WiredWX Christian Hobby Weather Tools
Antivirus XP, XP Smart Security

Hi, I picked up the Antivirus XP, XP Smart Security virus. I tried to update Java, but when I click on the icon to install it, it thinks about it and then stops. I downloaded HijackThis, but it doesn't load either; when I click on it, it says it is already running. I don't know where to turn next. Thanks for your help.

Re: Antivirus XP, XP Smart Security

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Antivirus XP, XP Smart Security

When I run OTL, it comes up with an error
Access violation at address 94DA2C32 Read of address 94DA2C32

That comes up when it is scanning the HKEY_CURRENT_USER\Internet Explorer settings

Re: Antivirus XP, XP Smart Security

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Re: Antivirus XP, XP Smart Security

I ran exeHelper with no problems; here is the log.

exeHelper by Raktor
Build 20100329
Run at 21:23:41 on 04/11/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Killed process ave.exe
Checking for bad files...
Deleting file C:\WINDOWS\fonts\services.exe
Deleting file C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.dll
Deleting file C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\scandisk.lnk
Deleting file C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepad
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32
Deleting file C:\WINDOWS\system32\regedit.exe
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Removing HKCR\secfile
Resetting userinit and shell values...
Resetting policies...
--Finished--

Re: Antivirus XP, XP Smart Security

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: Antivirus XP, XP Smart Security

I ran OTL again, it comes up with the same error
Access violation at address 94DA2C32 Read of address 94DA2C32

That comes up when it is scanning the HKEY_CURRENT_USER\Internet Explorer settings

Re: Antivirus XP, XP Smart Security

I also wanted to tell you on restarting the computer it said
Can not find C:\WINDOWS\fonts\services.exe
and
Can not load or run C:\WINDOWS\fonts\services.exe

Thanks again

Re: Antivirus XP, XP Smart Security

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.
Post the contents of the MBAM Log.


Re: Antivirus XP, XP Smart Security

I was able (finally) to download the anti-malware software but when it tried to install I got the same access violation message
Access violation at address 94DA2C32 Read of address 94DA2C32

Re: Antivirus XP, XP Smart Security

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Antivirus XP, XP Smart Security

