win32 / nugel.e

I have read the requirements to get help on removing this nasty thing on my pc, however the hijackthis I downloaded but can not open at all. Please advise in helping me remove this.

OK found out how to run any software that I need including the hijackthis software so others having this problem can try this method. I booted my system up in safe mode and now I can open items.

Here is my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:25 PM, on 1/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Lyn Moreno\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://cwebart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: 411BDSM Toolbar -

{0d2b1800-ef08-4e82-9be9-07e5044b5da2} - C:\Program

Files\411BDSM\tb4111.dll
O2 - BHO: 411BDSM Toolbar - {0d2b1800-ef08-4e82-9be9-07e5044b5da2} -

C:\Program Files\411BDSM\tb4111.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) -

{22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl -

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: 411BDSM Toolbar - {0d2b1800-ef08-4e82-9be9-07e5044b5da2} -

C:\Program Files\411BDSM\tb4111.dll
O4 - HKLM\..\Run: [F5D7050v3] C:\Program

Files\Belkin\F5D7050v3\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program

Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program

Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eqpfjyqt] C:\Documents and Settings\Lyn Moreno\Local

Settings\Application Data\ovixmi\kkjosysguard.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Lyn

Moreno\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe"

/nosplash /minimized
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando

Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [eqpfjyqt] C:\Documents and Settings\Lyn Moreno\Local

Settings\Application Data\ovixmi\kkjosysguard.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} -

C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer -

{219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows

Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} -

C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer -

{5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -

C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo

Uploader 5 Control) -

https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploa

der5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash

Object) -

http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)

-

http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.c

ab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -

http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program

Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software

- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program

Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program

Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program

Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner -

C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 6547 bytes

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

OK here it is...took awhile but I got it

ComboFix 10-01-16.04 - Lyn Moreno 01/18/2010 0:41.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.710 [GMT -5:00]
Running from: c:\documents and settings\Lyn Moreno\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Lyn Moreno\Local Settings\Application Data\ovixmi
c:\documents and settings\Lyn Moreno\Local Settings\Application Data\ovixmi\kkjosysguard.exe
c:\documents and settings\Owner\Application Data\02000000d0187c04577C.manifest
c:\documents and settings\Owner\Application Data\02000000d0187c04577O.manifest
c:\documents and settings\Owner\Application Data\02000000d0187c04577P.manifest
c:\documents and settings\Owner\Application Data\02000000d0187c04577S.manifest
c:\program files\Common
c:\recycler\S-1-5-21-4206675551-3995244833-1667161383-1006
c:\recycler\S-1-5-21-4206675551-3995244833-1667161383-1010
c:\recycler\S-1-5-21-4206675551-3995244833-1667161383-500
c:\recycler\S-1-5-21-4206675551-3995244833-1667161383-501
c:\recycler\S-1-5-21-448539723-1972579041-725345543-500
C:\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\Cache
c:\windows\system32\drivers\nfjzq.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_plqzg


