EXTREME Overclocking Forums
Old 09-01-2009, 03:31 PM   #1
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
windows detecting spyware being annoying :S

Well, this problem just happened today for no reason. This message keeps showing up when I start Windows all the time; it's a red cross saying all the time "windows has detecting spyware blablabla". I'm trying to remove this thing but it seems that AVG doesn't remove it completely, so any advice to remove this annoying message?

Another thing: when this thing appears, my homepage on Mozilla is now ask.com :S. How can I get Google back as my homepage?
Venezuela  Offline
Old 09-01-2009, 03:33 PM   #2
BigE4u
Dr Evil Santa
Senior Member
 
Posts: 4,154
Last Seen: Today
Age: 40
From: Texas
iTrader: 47 / 100%
You gots hijacked by spyware, use Malwarebytes... http://www.malwarebytes.org/mbam.php
United States  Online
Old 09-01-2009, 04:24 PM   #3
sandeepb
Mad Warranty Voider
Senior Member
 
Posts: 1,394
Last Seen: Today
Age: 19
From: London, UK
iTrader: 0 / 0%
It'll help to know what file it is trying to remove; we may be able to help.
United Kingdom  Offline
Old 09-01-2009, 06:37 PM   #4
MrObvious
I has a Vostro!
Senior Member
 
Posts: 11,355
Last Seen: 09-23-2009
Age: 23
From: Hutchinson KS
iTrader: 4 / 100%
This is the wrong section. Post a HJT log (see the sticky in the virus section) and a MalwareBytes log.
United States  Offline
Old 09-01-2009, 06:44 PM   #5
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
Quote:
Originally Posted by BigE4u View Post
You gots hijacked by spyware, use Malwarebytes... http://www.malwarebytes.org/mbam.php

thanks, gonna try that if it works.. because that pop-up message is annoying :S

ok, I tested and these are the scan results

Malwarebytes' Anti-Malware 1.40
Versión de la Base de Datos: 2728
Windows 5.1.2600 Service Pack 2

01/09/2009 07:39:10 p.m.
mbam-log-2009-09-01 (19-39-10).txt

Tipo de examen : Examen Rápido
Objetos examinados: 97587
Tiempo transcurrido: 3 minute(s), 14 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 5
Elementos de Datos del Registro Infectados: 6
Carpetas Infectadas: 0
Ficheros Infectados: 10

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
D:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Not selected for removal.
D:\Documents and Settings\Jonathan\Datos de programa\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\oashdihasidhasuidhiasdhiashdiuas dhasd (Malware.Trace) -> Quarantined and deleted successfully.



Well, it didn't work, the message is still there... and for some reason, when I scan with the malware program, the installation of some PCspyware program starts :S. I'm losing my mind with this thing.

Last edited by AlbertWesker : 09-01-2009 at 07:24 PM.
Venezuela  Offline
Old 09-01-2009, 08:48 PM   #6
henrythe9th
Learning To Overclock
Regular Member
 
Posts: 90
Last Seen: Yesterday
Age: 43
From: Central Oregon
iTrader: 3 / 100%
Hello, you need to remove the selected items at the bottom,
this:
Ficheros Infectados:
D:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Not selected for removal.
D:\Documents and Settings\Jonathan\Datos de programa\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\Configuración local\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Jonathan\oashdihasidhasuidhiasdhiashdiuas dhasd (Malware.Trace) -> Quarantined and deleted successfully.

Check them and hit remove, then reboot and run it again.
United States  Offline
Old 09-01-2009, 11:33 PM   #7
MrObvious
I has a Vostro!
Senior Member
 
Posts: 11,355
Last Seen: 09-23-2009
Age: 23
From: Hutchinson KS
iTrader: 4 / 100%
Can you also do a full scan and not just a quick one?
United States  Offline
Old 09-01-2009, 11:58 PM   #8
crunchie
Mad Warranty Voider
Senior Member
 
Posts: 1,156
Last Seen: Today
Age: 52
From: Mandurah. Aussie
iTrader: 0 / 0%
After doing a full scan and removing what is found, do the following;

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
Australia  Offline
Old 09-02-2009, 08:32 AM   #9
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
It seems that the red X is gone, but when I start Windows it appears and then disappears, like it's still there but I blocked it XD. This is the result from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:08 a.m., on 02/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Microsoft IntelliType Pro\itype.exe
D:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe
D:\WINDOWS\system32\Rundll32.exe
D:\WINDOWS\RTHDCPL.EXE
D:\ARCHIV~1\AVG\AVG8\avgtray.exe
D:\Archivos de programa\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\sys32_nov.exe
D:\Archivos de programa\Messenger\msmsgs.exe
D:\Documents and Settings\Jonathan\sys32_nov.exe
D:\Documents and Settings\Jonathan\sys32_nov.exe
D:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
D:\Archivos de programa\Java\jre6\bin\jqs.exe
D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\PnkBstrB.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\ARCHIV~1\AVG\AVG8\avgemc.exe
D:\ARCHIV~1\AVG\AVG8\avgam.exe
D:\ARCHIV~1\AVG\AVG8\avgrsx.exe
D:\ARCHIV~1\AVG\AVG8\avgnsx.exe
D:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
D:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
D:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Archivos de programa\Mozilla Firefox\firefox.exe
D:\Archivos de programa\AVG\AVG8\avgupd.exe
D:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
D:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Archivos de programa\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Archivos de programa\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\Archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Archivos de programa\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [itype] "D:\Archivos de programa\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "D:\Archivos de programa\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] D:\Archivos de programa\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Archivos de programa\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [sys32_nov] D:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] D:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "D:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "D:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sys32_nov] D:\Documents and Settings\Jonathan\sys32_nov.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-21-1993962763-1292428093-725345543-500\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Administrador')
O4 - HKUS\S-1-5-21-1993962763-1292428093-725345543-500\..\RunOnce: [NeroHomeFirstStart] D:\Archivos de programa\Archivos comunes\Ahead\Lib\NMFirstStart.exe (User 'Administrador')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Archivos de programa\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://D:\Archivos de programa\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?e3458c0451214e889a40812a87a772c6
O8 - Extra context menu item: Open in new foreground tab - res://D:\Archivos de programa\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?e3458c0451214e889a40812a87a772c6
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARCHIV~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Archivos de programa\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\ARCHIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe

--
End of file - 8615 bytes
Venezuela  Offline
Old 09-02-2009, 09:10 AM   #10
BigE4u
Dr Evil Santa
Senior Member
 
Posts: 4,154
Last Seen: Today
Age: 40
From: Texas
iTrader: 47 / 100%
You're still using Internet Explorer 6 and haven't upgraded to Internet Explorer 8?
United States  Online
Old 09-02-2009, 09:52 AM   #11
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
Quote:
Originally Posted by BigE4u View Post
You're still using Internet Explorer 6 and haven't upgraded to Internet Explorer 8?

No, I don't use Internet Explorer, I use Mozilla all the time. I didn't upgrade Internet Explorer because I don't use it XD
Venezuela  Offline
Old 09-02-2009, 03:28 PM   #12
crunchie
Mad Warranty Voider
Senior Member
 
Posts: 1,156
Last Seen: Today
Age: 52
From: Mandurah. Aussie
iTrader: 0 / 0%
Can you please do the following.

===============

You will have to disable Spybot's Teatimer before we begin, as it will interfere with the fix. To do this can you start Spybot and go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
Download ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable TeaTimer when we are done.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.


===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

D:\WINDOWS\system32\sys32_nov.exe
D:\Documents and Settings\Jonathan\sys32_nov.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Archivos de programa\Ask.com\GenericAskToolbar.dll (file missing)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [sys32_nov] D:\WINDOWS\system32\sys32_nov.exe
O4 - HKCU\..\Run: [sys32_nov] D:\Documents and Settings\Jonathan\sys32_nov.exe

O20 - AppInit_DLLs: cru629.dat


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

D:\WINDOWS\system32\sys32_nov.exe
D:\Documents and Settings\Jonathan\sys32_nov.exe

Search for...

ALCMTR.EXE

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.
Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Australia  Offline
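
Added example, not part of the thread: a small Python triage pass over HijackThis log lines that surfaces the kinds of entries crunchie asks to be fixed in the post above. The sample lines are copied from the log in post #9; the rule set, the function names and `PRIOR_DETECTIONS` (value names taken from the Malwarebytes log in post #5) are assumptions for illustration, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Excerpt copied from the HijackThis log in post #9 of this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Archivos de programa\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] D:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sys32_nov] D:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [Regedit32] D:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sys32_nov] D:\Documents and Settings\Jonathan\sys32_nov.exe
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption: Run value names Malwarebytes flagged in post #5 (braviax, Regedit32).
PRIOR_DETECTIONS = {"braviax", "regedit32"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\.*?\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Executable sitting directly in a user's profile root (XP-style path).
PROFILE_ROOT_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I
)


def parse(log_text):
    """Split a HijackThis log into (section code, body) pairs."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def exe_path(cmd):
    """Return the image path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|bat|com|scr))\b", cmd, re.I)
    return m.group(1) if m else cmd


def triage(log_text, prior_detections=PRIOR_DETECTIONS):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    run_paths = defaultdict(set)  # Run value name -> distinct image paths
    for code, body in parse(log_text):
        if code == "R3" and body.endswith("(no file)"):
            findings.append((code, "search hook with no backing file", body))
        elif code in ("O2", "O3", "O23") and body.endswith("(file missing)"):
            findings.append((code, "registered component, file missing", body))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # loaded into every process that loads user32.dll
                findings.append((code, "AppInit_DLLs is populated", value))
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Startup-folder shortcuts are not handled here
            name, path = m["name"].lower(), exe_path(m["cmd"])
            run_paths[name].add(path.lower())
            if name in prior_detections:
                findings.append((code, "name matches earlier detection", body))
            elif PROFILE_ROOT_RE.match(path):
                findings.append((code, "autorun from profile root", body))
    # The same value name registered under several hives with different
    # targets, as sys32_nov is in this log, deserves a second look.
    for name, paths in run_paths.items():
        if len(paths) > 1:
            findings.append(("O4", "one Run name, several target files", name))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason}: {detail}")
```

The rules only rank entries for a human reviewer; an entry such as `[Alcmtr]`, which the helper also listed, is not caught by them.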
Old 09-02-2009, 03:56 PM   #13
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
This is the file that AVG can't remove:

"D:\WINDOWS\system32\braviax.exe";"Hidden application";"Object is hidden"

Gonna try that, crunchie, but I have a problem right now: Spybot and HijackThis don't want to run too. I'm trying to uninstall but I can't; I hit uninstall and it doesn't uninstall the program.. don't know why this thing is happening.

Is there any chance to do that without Spybot? Maybe with another antispyware?

Last edited by AlbertWesker : 09-02-2009 at 06:57 PM.
Venezuela  Offline
Old 09-02-2009, 08:31 PM   #14
crunchie
Mad Warranty Voider
Senior Member
 
Posts: 1,156
Last Seen: Today
Age: 52
From: Mandurah. Aussie
iTrader: 0 / 0%
Please right click on hijackthis.exe and select Rename. Change the name to analysethis and hit the Enter key.
See if you can get it to run now.
Spybot needs to be disabled whilst 'fixing' with hijackthis. You should be able to do it within the program.
Australia  Offline
Old 09-03-2009, 12:43 AM   #15
MrObvious
I has a Vostro!
Senior Member
 
Posts: 11,355
Last Seen: 09-23-2009
Age: 23
From: Hutchinson KS
iTrader: 4 / 100%
I would recommend upgrading to IE8 and just using it only when you use Windows Updates.
United States  Offline
Old 09-03-2009, 08:00 AM   #16
AlbertWesker
Medium Overclocker
Senior Member
 
Posts: 234
Last Seen: 11-16-2009
Age: 22
From: maracay
iTrader: 0 / 0%
I managed to remove the annoying message about the virus thanks to the Dr.Web CureIt antispyware program and Malwarebytes (in safe mode), then I did another scan and restart and now the thing is gone, along with other viruses that I had in my PC XD,

thanks for the help people, much appreciated
Venezuela  Offline
Old 09-03-2009, 03:42 PM   #17
crunchie
Mad Warranty Voider
Senior Member
 
Posts: 1,156
Last Seen: Today
Age: 52
From: Mandurah. Aussie
iTrader: 0 / 0%
Hopefully it removed everything I saw in your hijackthis log. If I were you, I would still have posted a new hijackthis log.
Australia  Offline
Old 09-20-2009, 12:08 PM   #18
byounger
Running System Stock
Forum Newbie
 
Posts: 1
Last Seen: 09-20-2009
Hey guys, I am having the same problem. I followed all directions and here is what was in my notepad, please help. Also email me black88965@yahoo.com

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:54 PM, on 9/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Brian Younger\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit .exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Policies\Explorer\Run: [{D801A1B3-0512-1033-1109-040308200001}] "C:\Program Files\Common Files\{D801A1B3-0512-1033-1109-040308200001}\Update.exe" mc-110-12-0000137
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O18 - Protocol: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - C:\Program Files\NavNetApp\ComUtilities.dll
O18 - Filter hijack: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - (no file)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\en0ul1d91.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\kygedar.html
O24 - Desktop Component 1: (no name) - C:\Program Files\MSN Gaming Zone\hodybupup.html

--
End of file - 7408 bytes
United States  Offline
Old 09-20-2009, 03:33 PM   #19
crunchie
Mad Warranty Voider
Senior Member
 
Posts: 1,156
Last Seen: Today
Age: 52
From: Mandurah. Aussie
iTrader: 0 / 0%
Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new HJT log.
Australia  Offline