ComboFix 10-04-14.01 - HP_Owner 04/14/2010 21:40:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.619 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
The following files were disabled during the run:
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\ydtrxa.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\csrss.exe
c:\docume~1\HP_Owner\LOCALS~1\Temp\svchost.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\documents and settings\HP_Owner\.COMMgr
c:\documents and settings\HP_Owner\agrsmmsg .exe
c:\documents and settings\HP_Owner\alcxmntr .exe
c:\documents and settings\HP_Owner\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\HP_Owner\Application Data\AntiVirus Plus
c:\documents and settings\HP_Owner\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll
c:\documents and settings\HP_Owner\Application Data\avp.ico
c:\documents and settings\HP_Owner\Application Data\FunWebProducts
c:\documents and settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
c:\documents and settings\HP_Owner\Desktop\AntiVirus Plus.lnk
c:\documents and settings\HP_Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\HP_Owner\Local Settings\Application Data\Windows Server\ydtrxa.dll
c:\documents and settings\HP_Owner\ntload.dll
c:\documents and settings\HP_Owner\rundll32 .exe
c:\documents and settings\HP_Owner\rundll32.exe
c:\documents and settings\HP_Owner\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\HP_Owner\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\HP_Owner\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\HP_Owner\Start Menu\Programs\AntiVirus Plus\Uninstall.lnk
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\ydtrxa.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\ydtrxa.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\ydtrxa.dll.vir
c:\program files\Adobe\acrotray .exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\223A63EF.urr
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\msimg32.dll
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\1.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\1.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\m3srchmn .exe
c:\program files\MyWebSearch\bar\1.bin\m3srchmn.exe
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\mwsoemon .exe
c:\program files\MyWebSearch\bar\1.bin\mwsoemon.exe
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\008580B2.bin
c:\program files\MyWebSearch\bar\Cache\0085842D.bin
c:\program files\MyWebSearch\bar\Cache\00858788.bin
c:\program files\MyWebSearch\bar\Cache\008588A1.bin
c:\program files\MyWebSearch\bar\Cache\06C4EF87.bin
c:\program files\MyWebSearch\bar\Cache\06C505DE.bin
c:\program files\MyWebSearch\bar\Cache\06C50794.bin
c:\program files\MyWebSearch\bar\Cache\06C508AD.bin
c:\program files\MyWebSearch\bar\Cache\0F234E5E
c:\program files\MyWebSearch\bar\Cache\0F235534
c:\program files\MyWebSearch\bar\Cache\0F235747.bin
c:\program files\MyWebSearch\bar\Cache\0F2362A2.bin
c:\program files\MyWebSearch\bar\Cache\0F2365CE.bin
c:\program files\MyWebSearch\bar\Cache\0F23690A.bin
c:\program files\MyWebSearch\bar\Cache\0F236CA4.bin
c:\program files\MyWebSearch\bar\Cache\13BCD360
c:\program files\MyWebSearch\bar\Cache\18EBE82A
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\Protection System
c:\program files\Windows NT\Accessories\svchost.exe
c:\recycler\S-1-5-21-2420815842-893142185-2243674053-1003
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\sc.exe
c:\windows\SC.INS
c:\windows\system\hpsysdrv .exe
c:\windows\system32\107464.exe
c:\windows\system32\1873416.exe
c:\windows\system32\2079409.exe
c:\windows\system32\2420618.exe
c:\windows\system32\3367578.exe
c:\windows\system32\3573267.exe
c:\windows\system32\4336207.exe
c:\windows\system32\4726633.exe
c:\windows\system32\4763.exe
c:\windows\system32\4F3X
c:\windows\system32\5454218.exe
c:\windows\system32\6216654.exe
c:\windows\system32\6532816.exe
c:\windows\system32\6819682.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\7582316.exe
c:\windows\system32\7695276.exe
c:\windows\system32\7904917.exe
c:\windows\system32\8021159.exe
c:\windows\system32\9463465.exe
c:\windows\system32\agrsmmsg .exe
c:\windows\system32\ak954.dll
c:\windows\system32\alcxmntr .exe
c:\windows\system32\BtwSvc.dll
c:\windows\system32\C2H3
c:\windows\system32\certstore.dat
c:\windows\system32\ctfmon .exe
c:\windows\system32\davagadu.exe
c:\windows\system32\dibiyowa.dll
c:\windows\system32\dupefomu.dll
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\FInstall.sys
c:\windows\system32\fubatuzo.dll
c:\windows\system32\hamehalu.dll
c:\windows\system32\hemudapa.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\hovolile.dll
c:\windows\system32\hphmon06 .exe
c:\windows\system32\htmp.030
c:\windows\system32\Install.txt
c:\windows\system32\iphy.dll
c:\windows\system32\jisagade.dll
c:\windows\system32\kopupavo.dll
c:\windows\system32\ms.bin
c:\windows\system32\msejfzrl.dll
c:\windows\system32\msepdlkp.dll
c:\windows\system32\mslgqlaj.dll
c:\windows\system32\msnvkrmf.dll
c:\windows\system32\mssapsmr.dll
c:\windows\system32\msuqddft.dll
c:\windows\system32\notepad.dll
c:\windows\system32\opear.exe
c:\windows\system32\PereSvc.exe
c:\windows\system32\PowerDes.exe
c:\windows\system32\ps2 .exe
c:\windows\system32\regedit .exe
c:\windows\system32\rojisabo.dll
c:\windows\system32\rugozeko.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\ruwiraje.dll
c:\windows\system32\seagate.sys
c:\windows\system32\so.bin
c:\windows\system32\sohibesi.dll
c:\windows\system32\tawagifi.dll
c:\windows\system32\tofanuwo.dll
c:\windows\system32\w.exe
c:\windows\system32\wuaucldt .exe
c:\windows\system32\wuaucldt.exe
c:\windows\system32\yofabutu.dll
c:\windows\system32\yopopanu.dll
c:\windows\system32\yusodipi.dll
c:\windows\system32\zikedama.dll
c:\windows\Tasks\wgdnypat.job
c:\windows\Temp\log.txt
c:\windows\TEMP\mta13187.dll
D:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
hxxp://85.12.18.119
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\userinit.exe