((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 02:49 . 2010-01-18 02:49 -------- d-----w- C:\823e6988869b6f29baeefc
2010-01-17 04:47 . 2010-01-18 02:17 -------- d-----w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\PMB Files
2010-01-17 04:47 . 2010-01-17 04:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PMB Files
2010-01-05 11:56 . 2010-01-05 11:56 -------- d-----w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\magicJack
2010-01-02 08:19 . 2010-01-04 13:50 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\Coby Media Manager
2010-01-02 08:19 . 2010-01-02 08:19 -------- d-----w- c:\program files\Coby
2009-12-25 21:55 . 2009-12-25 21:55 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\AnvSoft
2009-12-25 21:55 . 2009-12-25 21:55 -------- d-----w- c:\program files\AnvSoft
2009-12-22 04:29 . 2009-12-22 05:05 69 ----a-w- c:\documents and settings\Lyn Moreno\jagex_runescape_preferences2.dat
2009-12-20 22:00 . 2009-12-20 22:02 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 04:12 . 2006-05-18 16:34 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\Skype
2010-01-18 01:47 . 2009-08-07 18:52 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp
2010-01-17 20:57 . 2009-05-08 21:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-17 04:47 . 2006-06-21 01:34 -------- d-----w- c:\program files\Pando Networks
2010-01-15 05:01 . 2007-05-11 01:22 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-26 08:52 . 2006-05-29 23:11 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-26 08:52 . 2006-05-29 23:11 -------- d-----w- c:\program files\DVDVideoSoft
2009-12-22 04:58 . 2006-06-21 00:32 39 ----a-w- c:\documents and settings\Lyn Moreno\jagex_runescape_preferences.dat
2009-12-04 05:22 . 2009-12-04 05:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PopCap
2009-12-03 05:06 . 2006-05-18 16:36 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\skypePM
2009-11-26 22:26 . 2009-11-26 22:26 -------- d-----w- c:\program files\The Game Creators
2009-11-26 22:26 . 2005-05-22 07:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-26 21:51 . 2009-11-26 21:51 -------- d-----w- c:\program files\LG Electronics
2009-11-25 19:37 . 2009-11-25 19:37 -------- d-----w- c:\program files\Opera
2009-11-24 23:54 . 2009-04-30 20:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-30 20:53 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-30 20:53 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-30 20:53 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-30 20:53 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-30 20:53 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-30 20:53 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-30 20:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-30 20:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 22:00 . 2009-04-30 21:15 836418 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-11-06 20:23 . 2009-04-30 21:25 36792 ----a-w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 20:16 . 2009-10-20 20:16 70984 ----a-w- c:\documents and settings\Lyn Moreno\g2mdlhlpx.exe
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0d2b1800-ef08-4e82-9be9-07e5044b5da2}"= "c:\program files\411BDSM\tb4111.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]
2009-11-08 21:58 2166296 -c--a-w- c:\program files\411BDSM\tb4111.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{0d2b1800-ef08-4e82-9be9-07e5044b5da2}"= "c:\program files\411BDSM\tb4111.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{0D2B1800-EF08-4E82-9BE9-07E5044B5DA2}"= "c:\program files\411BDSM\tb4111.dll" [2009-11-08 2166296]

[HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-17 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-26 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Lyn Moreno\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Documents and Settings\\Lyn Moreno\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57582:TCP"= 57582:TCP:Pando Media Booster
"57582:UDP"= 57582:UDP:Pando Media Booster

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/30/2009 3:53 PM 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/30/2009 3:53 PM 20560]
S3 Mouhpsgaiwx;Mouhpsgaiwx; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cwebart.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\WINNT_x86-msvc\components\winprocess.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-eqpfjyqt - c:\documents and settings\Lyn Moreno\Local Settings\Application Data\ovixmi\kkjosysguard.exe
HKLM-Run-eqpfjyqt - c:\documents and settings\Lyn Moreno\Local Settings\Application Data\ovixmi\kkjosysguard.exe
AddRemove-HijackThis - c:\documents and settings\Lyn Moreno\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 00:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
.
Completion time: 2010-01-18 01:04:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-18 06:04

Pre-Run: 12,648,644,608 bytes free
Post-Run: 15,040,102,400 bytes free

- - End Of File - - 1E444868BB2DAC555E40212FB6585A8B

AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

So, ComboFix did not warn you about disabling your antivirus?
That would be why it took a while!

