WiredWX Christian Hobby Weather Tools

Spyware 2009/BankerFox.A/Win32

I have Spyware 2009 alert popping up every time I log in.
XP Police (which I've never heard of) keeps popping up trying to get me to purchase antivirus software.
I have McAfee and PCSafe Adware installed and have run multiple scans.
McAfee quarantines a file, but doesn't seem to be able to fix the other 2.
I also get pop-ups saying BankerFox.A and Win32/Nuqel.E are trying to infiltrate the system, to which I select "Block Attack", but they continue and continue to pop up.
I googled these viruses for removal help and got directed to your website.
Can you help me?

Re: Spyware 2009/BankerFox.A/Win32


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Spyware 2009/BankerFox.A/Win32

Thank you. I will do that later today when I get home from work.

Re: Spyware 2009/BankerFox.A/Win32

When I tried last night to download HijackThis, a Windows alert blocked it.
The message was that this file is potentially harmful and Windows will not allow it to be downloaded.
Is this because of the virus?

Re: Spyware 2009/BankerFox.A/Win32

Hello.
Are you running Vista? Or McAfee/Norton/NOD32 as an AV? AVs can't tell the difference between "good" and "bad", so sometimes they detect them based on how they are coded or what they do.

HijackThis can kill entries of malware to disable it, so AVs detect this as a program killing legit stuff and protect you from harm.

I skipped HijackThis because BankerFox/Nuqel has been known to carry Virut.
DDS will tell me if it's Virut or not.

Virut is unfixable, so if DDS does show Virut, then at least we found it straight away and haven't wasted time.


Re: Spyware 2009/BankerFox.A/Win32

Yes, I am running McAfee as AV. Thanks for the info. I will run your download later today and we'll see what kind of shape I'm in.

Re: Spyware 2009/BankerFox.A/Win32

I can't get the links to download either.
Windows keeps blocking it.
I disabled McAfee internet protection and it still got blocked.
What now?

Re: Spyware 2009/BankerFox.A/Win32

I can get the file to go to my desktop by right clicking the link you gave me and "download linked file" but the file is empty when I try to run.
I obviously don't know what I'm doing?

Re: Spyware 2009/BankerFox.A/Win32

See here for the list of security programs.
http://www.bleepingcomputer.com/forums/index.php?showtopic=114351
Find McAfee and make sure it's disabled.
If not, we'll go with MBAM.


Re: Spyware 2009/BankerFox.A/Win32

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/18/2005 3:46:01 PM
System Uptime: 2/27/2009 9:19:30 AM (0 hours ago)

Motherboard: Dell Inc. | | 0RD203
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 144 GiB total, 101.493 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2/26/2009 3:17:02 AM - System Checkpoint
RP2: 2/27/2009 4:05:59 AM - System Checkpoint

==== Installed Programs ======================

2 Player Chess
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AdwareFilter
AIM 6.0
Alchemist Special Edition
Animals of Africa
AnswerWorks 4.0 Runtime - English
AOL Instant Messenger
AOL Toolbar 2.0
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
Balloon Kaboom
Balloon Pop Special Edition
Banctec Service Agreement
Basketball
Bingo Master Special Edition
Blast Thru Special Edition
Block Rox
Bonjour
Bowling Mania Special Edition
CCScore
Chess Swappers
Chinese Checkers
Collector's Edition 251
Comcast High-Speed Internet Install Wizard
Comcast Rhapsody
Comcast Toolbar
Compaq IJ650 Inkjet Printer
Dart Mania
Deal or No Deal
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Picture Studio v3.0
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Desktop Doctor
Diamond Fall
EducateU
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Family Feud
Gems 3D
Geo Jump
Go-Moku
Google Earth
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB835221
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-03-23
iPod for Windows 2005-09-23
iPod for Windows 2005-11-17
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
kgcbase
KODAK EASYSHARE Gallery Upload ActiveX Control
Kodak EasyShare software
KSU
Macromedia Flash Player
Malwarebytes' Anti-Malware
Mary Kate and Ashley Crush Course
Maze Cube
McAfee SecurityCenter
McAfee Shredder
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Mini Golf Master 2 Special Edition
Modem Event Monitor
Modem Helper
Modem On Hold
Move Networks Media Player for Internet Explorer
MS Access 97 SP2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Musicmatch®️ Jukebox
MyWay Search Assistant
Netflix Movie Viewer
Network Play System (Patching)
Nikon Message Center
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Otto
Perfect Scrapbook Maker Express
PictureProject
Pinball Master Special Edition
PowerDVD 5.5
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Reversi
Rifle Range
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SFR
SFR2
SHASTA
Shockwave
SierraAddressBook 3.0
SierraHome Print Artist 15.0
SKIN0001
SKINXSDK
Snake Arena Special Edition
Sonic Audio module
Sonic DLA
Sonic Encoders
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
staticcr
Superball Challenge Special Edition
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims™️ 2 H&M®️ Fashion Stuff
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Vertical Tic Tac Toe
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VPRINTOL
Walmart MP3 Music Downloads
WebCyberCoach 3.2 Dell
WebFldrs XP
WexTech AnswerWorks
Wild Wheels Special Edition
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WIRELESS
Works Upgrade
Yahoo! Install Manager
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

2/22/2009 2:03:16 PM, error: Service Control Manager [7022] - The Bonjour Service service hung on starting.
2/22/2009 2:02:26 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/22/2009 2:02:26 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
2/22/2009 2:02:26 PM, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/21/2009 10:17:29 AM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/21/2009 10:17:29 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
2/21/2009 10:16:49 AM, error: Service Control Manager [7000] - The COM+ System Application service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2/21/2009 10:16:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ System Application service to connect.
2/21/2009 10:16:22 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service COMSysApp with arguments "" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}

==== End Of File ===========================

Re: Spyware 2009/BankerFox.A/Win32

Hello.
That's attach.txt, I also need to see DDS.txt, so please post that too.
Please leave attach.txt there, because there's a few things that need to be removed from the log.


Re: Spyware 2009/BankerFox.A/Win32

DDS (Ver_09-02-01.01) - NTFSx86
Run by Rachel at 14:27:18.76 on Fri 02/27/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.450 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\X3watch\x3watch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdwareFilter\adwarefilter.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Rachel\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uStart Page = hxxp://comcast.net/
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [CMPDPSRV] c:\windows\system32\spool\drivers\w32x86\3\CMPDPSRV.EXE
mRun: [tgcmd] c:\program files\support.com\bin\tgcmd.exe /server /startmonitor /deaf
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_05\bin\jusched.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adware~1.lnk - c:\program files\adwarefilter\adwarefilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\office2k\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-5 213640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-26 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-5 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-5 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-5 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-5 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-5 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-5 40552]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-28 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-5 34216]

=============== Created Last 30 ================

2009-02-27 10:47 10,240 a------- c:\windows\system32\iehelper.dll
2009-02-26 15:26 --d-h--- c:\windows\PIF
2009-02-21 18:07 16,896 a------- c:\windows\svcho.exe
2009-02-21 18:07 16,896 a------- c:\windows\syssvc.exe
2009-02-21 16:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 16:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 16:34 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 16:34 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-21 14:41 --d----- c:\program files\XPPoliceAntivirus
2009-02-21 14:40 21,446 a------- c:\windows\system32\sf.ico
2009-02-21 14:40 13,942 a------- c:\windows\system32\m3.ico
2009-02-21 14:40 13,942 a------- c:\windows\system32\c.ico
2009-02-21 14:40 11,062 a------- c:\windows\system32\p.ico
2009-02-21 14:40 7,662 a------- c:\windows\system32\m.ico
2009-02-21 14:40 4,286 a------- c:\windows\system32\s.ico
2009-02-21 14:40 364,044 a------- c:\windows\sysguard.exe
2009-02-09 16:20 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-09 16:20 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-02-27 10:51 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-02-25 21:40 29,542 a------- c:\docume~1\rachel\applic~1\wklnhst.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-09 12:03 213,640 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 12:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 12:03 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 12:03 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 12:03 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-02 12:16 193,948 a------- c:\windows\system32\rn.tmp
2008-12-19 03:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 03:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 23:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 23:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-02-27 15:30 87,720 a------- c:\docume~1\rachel\applic~1\GDIPFONTCACHEV1.DAT
2006-02-24 10:38 342,716 a--sh--- c:\windows\system32\aybeg.bak1
2006-03-01 20:36 559,030 a--sh--- c:\windows\system32\aybeg.bak2
2006-03-01 20:52 558,910 a--sh--- c:\windows\system32\aybeg.ini2
2008-08-20 09:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 14:28:34.96 ===============
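
As an added example (not from this thread, and not part of DDS or OTMoveIt), a small Python triage pass over the DDS.txt sections the admin worked from: it parses "Created Last 30" and the BHO lines of the "Pseudo HJT Report" and flags the kinds of entries picked out above, namely fresh executables dropped straight into c:\windows or c:\windows\system32, a BHO registered with an empty name, and a BHO whose DLL is only days old. The excerpt embedded below is copied from the posted log; the section names and line layout are assumed to be as they appear in that log, and the flags are a triage heuristic, not a verdict.

```python
import re
from typing import Dict, List

# Constructed excerpt of the DDS.txt posted above (only the lines this check needs).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll

=============== Created Last 30 ================

2009-02-27 10:47 10,240 a------- c:\windows\system32\iehelper.dll
2009-02-26 15:26 --d-h--- c:\windows\PIF
2009-02-21 18:07 16,896 a------- c:\windows\svcho.exe
2009-02-21 18:07 16,896 a------- c:\windows\syssvc.exe
2009-02-21 16:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-21 14:41 --d----- c:\program files\XPPoliceAntivirus
2009-02-21 14:40 364,044 a------- c:\windows\sysguard.exe

==================== Find3M ====================
"""

# Section banners look like "=== Name ===" (assumed from the posted log layout).
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "date time [size] attrs path"; directories carry no size column.
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+ )?(\S{8}) (.+)$")
BHO_RE = re.compile(r"^BHO: (.*?): \{([0-9a-f-]{36})\} - (.+)$", re.IGNORECASE)

# Directories where a freshly created executable deserves a look. Heuristic only:
# Windows updates also write here, so a hit means "check it", not "malware".
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
EXEC_EXTS = (".exe", ".dll", ".sys", ".scr")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its banner-delimited sections, dropping blank lines."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def parent_dir(path: str) -> str:
    """Parent directory of a Windows path, lower-cased (no os.path so it runs anywhere)."""
    return path.lower().rsplit("\\", 1)[0]


def triage(text: str) -> List[Dict[str, str]]:
    """Return entries worth a second look, in the order they were found."""
    sections = parse_sections(text)
    findings: List[Dict[str, str]] = []

    recent_files = set()
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(1), m.group(2).lower()
        if "d" in attrs:          # a 'd' in the attribute column marks a directory
            continue
        recent_files.add(path)
        if parent_dir(path) in SYSTEM_DIRS and path.endswith(EXEC_EXTS):
            findings.append({"path": path,
                             "reason": "executable created in a Windows system directory within 30 days"})

    for line in sections.get("Pseudo HJT Report", []):
        m = BHO_RE.match(line)
        if not m:
            continue
        name, clsid, dll = m.group(1).strip(), m.group(2), m.group(3).lower()
        if not name:
            findings.append({"path": dll, "clsid": clsid,
                             "reason": "BHO registered with an empty name"})
        if dll in recent_files:
            findings.append({"path": dll, "clsid": clsid,
                             "reason": "BHO loads a DLL created within the last 30 days"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f['reason']}: {f['path']}")
```

Run against the excerpt it reports the same files and the same two BHO CLSIDs that the OTMoveIt script later removes, while leaving the McAfee and Yahoo entries and the MBAM driver alone.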

Re: Spyware 2009/BankerFox.A/Win32

Question: I ran this from another user on our home computer because the pop-ups don't come up when logged in to this username. Do I need to run this from the user that's having all the pop-ups? I guess I figured the infected files would be shared amongst users, so it wouldn't matter which username I logged in under.

Re: Spyware 2009/BankerFox.A/Win32

Hello. So two user accounts are infected? I see one account called "Rachel", what's the other user account called?

The DDS log was taken from Rachel, so run this on the Rachel account.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\program files\XPPoliceAntivirus
    c:\windows\system32\sf.ico
    c:\windows\system32\m3.ico
    c:\windows\system32\c.ico
    c:\windows\system32\p.ico
    c:\windows\system32\m.ico
    c:\windows\system32\s.ico
    c:\windows\sysguard.exe
    c:\windows\svcho.exe
    c:\windows\syssvc.exe
    c:\windows\system32\iehelper.dll
    c:\windows\system32\rn.tmp
    c:\windows\system32\aybeg.bak1
    c:\windows\system32\aybeg.bak2
    c:\windows\system32\aybeg.ini2
    c:\program files\mywaysa

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75}]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: Spyware 2009/BankerFox.A/Win32

The Spyware 2009, XP Police, and all the pop-ups are coming under the user name "Kim".

Re: Spyware 2009/BankerFox.A/Win32

Every time I try to run the links you originally gave me under "Kim", Windows blocks it from running, even with McAfee completely disabled, so I tried under the username "Rachel" and it worked, so that's what I sent you.

Re: Spyware 2009/BankerFox.A/Win32

Ah.
Okay, we'll clean that too, but run the OTMoveIt script on Rachel, because there are signs of malware on that account and the Rachel account doesn't seem to be too bad.

Once the OTMoveIt result is done, log-off Rachel and onto Kim and we'll see what we can do about that.

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
========== FILES ==========
c:\program files\XPPoliceAntivirus\sounds moved successfully.
c:\program files\XPPoliceAntivirus\plugins moved successfully.
c:\program files\XPPoliceAntivirus moved successfully.
c:\windows\system32\sf.ico moved successfully.
c:\windows\system32\m3.ico moved successfully.
c:\windows\system32\c.ico moved successfully.
c:\windows\system32\p.ico moved successfully.
c:\windows\system32\m.ico moved successfully.
c:\windows\system32\s.ico moved successfully.
c:\windows\sysguard.exe moved successfully.
c:\windows\svcho.exe moved successfully.
c:\windows\syssvc.exe moved successfully.
c:\windows\system32\iehelper.dll unregistered successfully.
c:\windows\system32\iehelper.dll moved successfully.
c:\windows\system32\rn.tmp moved successfully.
c:\windows\system32\aybeg.bak1 moved successfully.
c:\windows\system32\aybeg.bak2 moved successfully.
c:\windows\system32\aybeg.ini2 moved successfully.
c:\program files\MyWaySA\SrchAsDe moved successfully.
c:\program files\MyWaySA moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02272009_145610

Re: Spyware 2009/BankerFox.A/Win32
Okay, logon to Kim now and see if this will run.

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. The log will be quite big, so you may need to split it up into several posts.

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
OK..I am logged on as "kim" and did the download. Saved to desktop. Double clicked to run and Windows blocked it. I have McAfee completely disabled.

Re: Spyware 2009/BankerFox.A/Win32
Hello.
Completely uninstall McAfee, because it's so annoying when it interferes, because it blocks soooo many tools.

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
There were no pop-ups or spyware 2009 garbage this time when I logged in under "kim" after running that clean-up on user "rachel"..fyi.

Re: Spyware 2009/BankerFox.A/Win32
How come McAfee interferes with one user and not another on the same computer?

Re: Spyware 2009/BankerFox.A/Win32
Dunno.
Go to Start > Control Panel > Add/Remove Programs and remove any McAfee products.

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
OK..you want me to go to Add/Remove Programs and get rid of McAfee?

Re: Spyware 2009/BankerFox.A/Win32
Sorry..I was asking this same question as you were telling me.

Re: Spyware 2009/BankerFox.A/Win32
Haha.
Once McAfee is uninstalled, see if DDS will run.

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
New problem. I now cannot even log in. I'm on my son's laptop now. No user will log in now...it just sits saying 'loading personal settings'. Now what?

Re: Spyware 2009/BankerFox.A/Win32
Looking on Google for an answer.
Was the OS Windows XP/2000 server?

Site Admin / Security Administrator

Re: Spyware 2009/BankerFox.A/Win32
Sorry. I don't know what you're asking me.

Re: Spyware 2009/BankerFox.A/Win32
I turned the computer off and tried to reboot again...now all I get is a black screen..can't even get to the Windows starting up and user names. Am I totally screwed now?

Re: Spyware 2009/BankerFox.A/Win32
OS = Operating system.
The system that is running.

The preference window is usually only on XP/2000/2003 server.

About this infection, if it was or is Virut, it could have caused this.

The new variant of Virut I see a lot edits the userinit value to add its own file; if McAfee changed anything in userinit while uninstalling, it could explain the situation.

See here:
http://forums.spybot.info/blog.php?b=14

Look at method 1. If you can get the machine to get to the "loading personal preferences" window again, you may be able to edit the machine's registry from your son's laptop.
All info for this is in method 1.

Site Admin / Security Administrator
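The Userinit tampering described in the post above can be checked without opening regedit. The following is an added example, not code from this thread or from the linked Spybot method; it assumes a default XP layout where the only legitimate Userinit entry is C:\WINDOWS\system32\userinit.exe, and the sample values below are constructed. Reading the live key works only on Windows; the remote read uses the Remote Registry service on the affected PC, as the linked method does from a second machine.

```python
"""Audit the Winlogon Userinit value that Virut-style infections tamper with."""
import sys

# Assumption: default XP install, %SystemRoot% = C:\WINDOWS.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_userinit(value):
    """Split the comma-separated Userinit string into its non-empty entries."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value, expected=EXPECTED_USERINIT):
    """Return (ok, unexpected_entries).

    A clean value holds exactly one entry, the real userinit.exe (a trailing
    comma is normal). An appended second executable, or a value where the
    real userinit.exe is missing entirely (login loops back to the welcome
    screen), is reported as not ok.
    """
    entries = [e.strip('"') for e in parse_userinit(value)]
    unexpected = [e for e in entries if e.lower() != expected.lower()]
    has_real = any(e.lower() == expected.lower() for e in entries)
    return (has_real and not unexpected), unexpected


def read_userinit(computer=None):
    """Read Userinit from the live registry (Windows only). `computer` is a
    UNC-style name such as r"\\SICKPC" (hypothetical) for a remote read."""
    import winreg  # only available on Windows
    hive = winreg.HKEY_LOCAL_MACHINE
    if computer:
        hive = winreg.ConnectRegistry(computer, winreg.HKEY_LOCAL_MACHINE)
    with winreg.OpenKey(hive, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed samples: clean, an appended loader, and userinit.exe removed.
    samples = {
        "clean": r"C:\WINDOWS\system32\userinit.exe,",
        "tampered": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\EXAMPLE_LOADER.exe",
        "missing": r"C:\WINDOWS\EXAMPLE_LOADER.exe",
    }
    if sys.platform == "win32":
        samples["live"] = read_userinit(sys.argv[1] if len(sys.argv) > 1 else None)
    for name, value in samples.items():
        ok, extra = audit_userinit(value)
        print(f"{name:9} {'OK' if ok else 'SUSPECT'} {value!r} extra={extra}")
```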