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\spoolsv.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\explorer.exe

Infected copy of c:\windows\system32\srsvc.dll was found and disinfected
Restored copy from - c:\qoobox\Quarantine\C\WINDOWS\system32\4F3X.vir

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_BTWSVC
-------\Legacy_SEAGATE
-------\Service_6to4
-------\Service_BtwSvc
-------\Service_seagate
-------\Legacy_peresvc
-------\Service_peresvc


((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 01:56 . 2004-08-04 04:00 170496 ----a-w- c:\windows\system32\srsvc.dll
2010-04-15 01:56 . 2010-04-15 01:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-04-15 01:19 . 2010-04-15 01:19 230912 --sh--w- c:\windows\system32\jivuvomo.exe
2010-04-12 10:42 . 2010-04-12 10:42 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\AntiVirus Plus
2010-04-12 01:20 . 2010-04-15 02:02 61952 ----a-w- c:\windows\system32\hkcmd.exe
2010-04-10 23:25 . 2010-04-10 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\6ea4e22
2010-04-09 02:05 . 2010-04-15 02:02 61952 ----a-w- c:\documents and settings\HP_Owner\alcxmntr.exe
2010-04-09 02:05 . 2010-04-15 02:02 61952 ----a-w- c:\documents and settings\HP_Owner\agrsmmsg.exe
2010-04-07 00:33 . 1999-12-17 14:13 110592 ----a-w- c:\windows\unvise32.exe
2010-04-07 00:33 . 2010-04-07 00:33 -------- d-----w- c:\program files\PCBugFinderPro
2010-04-06 11:06 . 2010-04-06 11:06 -------- d-----w- c:\windows\system32\GroupPolicy
2010-04-06 11:05 . 2010-04-15 01:24 36864 ----a-w- c:\windows\system32\d.bin
2010-04-06 11:05 . 2010-04-15 01:32 61952 ----a-w- c:\windows\system\hpsysdrv.exe
2010-04-06 02:02 . 2010-04-12 01:21 226304 --sha-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\2269221376.dll
2010-04-06 01:47 . 2010-04-15 02:02 61952 ----a-w- c:\windows\system32\ps2.exe
2010-04-06 01:47 . 2010-04-15 02:02 61952 ----a-w- c:\windows\system32\hphmon06.exe
2010-04-06 01:37 . 2010-04-15 01:33 61952 ----a-w- c:\windows\system32\alcxmntr.exe
2010-04-06 01:37 . 2010-04-15 01:32 61952 ----a-w- c:\windows\system32\agrsmmsg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-15 02:03 . 2010-04-15 02:03 61952 ----a-w- c:\documents and settings\HP_Owner\rundll32.exe
2010-04-15 02:03 . 2010-04-15 02:03 61952 ----a-w- c:\windows\system32\wuaucldt.exe
2010-04-15 02:03 . 2010-04-15 02:03 61952 ----a-w- c:\documents and settings\HP_Owner\rundll32 .exe
2010-04-15 02:03 . 2005-02-26 08:23 -------- d-----w- c:\program files\Microsoft Works
2010-04-15 02:02 . 2005-02-26 08:26 -------- d-----w- c:\program files\QuickTime
2010-04-15 02:02 . 2005-02-26 08:26 -------- d-----w- c:\program files\iTunes
2010-04-15 01:33 . 2010-04-06 01:47 61952 ----a-w- c:\windows\system32\ps2 .exe
2010-04-15 01:32 . 2010-04-06 01:47 61952 ----a-w- c:\windows\system32\hphmon06 .exe
2010-04-15 01:32 . 2010-04-12 01:20 61952 ----a-w- c:\windows\system32\hkcmd .exe
2010-04-14 01:45 . 2010-04-09 02:05 61952 ----a-w- c:\documents and settings\HP_Owner\alcxmntr .exe
2010-04-14 01:45 . 2010-04-09 02:05 61952 ----a-w- c:\documents and settings\HP_Owner\agrsmmsg .exe
2010-04-11 01:48 . 2004-08-04 04:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-10 23:32 . 2010-04-10 23:32 2307072 ----a-w- c:\documents and settings\All Users\Application Data\6ea4e22\SG6ea4.exe