==

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   SecCenter::
   AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
   
   Registry::
   [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
   "{0d2b1800-ef08-4e82-9be9-07e5044b5da2}"=-
   [-HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]
   [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
   "{0d2b1800-ef08-4e82-9be9-07e5044b5da2}"=-
   [-HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]
   [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
   "{0D2B1800-EF08-4E82-9BE9-07E5044B5DA2}"=-
   [-HKEY_CLASSES_ROOT\clsid\{0d2b1800-ef08-4e82-9be9-07e5044b5da2}]
   
   Folder::
   c:\program files\411BDSM
   
   NetSvc::
   Mouhpsgaiwx
   
   DDS::
   uStart Page = hxxp://cwebart.com/
   uInternet Settings,ProxyServer = http=127.0.0.1:5555
   uInternet Settings,ProxyOverride =

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

This will reset your homepage. After your computer is fully clean, feel free to set it back to what it was before.

Yes it warned me about disabling AVAST, and I went to AVAST opened and stopped it, however maybe working only in safe mode it didn't work.I don't know, but I couldn't get it to close at that time. Thought I did till it ran the report.

Here is the new log.


ComboFix 10-01-16.04 - Lyn Moreno 01/18/2010 21:35:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.614 [GMT -5:00]
Running from: c:\documents and settings\Lyn Moreno\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lyn Moreno\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\411BDSM
c:\program files\411BDSM\411BDSMToolbarHelper.exe
c:\program files\411BDSM\INSTALL.LOG
c:\program files\411BDSM\tb4110.dll
c:\program files\411BDSM\tb4111.dll
c:\program files\411BDSM\tb411B.dll
c:\program files\411BDSM\toolbar.cfg
c:\program files\411BDSM\UNWISE.EXE

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-18 15:19 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\in00000\setup.exe
2010-01-18 15:19 . 2009-12-24 16:54 730032 ---ha-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ar00000\install.exe
2010-01-18 15:19 . 2008-02-29 12:42 386496 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ar00000\magicJackSplash.exe
2010-01-18 02:49 . 2010-01-18 02:49 -------- d-----w- C:\823e6988869b6f29baeefc
2010-01-17 04:47 . 2010-01-18 15:49 -------- d-----w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\PMB Files
2010-01-17 04:47 . 2010-01-17 04:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PMB Files
2010-01-17 03:30 . 2007-12-30 10:01 307200 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-01-17 03:30 . 2007-12-30 10:01 172032 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-01-17 03:30 . 2007-12-30 10:01 90112 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
2010-01-05 11:57 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\Upgrade\setup2.exe
2010-01-05 11:57 . 2009-12-24 16:54 730032 ---ha-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\Upgrade\install2.exe
2010-01-05 11:56 . 2010-01-05 11:56 -------- d-----w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\magicJack
2010-01-02 08:19 . 2010-01-04 13:50 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\Coby Media Manager
2010-01-02 08:19 . 2010-01-02 08:19 50098 ----a-r- c:\documents and settings\Lyn Moreno\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\controlPanelIcon.exe
2010-01-02 08:19 . 2010-01-02 08:19 10134 ----a-r- c:\documents and settings\Lyn Moreno\Application Data\Microsoft\Installer\{3643EF5F-D28D-4B25-9FA1-8859FC303710}\SystemFolder_msiexec.exe
2010-01-02 08:19 . 2010-01-02 08:19 -------- d-----w- c:\program files\Coby
2009-12-25 21:55 . 2009-12-25 21:55 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\AnvSoft
2009-12-25 21:55 . 2009-12-25 21:55 -------- d-----w- c:\program files\AnvSoft
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\cdloader2.exe
2009-12-22 04:29 . 2009-12-22 05:05 69 ----a-w- c:\documents and settings\Lyn Moreno\jagex_runescape_preferences2.dat
2009-12-20 22:00 . 2009-12-20 22:02 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 02:33 . 2006-05-18 16:34 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\Skype
2010-01-18 15:19 . 2009-08-07 18:52 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\mjusbsp
2010-01-17 20:57 . 2009-05-08 21:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-17 04:47 . 2006-06-21 01:34 -------- d-----w- c:\program files\Pando Networks
2010-01-15 05:01 . 2007-05-11 01:22 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-26 08:52 . 2006-05-29 23:11 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-12-26 08:52 . 2006-05-29 23:11 -------- d-----w- c:\program files\DVDVideoSoft
2009-12-22 04:58 . 2006-06-21 00:32 39 ----a-w- c:\documents and settings\Lyn Moreno\jagex_runescape_preferences.dat
2009-12-07 13:39 . 2009-12-18 13:08 57856 ----a-w- c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\WINNT_x86-msvc\components\winprocess.dll
2009-12-04 05:22 . 2009-12-04 05:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PopCap
2009-12-03 05:06 . 2006-05-18 16:36 -------- d-----w- c:\documents and settings\Lyn Moreno\Application Data\skypePM
2009-11-26 22:26 . 2009-11-26 22:26 -------- d-----w- c:\program files\The Game Creators
2009-11-26 22:26 . 2005-05-22 07:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-26 21:51 . 2009-11-26 21:51 -------- d-----w- c:\program files\LG Electronics
2009-11-25 19:37 . 2009-11-25 19:37 -------- d-----w- c:\program files\Opera
2009-11-24 23:54 . 2009-04-30 20:52 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-04-30 20:53 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-04-30 20:53 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-04-30 20:53 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-04-30 20:53 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-04-30 20:53 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-04-30 20:53 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-04-30 20:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-04-30 20:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-06 22:00 . 2009-04-30 21:15 836418 ----a-w- c:\windows\XSitePro2 Uninstaller.exe
2009-11-06 20:23 . 2009-04-30 21:25 36792 ----a-w- c:\documents and settings\Lyn Moreno\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Lyn Moreno\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-17 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-31 1654784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-8-26 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Lyn Moreno\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Lyn Moreno\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57582:TCP"= 57582:TCP:Pando Media Booster
"57582:UDP"= 57582:UDP:Pando Media Booster

