BDS/Agent

Hi

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   KillAll::
   
   File::
   c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe
   c:\program files\Weemi\weemi.dll
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 09-10-11.01 - HP_Owner 10/11/2009 15:44.15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.353 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe"
"c:\program files\Weemi\weemi.dll"
.

((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 09:46 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SulusGames
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-09-20 02:21 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-11_12.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-11 22:54 . 2009-10-11 22:54 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 15:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-10-11 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 23:03
ComboFix2.txt 2009-10-11 12:12
ComboFix3.txt 2009-04-13 23:03

Pre-Run: 8,782,032,896 bytes free
Post-Run: 8,743,329,792 bytes free

209 --- E O F --- 2009-09-10 05:02

Hi, let's try again.

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   KillAll::
   
   Rootkit::
   c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe
   c:\program files\Weemi\weemi.dll
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 09-10-11.01 - HP_Owner 10/11/2009 23:41.16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.284 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:08 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-11_12.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-12 06:51 . 2009-10-12 06:51 16384 c:\windows\temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-10-12 23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 06:59
ComboFix2.txt 2009-10-11 23:03
ComboFix3.txt 2009-10-11 12:12
ComboFix4.txt 2009-04-13 23:03

Pre-Run: 8,753,082,368 bytes free
Post-Run: 8,714,100,736 bytes free

204 --- E O F --- 2009-09-10 05:02

Hi

This is being rather difficult. Weemi is malicious software, and ComboFix is not able to remove it. So it must be done manually.

Please print these instructions or copy and paste them to Notepad and save to your Desktop.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Enable the viewing of hȋdden files

• Click Start.
  
• Open My Computer.
  
• Select the Tools menu and click Folder Options.
  
• Select the View tab.
  
• Select the Show hȋdden files and folders option.
  
• Deselect the Hide file extensions for known types option.
  
• Deselect the Hide protected operating system files option.
  
• Click Yes to confirm.
  
• Click OK.
  

Navigate to and delete these folders:

C:\Program Files\Weemi
c:\documents and settings\All Users\Application Data\Weemi

If it gives you any issues on deleting them, follow this tutorial to take ownership of them, so then you can delete them: http://support.microsoft.com/kb/308421

Reboot your computer back to Normal Mode and please tell me if you are experiencing the same issues.

Everything seems fine, I am no longer receiving pop-ups after rebooting.

Edit: Just received this from Avira...

Virus or unwanted program 'BDS/Agent.fhh [backdoor]'
detected in file 'C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP206\A0037117.exe.
Action performed: Deny access

Hi

That can be gotten rid of easily by clearing System Restore:

Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
CCleaner (remove only)
Java(TM) 6 Update 15
Java(TM) SE Development Kit 6 Update 14
Java DB 10.4.2.1
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Cool.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Noticed Weemi is still listed on HijackThis, should I ignore this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:07 PM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Go%20Go%20Gourmet%20-%20Chef%20of%20the%20Year/Images/stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99b9e8f903320) (gupdate1c99b9e8f903320) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Weemi Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Weemi\weemi121.exe (file missing)

--
End of file - 6356 bytes

It seems there is no file there to help the program run any more, which is good. To be safe, fix that entry.

Open HijackThis, and Do a System Scan only. Place a checkmark next to this entry:
O23 - Service: Weemi Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Weemi\weemi121.exe (file missing)

Click Fix Checked. Close HijackThis.

Reboot your computer. Then, that should disappear. How is your computer running?

It's great, thank you. I really appreciate all you've done.