2010-04-07 00:36 . 2004-08-04 04:00 174592 ----a-w- c:\windows\system32\imapi.exe
2010-04-07 00:19 . 2004-08-11 09:45 63488 ----a-w- c:\windows\system32\wdfmgr.exe
2010-04-06 02:12 . 2004-08-04 04:00 160256 ----a-w- c:\windows\system32\taskmgr.exe
2010-04-06 01:45 . 2009-11-05 02:44 -------- d-----w- c:\program files\McAfee
2010-03-30 00:56 . 2005-04-30 04:13 21008 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-03-11 12:38 . 2004-08-04 04:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 04:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-28 12:02 . 2010-02-10 08:21 828808 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-18 02:31 . 2010-02-18 02:28 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\LEGO Company
2010-02-18 02:27 . 2010-02-18 02:27 -------- d-----w- c:\program files\LEGO Company
2010-01-30 14:23 . 2010-01-30 14:23 8704 ----a-w- c:\windows\system32\bootexctrl.exe
2010-01-30 14:23 . 2010-01-30 14:23 11264 ----a-w- c:\windows\system32\defrag_native.exe
2010-01-30 14:23 . 2010-01-30 14:23 9216 ----a-w- c:\windows\system32\wgx.dll
2010-01-30 14:23 . 2010-01-30 14:23 20992 ----a-w- c:\windows\system32\udefrag.exe
2010-01-30 14:23 . 2010-01-30 14:23 39424 ----a-w- c:\windows\system32\lua5.1a_gui.exe
2010-01-30 14:23 . 2010-01-30 14:23 91648 ----a-w- c:\windows\system32\lua5.1a.dll
2010-01-30 14:23 . 2010-01-30 14:23 10752 ----a-w- c:\windows\system32\lua5.1a.exe
2010-01-30 14:23 . 2010-01-30 14:23 8704 ----a-w- c:\windows\system32\udefrag.dll
2010-01-30 14:23 . 2010-01-30 14:23 34816 ----a-w- c:\windows\system32\udefrag-kernel.dll
2010-01-30 14:23 . 2010-01-30 14:23 6144 ----a-w- c:\windows\system32\hibernate4win.exe
2010-01-30 14:23 . 2010-01-30 14:23 24576 ----a-w- c:\windows\system32\zenwinx.dll
2010-01-22 16:53 . 2010-01-22 16:53 882 ----a-w- c:\windows\system32\ud-boot-time.cmd
2004-08-04 04:00 . 2004-08-04 04:00 94784 --sh--w- c:\windows\twain.dll
2004-08-04 04:00 . 2004-08-04 04:00 50688 --sh--w- c:\windows\twain_32.dll
2010-01-12 10:41 . 2010-01-12 10:41 113664 --sha-w- c:\windows\system32\bovenage.exe
2010-01-10 23:25 . 2010-01-10 23:25 113664 --sha-w- c:\windows\system32\gigivada.exe
2010-01-06 11:02 . 2010-01-06 11:02 203776 --sha-w- c:\windows\system32\lipewedi.exe
2004-08-04 04:00 . 2004-08-04 04:00 1028096 --sh--w- c:\windows\system32\mfc42.dll
2004-08-04 04:00 . 2004-08-04 04:00 54784 --sh--w- c:\windows\system32\msvcirt.dll
2004-08-04 04:00 . 2004-08-04 04:00 413696 --sh--w- c:\windows\system32\msvcp60.dll
2004-08-04 04:00 . 2004-08-04 04:00 343040 --sh--w- c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2004-08-04 04:00 550912 --sh--w- c:\windows\system32\oleaut32.dll
2004-08-04 04:00 . 2004-08-04 04:00 83456 --sh--w- c:\windows\system32\olepro32.dll
2004-08-04 04:00 . 2004-08-04 04:00 36352 --sh--w- c:\windows\system32\regsvr32.exe
2010-01-12 10:41 . 2010-01-12 10:41 225280 --sha-w- c:\windows\system32\takavere.exe
2010-01-12 10:41 . 2010-01-12 10:41 114176 --sha-w- c:\windows\system32\wamejawe.exe
2010-01-10 23:25 . 2010-01-10 23:25 225280 --sha-w- c:\windows\system32\yijokuwu.exe
2010-01-15 01:19 . 2010-01-15 01:19 64512 --sha-w- c:\windows\system32\yivoboki.dll
2010-01-10 23:25 . 2010-01-10 23:25 114176 --sha-w- c:\windows\system32\zumidiba.exe
2010-01-10 00:54 . 2010-01-10 00:54 11 --sha-r- c:\windows\system32\GroupPolicy\User\scripts\Logon\autorun.bat
.