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/30/2009 3:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/30/2009 3:53 PM 20560]
S3 Mouhpsgaiwx;Mouhpsgaiwx; [x]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\Lyn Moreno\Application Data\Mozilla\Firefox\Profiles\4ass787b.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\WINNT_x86-msvc\components\winprocess.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-411BDSM Toolbar - c:\progra~1\411BDSM\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-01-18 21:48:40
ComboFix-quarantined-files.txt 2010-01-19 02:48
ComboFix2.txt 2010-01-18 06:04

Pre-Run: 14,972,645,376 bytes free
Post-Run: 14,953,185,280 bytes free

- - End Of File - - 7A9B5DB85ED5DBAED31E23FCF421C003

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

here is my report after scanning....and I selected all, removed and rebooted.


Malwarebytes' Anti-Malware 1.44
Database version: 3596
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/19/2010 2:14:51 AM
mbam-log-2010-01-19 (02-14-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 472596
Time elapsed: 2 hour(s), 0 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\My Documents\UseNeXT\wizard\Adobe CS3 Keygens\Adobe Web Premium CS3 Keygen + Activation ZWT.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\UseNeXT\wizard\Adobe CS3 Keygens\Audition 2.0 keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\UseNeXT\wizard\Adobe CS3 Keygens\Contribute CS3 Keygen VLK.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Lyn Moreno\Local Settings\Application Data\ovixmi\kkjosysguard.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A13E7037-8021-4227-8D12-9D7D11A72F37}\RP304\A0072338.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A13E7037-8021-4227-8D12-9D7D11A72F37}\RP304\A0072478.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A13E7037-8021-4227-8D12-9D7D11A72F37}\RP304\A0072575.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A13E7037-8021-4227-8D12-9D7D11A72F37}\RP305\A0072776.sys (Malware.Trace) -> Quarantined and deleted successfully.

Your computer has keygens, which is a form of software piracy. What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?

Most popular cracks or keygens I see, are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware," which is a form of spyware or viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer, will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.

Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.

==

Please download Cheetah-Anti-Rogue, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  
• Double-click on Cheetah-Anti-Rogue.cmd to start.
  
