19:26 . 2009-02-19 13:07 <DIR> d-------- c:\program files\DNA
2009-02-11 19:26 . 2009-02-19 13:05 <DIR> d-------- c:\documents and settings\Joe\Application Data\DNA
2009-02-11 14:42 . 2009-02-22 22:04 <DIR> d-------- c:\program files\Mixxx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 10:44 --------- d-----w c:\documents and settings\Joe\Application Data\skypePM
2009-03-01 10:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-28 11:59 --------- d-----w c:\documents and settings\Joe\Application Data\foobar2000
2009-02-28 11:55 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-28 11:06 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-28 11:02 --------- d-----w c:\documents and settings\Joe\Application Data\Skype
2009-02-27 13:20 58,442 -c--a-w c:\documents and settings\Joe\Application Data\wklnhst.dat
2009-02-26 18:19 --------- d-----w c:\program files\BitZipperSearch
2009-02-25 18:32 --------- d-----w c:\program files\Java
2009-02-23 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-02-16 14:24 --------- d-----w c:\program files\Free Offers from Freeze.com
2009-02-11 21:32 5,694 -csha-w c:\windows\system32\KGyGaAvL.sys
2009-01-28 22:06 11,342 -c--a-w c:\documents and settings\Josie\Application Data\wklnhst.dat
2009-01-28 21:57 --------- d-----w c:\documents and settings\Josie\Application Data\Corel
2009-01-24 11:40 --------- d-----w c:\documents and settings\Joe\Application Data\dvdcss
2009-01-18 17:09 --------- d-----w c:\documents and settings\Joe\Application Data\ScanSoft
2009-01-18 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\ScanSoft
2009-01-18 17:08 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2009-01-18 17:07 --------- d-----w c:\program files\ScanSoft
2009-01-18 17:05 --------- d-----w c:\program files\Common Files\CANON
2009-01-18 17:05 --------- d-----w c:\program files\Canon
2009-01-18 17:02 --------- d--h--w c:\program files\CanonBJ
2009-01-18 17:02 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-01-16 21:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 17:12 --------- d-----w c:\program files\iTunes
2009-01-16 17:10 --------- d-----w c:\program files\Last.fm
2009-01-05 11:14 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-01-05 11:14 --------- d-----w c:\program files\Micronet SP907GK Wireless Network Utility
2009-01-05 11:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-05 11:13 --------- d-----w c:\documents and settings\Joe\Application Data\InstallShield
2009-01-04 11:45 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-19 09:10 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-09-03 15:33 478,720 ----a-w c:\documents and settings\Joe\_online.exe
2008-05-02 17:47 574 -c--a-w c:\documents and settings\Camilla\Application Data\wklnhst.dat
2008-09-06 22:21 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-08-29 10:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082920080830\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-29 21755688]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-06 29744]
"EPSON Stylus C62 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HostManager"="c:\program files\Common Files\AOL\1216407286\ee\AOLSoftware.exe" [2006-09-26 50736]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-11-21 156784]
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-04-05 966756]
LG Sync Manager.lnk - c:\program files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-04-09 282624]
LG SyncManager.lnk - c:\program files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-04-09 282624]
Micronet SP907GK Wireless Network Utility.lnk - c:\program files\Micronet SP907GK Wireless Network Utility\RtWLan.exe [2009-01-05 794624]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\1216407286\\ee\\aolsoftware.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-27 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-26 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-26 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-01-05 38144]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-01-12 13696]
R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-01-12 13568]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2009-01-05 238976]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-05-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-05-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-05-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-05-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-05-11 77072]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AOL ACS
*Deregistered* - Apple Mobile Device
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - Creative Service for CDROM Access
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - EPSONStatusAgent2
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - HTTPFilter
*Deregistered* - IAANTMON
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-02-27 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (DGZXSL2J-admin).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{97bceb59-cfcd-4b16-a863-b3f72cf9f196} - (no file)
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\apcpt3ma.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1304867&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 10:43:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-01 10:52:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 10:52:02

Pre-Run: 27,513,028,608 bytes free
Post-Run: 30,002,515,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

314 --- E O F --- 2009-02-25 13:21:44

[tetonbob]

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

[Crivello]

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Advanced WindowsCare Personal
Antispyware
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ARTEuro
Audacity 1.2.6
avast! Antivirus
BitZipper 5.0.4
Bonjour
Canon MP Navigator EX 1.0
Canon MP210 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCG Maker
CCleaner (remove only)
Cinergy MPPS
Corel Paint Shop Pro Photo XI
Corel Snapfire Plus
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
Dell CinePlayer
Dell Driver Reset Tool
Dell Network Assistant
Dell Support 3.2.1
Dell System Restore
DivX Web Player
DNA
EPSON Printer Software
Eusing Free Registry Cleaner
Firebird SQL Server - MAGIX Edition (US)
foobar2000 v0.9.5.6
Google Desktop
Google Earth
Google Photos Screensaver
Google Updater
High Definition Audio Driver Package - KB835221
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
iTunes
Java(TM) 6 Update 11
Last.fm 1.5.2.38918
Learn2 Player (Uninstall Only)
LG PC Suite
LG PC Sync
LiveUpdate 2.6 (Symantec Corporation)
MAGIX Music Manager 2006 (US)
MAGIX Photo Manager 2006 (US)
MCU
Micronet SP907GK Wireless Network Utility
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft XML Parser
Mozilla Firefox (3.0.6)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
OpenMG Limited Patch 3.4-04-17-06-01
OpenMG Secure Module 3.4.01
OpenOffice.org Installer 1.0
Orange Preload
Panda ActiveScan 2.0
Picasa 2
Power Tab Editor 1.7
QuickTime
RealPlayer
Registry Mechanic 8.0
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SAGEM F@st 800-840
ScanSoft OmniPage SE 4
SearchAssist
Security Task Manager 1.7g
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
Skype™ 3.8
Smart Menus (Windows Live Toolbar)
Sonic Activation Module
Sonic Update Manager
SonicStage 2.0.06
Sony Ericsson PC Suite
Spybot - Search & Destroy
Switch Sound File Converter
Tabbed Browsing (Windows Live Toolbar)
Text-To-Speech-Runtime
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
URL Assistant
VideoLAN VLC media player 0.8.6f
Viewpoint Media Player
WebFldrs XP
Winamp
Winamp Toolbar
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar
ZENcast Organizer

[tetonbob]

How is the machine behaving now?

[Crivello]

I have not noticed any problems with it recently apart from the aforementioned media player being slow (which I will take to the relevant section after we have finished with this as you suggested).

The combofix might well have done the job. Thank you for the help. If there is anything else that needs doing then please tell me.

[tetonbob]

From a malware perspective, we should be done here. For the Windows Media Player issue, please follow up in the Windows XP section of the forum.

A few housekeeping details and protection information for you to take forward:


Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[Crivello]

Thanks again for the help. I will be sure to protect my computer better in the future.

[tetonbob]

Glad to help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.