Code:

c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\Common Files\AOL\ACS\aoldial .exe
c:\program files\Common Files\AOL\AOL Spyware Protection\aolsp scheduler .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd .exe
c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\hpi_monitor .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre1.6.0_05\bin\jusched .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\Microsoft Works\wkdetect .exe
c:\program files\Microsoft Works\wkfud .exe
c:\program files\Microsoft Works\wkssb .exe
c:\program files\QuickTime\qttask .exe
c:\windows\SMINST\recguard .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\hphmon06 .exe
c:\windows\system32\ps2 .exe
c:\windows\system32\spool\drivers\w32x86\3\e_s4i2p1 .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb10 .exe


------- Sigcheck -------

[-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
[7] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . 410F8A1805EF64C774D67705DF246FBC . 82432 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
[7] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2004-08-04 . 7435B108B935E42EA92CA94F59C8E717 . 57856 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2004-08-04 . 1CE6BC8C02EC15F81991528704474FF7 . 49152 . . [5.1.2600.2180] . . c:\windows\system32\userinit.exe
[7] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\userinit.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 5AEBFF2C786DB09B93D635D788816838 . 1057792 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ctfmon.exe
[-] 2004-08-04 . BF0B3C1773A3AD9EAB3007C0F7315882 . 39936 . . [5.1.2600.2180] . . c:\windows\system32\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-04-06 61952]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [N/A]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 39936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2010-04-15 61952]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2010-04-15 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-15 61952]
"AGRSMMSG"="AGRSMMSG.exe" [2010-04-15 61952]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2010-04-15 61952]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2010-04-15 61952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-15 61952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-15 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2010-04-15 61952]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-04-15 61952]
"PS2"="c:\windows\system32\ps2.exe" [2010-04-15 61952]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2010-04-15 61952]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2010-04-15 61952]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2010-04-06 61952]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2010-04-15 61952]
"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2010-04-15 61952]
"EPSON PictureMate (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2010-04-15 61952]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-15 61952]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2010-04-15 61952]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2010-04-15 61952]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2010-04-15 61952]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2010-04-15 61952]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2010-04-15 61952]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2010-04-15 61952]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-15 61952]
"uxvefl"="c:\windows\system32\mssapsmr.dll" [N/A]
"syncman"="c:\windows\system32\wuaucldt.exe" [2010-04-15 61952]
"fzwkht"="c:\windows\system32\msuqddft.dll" [N/A]
"kelowupugo"="yofabutu.dll" [N/A]
"qyfvwm"="c:\windows\system32\msejfzrl.dll" [N/A]
"gbuekc"="c:\windows\system32\mslgqlaj.dll" [N/A]
"rozidilak"="c:\windows\system32\hemudapa.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"O@"="114f4000" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"syncman"="c:\documents and settings\hp_owner\wuaucldt.exe" [N/A]
"AntiVirus Plus"="c:\documents and settings\HP_Owner\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SGD"="c:\windows\TEMP\takavere.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"mslivemsn"="c:\program files\Windows NT\Accessories\svchost.exe" [N/A]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\ydtrxa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2301:TCP"= 2301:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/4/2009 10:51 PM 93320]
.
Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-04-15 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-04-15 02:03]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-05 17:22]

