Full Version: 100% Infected... Please Help
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
99%
Hi
It seems that I've been infected out of nowhere and would really appreciate some help.
Also, I had some programs called "System Defender" and "Anti Virus Pro" recommended to remove the virus, so I downloaded them. But I think the virus recommended them to me =/ and a bubble keeps popping up asking me to download more.
I have uninstalled them manually because I can no longer access "Add/Remove Programs".

Well, here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:19 PM, on 1/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\!xSpeedPro\!xSpeedPro.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardeme2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeedPro\!xSpeedPro.exe reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: .protected
O4 - Startup: findfast.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: autorun.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87D431DF-8AFE-4B41-9517-0448F1B5EAC1}: NameServer = 64.136.52.73 64.136.44.73
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 5741 bytes


I noticed this "O4 - HKLM\..\Run: [Printer] C:\WINDOWS\System32\printer.exe". I haven't ever installed one; maybe that's the virus?
Bobbi Flekman
Hi 99%,

Please download SmitfraudFix

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
99%
I think I did everything correctly... not just the background saying I'm infected like before, but the little pop-up warning me is gone..

Here's the RAPPORT report.

SmitFraudFix v2.277

Scan done at 12:28:43.12, Thu 01/31/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\shell.exe Deleted
C:\WINDOWS\system32\printer.exe Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\spoolvs.exe Deleted
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\findfast.exe Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



New HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:12 PM, on 1/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\!xSpeedPro\!xSpeedPro.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.44.66;64.136.52.66;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;*.advertising.com;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8220D7D3-B114-463E-BD1D-B5B07D2AC77E} - C:\WINDOWS\System32\auth.dll
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardeme2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeedPro\!xSpeedPro.exe reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4515 bytes


Thanks a lot for the help. =)
Bobbi Flekman
Hi 99%,

QUOTE
I think I did everything correctly... not just the background saying I'm infected like before, but the little pop-up warning me is gone..
If I am correct, you should be able to change the background to whatever you want. If not, we'll look into it.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

I see a program that is a password stealer in your log (though it says it is gone). Please check all the passwords you use and watch whether strange things are happening. Also check your bank accounts.

QUOTE
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe


Do you know what this is? I cannot find information on it. If you don't, please submit the file at http://www.bleepingcomputer.com/submit-malware.php?channel=7 and I'll take a look at it.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: (no name) - {8220D7D3-B114-463E-BD1D-B5B07D2AC77E} - C:\WINDOWS\System32\auth.dll
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardeme2.dll (file missing)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\auth.dll
C:\WINDOWS\System32\tardeme2.dll
C:\WINDOWS\system32\wowfx.dll

Restart your computer and post a new log in this thread.
99%
Bobbi, for some time now I haven't had a System32 folder =/ I don't know when, why or how it got "deleted"; I can't find it... although HijackThis and other apps say it's there. Any suggestions for opening it?
Also, I will post my new log as soon as the Java downloads.

Oh, and I have no idea what the Bluetooth application is doing on my computer. I think the virus put it on; I never used to have such a thing.
99%
My new log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:32 PM, on 2/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\!xSpeedPro\!xSpeedPro.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201927460.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeedPro\!xSpeedPro.exe reg
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87D431DF-8AFE-4B41-9517-0448F1B5EAC1}: NameServer = 64.136.52.73 64.136.44.73
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4516 bytes
Bobbi Flekman
Hi 99%,

In my instructions I also showed how to get hidden files and folders to show. Have you followed those instructions?

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201927460.dll

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.


Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\auth.dll
C:\WINDOWS\System32\tardeme2.dll
C:\WINDOWS\system32\wowfx.dll

Delete the following folders in red (it could be that they are deleted already):

C:\Program Files\Helper

Restart your computer and post a new log in this thread.
99%
Thanks for the help! =)

Here's my new log.. every time I delete C:\WINDOWS\system32\wowfx.dll it re-creates itself a couple of seconds later..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:07 PM, on 2/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Application Data\antivirus.exe
C:\Program Files\NetZero\exec.exe
C:\!xSpeedPro\!xSpeedPro.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeedPro\!xSpeedPro.exe reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87D431DF-8AFE-4B41-9517-0448F1B5EAC1}: NameServer = 64.136.52.73 64.136.44.73
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4219 bytes
Bobbi Flekman
Hi 99%,

QUOTE
Here's my new log.. every time I delete C:\WINDOWS\system32\wowfx.dll it re-creates itself a couple of seconds later..
Which is why we're going to be a little less nice...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

When ComboFix is done, please restart the computer, start HijackThis, click on "Scan" and check the boxes next to all these items. It could be that ComboFix took care of them, but just in case they are still there.

O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\ctfmona.exe <-- Take care not to delete the ctfmon.exe as that is legit. This is the one with the added a, as in ctfmonA.exe
C:\WINDOWS\system32\wowfx.dll
C:\Documents and Settings\Owner\Application Data\antivirus.exe

Restart your computer and post a new log in this thread.
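The helper's calls in this thread come down to a handful of repeatable judgements: a Winlogon Shell= line that launches more than Explorer.exe (F2), an AppInit_DLLs entry (O20), a policy that disables regedit (O7), BHOs whose DLL no longer exists (O2), binaries autostarting from a user profile or dropped bare into a Startup folder (O4), and file names one edit away from a real Windows binary, like spoolvs.exe beside spoolsv.exe in the first log and the ctfmonA.exe warning just above. The script below is an added example, not code from this thread, from HijackThis, or from SmitfraudFix/ComboFix; it encodes those heuristics and runs them over lines excerpted from the logs posted here. The KNOWN_GOOD name list is an assumption for illustration only, not an authoritative allow-list.

```python
"""Heuristic triage of HijackThis log lines.

Added example (not from the thread, HijackThis, SmitfraudFix or ComboFix).
KNOWN_GOOD is an assumed illustration list, not a real allow-list.
"""
import re
from dataclasses import dataclass

# Assumption: Windows XP binaries whose names droppers commonly imitate.
KNOWN_GOOD = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
              "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "wuauclt.exe"}

_DRIVE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl))', re.I)
_PROFILE_DIR = re.compile(r'\\(Documents and Settings|DOCUME~1)\\', re.I)
_HJT_LINE = re.compile(r'(F\d|O\d+|R\d)\s*-\s*(.*)')


@dataclass
class Finding:
    kind: str    # short category
    line: str    # offending log line, verbatim
    reason: str  # why it was flagged


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent swap each cost 1, so spoolvs.exe vs spoolsv.exe is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name: str):
    """Legitimate binary that `name` imitates (distance exactly 1), else None.
    A threshold of 1 keeps short real names such as smc.exe (2 from smss.exe) clean."""
    name = name.lower()
    if not name or name in KNOWN_GOOD:
        return None
    best = min(KNOWN_GOOD, key=lambda good: edit_distance(name, good))
    return best if edit_distance(name, best) == 1 else None


def _basename(body: str) -> str:
    paths = _DRIVE_PATH.findall(body)
    return paths[0].rsplit("\\", 1)[-1] if paths else ""


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing here looks wrong."""
    line = line.strip()
    if re.match(r'[A-Za-z]:\\', line):  # bare path in the "Running processes" block
        good = lookalike(_basename(line))
        if good:
            return Finding("lookalike", line, f"{_basename(line)} imitates {good}")
        if _PROFILE_DIR.search(line):
            return Finding("profile-process", line, "process running from a user profile directory")
        return None
    m = _HJT_LINE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section == "F2" and "Shell=" in body:
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            return Finding("shell-hijack", line, "Winlogon Shell launches something besides Explorer.exe")
    if section == "O20" and "AppInit_DLLs" in body and _DRIVE_PATH.search(body):
        return Finding("appinit-dll", line, "AppInit_DLLs loads this DLL into every user-mode process")
    if section == "O7" and "DisableRegedit=1" in body:
        return Finding("policy", line, "Registry Editor disabled by policy")
    if section == "O2" and ("(no file)" in body or "(file missing)" in body):
        return Finding("orphan-bho", line, "BHO registered but its DLL is gone")
    if section == "O4":
        name = _basename(body)
        good = lookalike(name)
        if good:
            return Finding("lookalike", line, f"{name} imitates {good}")
        if _PROFILE_DIR.search(body):
            return Finding("profile-autostart", line, "autostart binary lives in a user profile directory")
        if "Startup:" in body and ".lnk" not in body:
            return Finding("startup-folder", line, "bare file in a Startup folder instead of a shortcut")
    return None


def triage_log(text: str):
    """Run triage_line over a whole log and return the Findings in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample: lines excerpted from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\shell.exe
C:\Documents and Settings\Owner\Application Data\antivirus.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardeme2.dll (file missing)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\System32\ctfmona.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\System32\spoolvs.exe
O4 - Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.kind:17}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage_log(open("hijackthis.log").read())`. The checks are deliberately narrow: printer.exe in the Run key and shell.exe in the process list pass every rule here, which is exactly why the helper reached for SmitfraudFix's signature list rather than eyeballing alone, and a lookalike threshold of 1 means a name two edits away (sks~1\scanregw.exe, say) is not caught either.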
99%
The link to download ComboFix doesn't work at the moment.. I downloaded it from http://www.forospyware.com/sUBs/ComboFix.exe

Well, here's my ComboFix log..

ComboFix 08-02.05.3 - Owner 2008-02-08 0:13:08.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\Documents and Settings\Owner\Application Data\printer.exe
C:\Program Files\winupdates
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\scanregw.exe
C:\WINDOWS\system32\strike12.dll
C:\WINDOWS\system32\strike45.dll
C:\WINDOWS\system32\wowfx.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 00:17 . 67,584 C:\CD Burning Stash File.bin
2008-02-07 23:30 . 2008-02-07 23:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\EasySpywareCleaner.com
2008-02-07 23:29 . 2008-02-07 23:44 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-02-07 19:46 . 2008-02-08 00:18 <DIR> d-------- C:\Program Files\NetZero
2008-02-03 23:44 . 2008-02-03 23:44 69,790 --a------ C:\Documents and Settings\Owner\Application Data\32103.exe
2008-02-03 11:11 . 2008-02-03 11:11 269,334 --a------ C:\WINDOWS\system32\knqpsb.bmp
2008-02-03 00:17 . 2008-02-03 00:17 269,334 --a------ C:\WINDOWS\system32\gratcfilsf.bmp
2008-02-02 23:28 . 2008-02-02 23:28 269,334 --a------ C:\WINDOWS\system32\nelsrih.bmp
2008-02-02 10:49 . 2008-02-02 10:49 269,334 --a------ C:\WINDOWS\system32\ormdkbmdonil.bmp
2008-02-02 00:26 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-02 00:24 . 2008-02-02 00:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-01 12:27 . 2008-02-01 12:27 269,334 --a------ C:\WINDOWS\system32\dcfmton.bmp
2008-01-31 12:33 . 2008-01-31 12:33 269,334 --a------ C:\WINDOWS\system32\bahsrqtsjit.bmp
2008-01-31 12:28 . 2008-01-31 12:28 1,402 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 12:05 . 2008-01-31 12:05 269,334 --a------ C:\WINDOWS\system32\tgnalsb.bmp
2008-01-30 21:30 . 2008-01-30 21:30 269,334 --a------ C:\WINDOWS\system32\elojmlcj.bmp
2008-01-30 20:57 . 2008-01-30 20:57 269,334 --a------ C:\WINDOWS\system32\edgfipgbipsn.bmp
2008-01-30 20:54 . 2008-01-30 20:54 269,334 --a------ C:\WINDOWS\system32\lgbmp.bmp
2008-01-30 17:37 . 2008-01-30 17:37 269,334 --a------ C:\WINDOWS\system32\pkjmd.bmp
2008-01-30 17:11 . 2008-01-30 17:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Anti-Virus-Pro.com
2008-01-30 16:33 . 2008-01-30 16:33 269,334 --a------ C:\WINDOWS\system32\nelgjmd.bmp
2008-01-30 16:33 . 2008-01-30 16:33 26,176 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-01-30 16:32 . 2005-05-30 16:36 98,709 --a------ C:\Documents and Settings\Owner\Application Data\sysdefender.exe
2008-01-30 16:20 . 2005-06-12 02:33 18,944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-01-19 16:06 . 2008-01-19 16:06 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-17 21:39 . 2008-01-17 21:39 <DIR> d-------- C:\Program Files\Soft-Central
2008-01-17 20:10 . 2008-01-17 20:10 <DIR> d-------- C:\ConTemp
2008-01-17 00:02 . 2008-01-17 23:36 <DIR> d-------- C:\Program Files\NewLive All Audio To Mp3 Converter
2008-01-13 22:57 . 2008-01-13 22:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 08:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetZero
2008-02-06 15:10 --------- d-----w C:\Program Files\LimeWire
2008-02-06 03:52 --------- d-----w C:\Program Files\Graffiti Studio 2.0
2008-02-02 08:26 --------- d-----w C:\Program Files\Java
2008-01-14 06:59 --------- d-----w C:\Program Files\Winamp
2008-01-13 08:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRight Pro
2007-12-20 05:20 --------- d-----w C:\Program Files\Aimb0yd
2007-12-19 21:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:04 --------- d-----w C:\Program Files\NHN USA
2007-12-11 08:00 --------- d-----w C:\Program Files\iTunes
2007-12-09 19:37 --------- d-----w C:\Program Files\WinAce
2007-12-09 19:34 --------- d-----w C:\Program Files\HGI
2007-12-08 09:13 --------- d-----w C:\Program Files\Trend Micro
2006-07-31 05:15 40 ----a-w C:\Documents and Settings\Owner\language.dat
2006-07-19 05:47 3,072 --sha-w C:\Program Files\Thumbs.db
2005-10-16 03:56 280,064 ----a-w C:\Documents and Settings\Owner\Application Data\tizhook.bin
2005-10-16 03:54 297,281 ----a-w C:\Documents and Settings\Owner\Application Data\tizupd.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2007-03-06 16:00 1629184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 13:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 13:51 118784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-06-30 14:56 2376928]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 09:58 278528]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-08 18:44 155648]
"!xSpeed"="C:\!xSpeedPro\!xSpeedPro.exe" [2003-10-21 23:29 32256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"ctfmona"="C:\WINDOWS\System32\ctfmona.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll, wowfx.dll

R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 11:53]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\System32\Drivers\BW2NDIS5.sys []
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys []
S3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []
S3 kaspersky1;kaspersky1;C:\Documents and Settings\Owner\Desktop\MSHACKS\KASPERSKY\kaspersky.sys []
S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\System32\DRIVERS\mqdmbus.sys [2006-07-13 12:58]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\System32\DRIVERS\mqdmmdfl.sys [2006-07-13 13:02]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\System32\DRIVERS\mqdmmdm.sys [2006-07-13 13:03]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\System32\DRIVERS\mqdmserd.sys [2006-07-13 13:03]
S3 Revolution1;Revolution1;C:\Documents and Settings\Owner\Desktop\Game Stuffed\MH\gb\Revolution_Engine_8.3_ShaK3\SHAK3.sys [2007-07-01 22:26]
S3 sejt1;sejt1;C:\Documents and Settings\Owner\Desktop\Akuma Engine\sejt.sys []
S3 SiwvidStart;SiwvidStart;C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\siwvid.sys []
S3 xp1;xp1;C:\Documents and Settings\Owner\Desktop\xpengine\xp.sys []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 00:17:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\!xSpeedPro\hook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-08 0:21:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 08:21:03


I still can't seem to get rid of that darn wowfx.dll

HJThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:16 AM, on 2/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\!xSpeedPro\!xSpeedPro.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windowsupdate.com;*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosite.com;*.dir.untd.com;*.prod.untd.com;*.2mdn.net;cf.netzero.net;qs.netzero.net;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!xSpeed] C:\!xSpeedPro\!xSpeedPro.exe reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87D431DF-8AFE-4B41-9517-0448F1B5EAC1}: NameServer = 64.136.52.73 64.136.44.73
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4151 bytes
Bobbi Flekman
Hi 99%,

QUOTE
The link to download ComboFix doesn't work atm.. I d/l'ed from http://www.forospyware.com/sUBs/ComboFix.exe
I've updated my link. Thanks.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Restart your computer and rerun ComboFix. Please post the resulting log.
99%
Here's my ComboFix log

ComboFix 08-02.05.3 - Owner 2008-02-08 23:10:03.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wowfx.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-08 22:52 . 2008-02-08 22:53 <DIR> d-------- C:\Program Files\NetZero
2008-02-08 00:10 . 2003-07-16 12:25 375,808 --a------ C:\kmd.exe
2008-02-07 23:29 . 2008-02-07 23:44 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-02-03 11:11 . 2008-02-03 11:11 269,334 --a------ C:\WINDOWS\system32\knqpsb.bmp
2008-02-03 00:17 . 2008-02-03 00:17 269,334 --a------ C:\WINDOWS\system32\gratcfilsf.bmp
2008-02-02 23:28 . 2008-02-02 23:28 269,334 --a------ C:\WINDOWS\system32\nelsrih.bmp
2008-02-02 10:49 . 2008-02-02 10:49 269,334 --a------ C:\WINDOWS\system32\ormdkbmdonil.bmp
2008-02-02 00:26 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-02 00:24 . 2008-02-02 00:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-01 12:27 . 2008-02-01 12:27 269,334 --a------ C:\WINDOWS\system32\dcfmton.bmp
2008-01-31 12:33 . 2008-01-31 12:33 269,334 --a------ C:\WINDOWS\system32\bahsrqtsjit.bmp
2008-01-31 12:28 . 2008-01-31 12:28 1,402 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-31 12:05 . 2008-01-31 12:05 269,334 --a------ C:\WINDOWS\system32\tgnalsb.bmp
2008-01-30 21:30 . 2008-01-30 21:30 269,334 --a------ C:\WINDOWS\system32\elojmlcj.bmp
2008-01-30 20:57 . 2008-01-30 20:57 269,334 --a------ C:\WINDOWS\system32\edgfipgbipsn.bmp
2008-01-30 20:54 . 2008-01-30 20:54 269,334 --a------ C:\WINDOWS\system32\lgbmp.bmp
2008-01-30 17:37 . 2008-01-30 17:37 269,334 --a------ C:\WINDOWS\system32\pkjmd.bmp
2008-01-30 16:33 . 2008-01-30 16:33 269,334 --a------ C:\WINDOWS\system32\nelgjmd.bmp
2008-01-30 16:33 . 2008-01-30 16:33 26,176 --a------ C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-01-30 16:20 . 2005-06-28 04:01 18,944 --a------ C:\WINDOWS\system32\wowfx.dll.bak
2008-01-30 16:20 . 2005-06-10 23:16 18,944 --a------ C:\WINDOWS\system32\wowfx.dll
2008-01-19 16:06 . 2008-01-19 16:06 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-17 21:39 . 2008-01-17 21:39 <DIR> d-------- C:\Program Files\Soft-Central
2008-01-17 20:10 . 2008-01-17 20:10 <DIR> d-------- C:\ConTemp
2008-01-17 00:02 . 2008-01-17 23:36 <DIR> d-------- C:\Program Files\NewLive All Audio To Mp3 Converter
2008-01-13 22:57 . 2008-01-13 22:59 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 02:29 --------- d-----w C:\Program Files\Graffiti Studio 2.0
2008-02-06 15:10 --------- d-----w C:\Program Files\LimeWire
2008-02-02 08:26 --------- d-----w C:\Program Files\Java
2008-01-14 06:59 --------- d-----w C:\Program Files\Winamp
2008-01-13 08:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRight Pro
2007-12-20 05:20 --------- d-----w C:\Program Files\Aimb0yd
2007-12-19 21:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:04 --------- d-----w C:\Program Files\NHN USA
2007-12-11 08:00 --------- d-----w C:\Program Files\iTunes
2007-12-09 19:37 --------- d-----w C:\Program Files\WinAce
2007-12-09 19:34 --------- d-----w C:\Program Files\HGI
2006-07-31 05:15 40 ----a-w C:\Documents and Settings\Owner\language.dat
2006-07-19 05:47 3,072 --sha-w C:\Program Files\Thumbs.db
2005-10-16 03:56 280,064 ----a-w C:\Documents and Settings\Owner\Application Data\tizhook.bin
2005-10-16 03:54 297,281 ----a-w C:\Documents and Settings\Owner\Application Data\tizupd.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2005-11-15 11:12 776704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 13:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 13:51 118784]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-06-30 14:56 2376928]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 09:58 278528]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-08 18:44 155648]
"!xSpeed"="C:\!xSpeedPro\!xSpeedPro.exe" [2003-10-21 23:29 32256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\wowfx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll, wowfx.dll

R3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\System32\DRIVERS\loop.sys [2001-08-17 11:53]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\System32\Drivers\BW2NDIS5.sys []
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys []
S3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\Gunbound Revolution\GameGuard\dump_wmimmc.sys []
S3 kaspersky1;kaspersky1;C:\Documents and Settings\Owner\Desktop\MSHACKS\KASPERSKY\kaspersky.sys []
S3 mqdmbus;Motorola DM Composite Driver (WDM);C:\WINDOWS\System32\DRIVERS\mqdmbus.sys [2006-07-13 12:58]
S3 mqdmmdfl;Motorola USB Modem (Filter);C:\WINDOWS\System32\DRIVERS\mqdmmdfl.sys [2006-07-13 13:02]
S3 mqdmmdm;Motorola USB Modem;C:\WINDOWS\System32\DRIVERS\mqdmmdm.sys [2006-07-13 13:03]
S3 mqdmserd;Motorola USB Diag;C:\WINDOWS\System32\DRIVERS\mqdmserd.sys [2006-07-13 13:03]
S3 Revolution1;Revolution1;C:\Documents and Settings\Owner\Desktop\Game Stuffed\MH\gb\Revolution_Engine_8.3_ShaK3\SHAK3.sys [2007-07-01 22:26]
S3 sejt1;sejt1;C:\Documents and Settings\Owner\Desktop\Akuma Engine\sejt.sys []
S3 SiwvidStart;SiwvidStart;C:\DOCUME~1\Owner\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\siwvid.sys []
S3 xp1;xp1;C:\Documents and Settings\Owner\Desktop\xpengine\xp.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 23:15:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\!xSpeedPro\hook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
**************************************************************************
.
Completion time: 2008-02-08 23:18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 07:18:14
ComboFix2.txt 2008-02-08 08:21:14


Thanks so much for the help!
Bobbi Flekman
Hi 99%,

Grrrr.... Still not gone. Let's try it a different way.

Open Notepad (Start - Run, type notepad and press Enter) and copy/paste the following text into the Notepad textbox:
CODE
File::
C:\WINDOWS\system32\wowfx.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll"


Save this as "CFScript" (include the "quotation marks" with the name).


Referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed, a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
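Both fixes in this thread (the fixme.reg file and the CFScript) target the same two persistence points that keep reappearing in the ComboFix "Reg Loading Points" section: the AppInit_DLLs value under the Windows NT key and the SecurityProviders list. The script below is an added example, not code from the thread or from ComboFix, that reads that section of a log, reports any AppInit_DLLs entry (the value is normally empty on a home XP machine) and any SecurityProviders entry not on a known-good baseline, and emits a REGEDIT4 file of the same shape the helper wrote. The sample log text is constructed from the format shown above; the baseline list is an assumption (it is the five entries the helper kept) and should be adjusted for the build being examined.

```python
import re

# Baseline of SecurityProviders entries treated as expected. ASSUMPTION: these are
# the five the helper in this thread retained; adjust to the system you examine.
KNOWN_GOOD_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll",
                        "msnsspc.dll", "xlibgfl254.dll")

WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
PROVIDERS_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
SAMPLE_LOG = """\
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" [2004-08-20 13:55 155648]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"appinit_dlls"=C:\\WINDOWS\\system32\\wowfx.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll, wowfx.dll
"""


def parse_loading_points(text):
    """Extract AppInit_DLLs and SecurityProviders from a 'Reg Loading Points' dump.

    Handles the REGEDIT4 form ("name"="value") and the bare form ComboFix prints
    for SecurityProviders ('SecurityProviders a.dll, b.dll')."""
    result = {"appinit_dlls": [], "security_providers": []}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()   # registry key header
            continue
        if current_key == WINDOWS_KEY:
            m = re.match(r'^"?appinit_dlls"?\s*=\s*"?(.*?)"?\s*$', line, re.IGNORECASE)
            if m and m.group(1) and m.group(1) != "-":
                # Comma-delimited; spaces are kept because paths may contain them.
                result["appinit_dlls"] = [p.strip() for p in m.group(1).split(",") if p.strip()]
        elif current_key == PROVIDERS_KEY:
            m = re.match(r'^"?securityproviders"?\s*=?\s*"?(.*?)"?\s*$', line, re.IGNORECASE)
            if m and m.group(1):
                result["security_providers"] = [p.strip() for p in m.group(1).split(",") if p.strip()]
    return result


def find_suspicious(parsed, known_good=KNOWN_GOOD_PROVIDERS):
    """Report every AppInit_DLLs entry (normally empty) and every provider not on the baseline."""
    good = {g.lower() for g in known_good}
    return {
        "appinit_dlls": list(parsed["appinit_dlls"]),
        "unknown_providers": [p for p in parsed["security_providers"] if p.lower() not in good],
    }


def build_fix_reg(parsed, known_good=KNOWN_GOOD_PROVIDERS):
    """Build a REGEDIT4 file of the shape used in the thread: '=-' deletes AppInit_DLLs,
    and SecurityProviders is rewritten with the unknown entries removed. '' if nothing to do."""
    findings = find_suspicious(parsed, known_good)
    if not findings["appinit_dlls"] and not findings["unknown_providers"]:
        return ""
    lines = ["REGEDIT4", ""]
    if findings["appinit_dlls"]:
        lines += ["[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]",
                  '"appinit_dlls"=-', ""]
    if findings["unknown_providers"]:
        keep = [p for p in parsed["security_providers"] if p not in findings["unknown_providers"]]
        lines += ["[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]",
                  '"SecurityProviders"="%s"' % ", ".join(keep), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_loading_points(SAMPLE_LOG)
    print("findings:", find_suspicious(parsed))
    print(build_fix_reg(parsed))
```

Run against the constructed sample it flags C:\WINDOWS\system32\wowfx.dll under AppInit_DLLs and wowfx.dll as the one provider outside the baseline, and the generated file matches the helper's fixme.reg. Reviewing the generated file before merging it is the point of the design: the parser only reports and proposes, it does not touch the registry, and a provider missing from the baseline is a prompt to verify the file, not proof that it is malicious.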