• It will finish quickly and launch a log.
  
• Post the contents of it in your next reply.

I don't know where that came from unless it was from a trial somewhere. I seen that too and wondered where this cs3 was? I only use cs on my pc...looks like there are alot of things hȋdden on here. I will do this other step you recommend and reply back.

Cheetah Anti-Rogue v1.1.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 01/19/2010 - Time: 3:01:59 - Arch.: x86 - Mode?


-- Known infection --



Extra message: Detection only.


EOF

Please download Rooter and Save it to your desktop

1. Double click it to start the tool.
   
2. Click Scan.
   
3. Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
   

here it is ....I have been up for 20 hours trying to get rid of this...


Ok here is the report

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 3 Stepping 4, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.5.7 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:74 Go - Free:13 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [Removable]
G:\ [CD_Rom]
H:\ [Removable]
.
Scan : 04:39.37
Path : C:\Documents and Settings\Lyn Moreno\Desktop\Rooter.exe
User : Lyn Moreno ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (584)
______ \??\C:\WINDOWS\system32\csrss.exe (636)
______ \??\C:\WINDOWS\system32\winlogon.exe (660)
______ C:\WINDOWS\system32\services.exe (704)
______ C:\WINDOWS\system32\lsass.exe (740)
______ C:\WINDOWS\system32\svchost.exe (904)
______ C:\WINDOWS\system32\svchost.exe (952)
______ C:\WINDOWS\System32\svchost.exe (1048)
______ C:\WINDOWS\system32\svchost.exe (1088)
______ C:\WINDOWS\system32\svchost.exe (1132)
______ C:\WINDOWS\system32\svchost.exe (1268)
______ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (1504)
______ C:\Program Files\Alwil Software\Avast4\ashServ.exe (1560)
______ C:\WINDOWS\system32\spoolsv.exe (136)
______ C:\WINDOWS\system32\svchost.exe (232)
______ C:\Program Files\Java\jre6\bin\jqs.exe (364)
______ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (412)
______ C:\WINDOWS\system32\svchost.exe (508)
______ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (1292)
______ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (1316)
______ C:\WINDOWS\System32\alg.exe (1716)
______ C:\WINDOWS\Explorer.EXE (2004)
______ C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe (2212)
______ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (2220)
______ C:\WINDOWS\RTHDCPL.EXE (2236)
______ C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (2280)
______ C:\Program Files\Skype\Phone\Skype.exe (2384)
______ C:\Program Files\Pando Networks\Media Booster\PMB.exe (2444)
______ C:\WINDOWS\system32\ctfmon.exe (2464)
______ C:\Program Files\Brother\ControlCenter3\brccMCtl.exe (2492)
______ C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe (2888)
______ C:\Documents and Settings\Lyn Moreno\Application Data\mjusbsp\magicJack.exe (2640)
______ C:\WINDOWS\system32\wuauclt.exe (3512)
______ C:\Program Files\Mozilla Firefox\firefox.exe (1500)
______ C:\Documents and Settings\Lyn Moreno\Desktop\Rooter.exe (2128)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:80023716864)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 04:39.54
.
C:\Rooter$\Rooter_1.txt - (19/01/2010 | 04:39.54)

Time to finish...

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

I have been up for 18 hours already...LOL...but here you go


Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 14
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

I just have one more question....The software in question earlier and as I was scanning reports and watching, I noticed these were on the computer along time ago before I nuked it last year. I remember when I was trying to reinstall windows it asked me to remove all of the partitions...which I did chose yes to override everything. Seems to me that the partition was not overwritten. can this be a cause for some of these problems? if so how do I get rid of that and all files contained there?

Thank you again for all your help!

It is recommended to just delete the files. If you delete a partition, you may erase necessary data.

Unless if you have more than one partition?

now I do. I am sure that when I reloaded windows, it created a parition cause I can not find these other files on my system. Thank you for all your help I will continue to recommend your services.