2010-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-05 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 166.82.1.110:8080
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant =
uCustomizeSearch =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: {1AF07143-BD28-4905-8B88-0E8BEF0E6642} = 83.149.115.157,4.2.2.1,192.168.254.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {EFD3EA56-234D-4240-90EA-CC9FA3AF5A01} - hxxps://care.windstream.com/lwp/static/installers/ALLTELControls.cab
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\vjnwy8m5.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - c:\windows\system32\ak954.dll
BHO-{d0b28c29-ea33-40a1-8fcd-9f5d9f42a963} - tofanuwo.dll
SharedTaskScheduler-{A9BA40A1-74F1-52BD-F431-00B15A2C8953} - c:\windows\system32\ak954.dll
SharedTaskScheduler-{47d45d94-9798-4d7c-8549-1df24a10c563} - c:\windows\system32\hemudapa.dll
SSODL-lujuyodek-{47d45d94-9798-4d7c-8549-1df24a10c563} - c:\windows\system32\hemudapa.dll
AddRemove-AntiVirus Plus - c:\documents and settings\HP_Owner\Application Data\AntiVirus Plus\AntiVirus Plus.55532.dll
AddRemove-HijackThis - c:\documents and settings\HP_Owner\Desktop\HijackThis.exe
AddRemove-Jay Jay Sky Heroes to the Rescue - c:\program files\The Learning Company\Jay Jay Sky Heroes to the Rescue\uninstall.exe
AddRemove-Silent Package Run-Time Sample - c:\program files\epson\guide\picturemate_e\uninstall.exe
AddRemove-Super Collapse 3 - c:\program files\Yahoo! Games\Super Collapse 3\SuperCollapse3\Uninstall.exe
AddRemove-Super Collapse! 3 - c:\progra~1\YAHOO!~1\SUPERC~1\UNWISE.EXE
AddRemove-UnityWebPlayer - c:\program files\Unity\WebPlayer\Uninstall.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
AddRemove-ZSNESw - c:\program files\ZSNESw\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 22:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wuaucldt.exe 61952 bytes executable
c:\windows\system32\ps2 .exe 61952 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EDEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77abfc3
\Driver\ACPI -> ACPI.sys @ 0xf771ecb8
\Driver\atapi -> atapi.sys @ 0xf76d67b4
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
SecurityProcedure -> ntoskrnl.exe @ 0x8059baf0
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf75e3bc3
PacketIndicateHandler -> NDIS.sys @ 0xf75d1a0b
SendHandler -> NDIS.sys @ 0xf75e5b31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(280)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\docume~1\HP_Owner\Desktop\winlogon.scr
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\agent\mcagent .exe
.
**************************************************************************
.
Completion time: 2010-04-14 22:12:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-15 02:12

Pre-Run: 54,003,253,248 bytes free
Post-Run: 54,608,273,408 bytes free

- - End Of File - - 2501C0D497B323B38AFFD7C8DF13E20E

Re: Antivirus XP, XP Smart Security

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc.) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see Here

Instructions on how to format and reinstall Windows can be found Here


Re: Antivirus XP, XP Smart Security

Thanks for all of your help. I just finished reformatting this morning. Everything looks great now
