Author Topic: desktop/homepage hijacker + more - please help  (Read 1813 times)

Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« on: April 30, 2005, 06:49:37 PM »
I have run SPYBOT, CWSHREDDER, and now HIJACK THIS. I get rid of most malware, but can't seem to get 100% removal. Please help.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:37:46 PM, on 4/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\mocih.exe
C:\WINNT\System32\dev32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\combo.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winnt\nvsvwc.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\sprmover.exe
C:\WINNT\System32\connmie.exe
C:\WINNT\System32\truettf.exe
C:\WINNT\System32\dxconf.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O2 - BHO: Name - {5E26824E-3685-4B70-A914-7F2410B77C0B} - C:\WINNT\System32\msnxa.dll
O2 - BHO: (no name) - {D7F3D96A-26C7-4658-88C3-A72E18719246} - C:\WINNT\openwin.dll
O2 - BHO: Name - {E954B5DC-0CE3-4343-B1B6-FB1B069C5851} - C:\WINNT\System32\msnxa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [winltmpv] c:\winnt\nvsvwc.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114014142184
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE21173B-4981-4B8C-8B5C-2CE08D1D15A5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O18 - Filter: text/plain - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\System32\dev32.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #1 on: April 30, 2005, 07:54:06 PM »
You have a couple of different infections. I need you to download a couple of tools,
please

==Download and save Remv3.zip
[attachment=189:attachment]
UNZIP the contents to the desktop>>A new Remv3 folder will be placed on the desktop
We'll need this later

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

==Download and save to Desktop
SpSeHjfix112.zip
From that link
Unzip the contents, so you now have SpSeHjfix112.zip on your desktop

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In safe mode

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Trace network connections

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Find and delete these files if found
Do the same for this service too
Provides three management service

Using Windows Explorer, find and delete these files if found:
C:\WINNT\System32\msnxa.dll <-file
C:\WINNT\System32\iecustom32.dll <-file
C:\WINNT\System32\mocih.exe <-file
C:\WINNT\System32\dev32.exe <-file
C:\WINNT\openwin.dll <-file
c:\winnt\nvsvwc.exe <-file
Navigate to this file and right click on it and rename it
C:\WINNT\System32\combo.exe <-this file
Rename it to combo.ex_

Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
In the new empty box type in or copy and paste the following in bold and hit OK
ACCRA
Do the same for this one
FreeBSD

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Do another scan with Hijackthis and put a check next to these entries:
Not all may be seen in safe mode, but take a look

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O2 - BHO: Name - {5E26824E-3685-4B70-A914-7F2410B77C0B} - C:\WINNT\System32\msnxa.dll
O2 - BHO: (no name) - {D7F3D96A-26C7-4658-88C3-A72E18719246} - C:\WINNT\openwin.dll
O2 - BHO: Name - {E954B5DC-0CE3-4343-B1B6-FB1B069C5851} - C:\WINNT\System32\msnxa.dll

O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll

O4 - HKLM\..\Run: [combo.exe] combo.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKCU\..\Run: [winltmpv] c:\winnt\nvsvwc.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://*.63.219.181.7

O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE21173B-4981-4B8C-8B5C-2CE08D1D15A5}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O18 - Filter: text/plain - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: Provides three management service (FreeBSD) - Unknown owner - C:\WINNT\System32\dev32.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open the Remv3 folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, save the log, we'll need this later
By default it is saved to C:\Log.txt

==Run SpSeHjfix112.zip.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows>>The tool would have created a log; could you copy and paste that log to a location such as My Documents, just so we don't overwrite it when we run the tool again

Run
SpSeHjfix109.exe again

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Go to START>>RUN>>type in cmd
Hit OK
At the prompt type in
ipconfig /flushdns
Hit Enter
type
exit
Enter

Post back the logs from SpSeHjfix and a new Hijackthis log
Also post the log from Remv3.bat
C:\Log.txt

Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
C:\WINNT\System32\combo.ex_<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results

NOTE: If you have trouble connecting to the Internet afterwards
This is important
With all browser windows closed
Access your Control Panel
If you're in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
If you don't need to enter a DNS server address with your ISP
Be sure "Obtain DNS server address automatically" is selected. OK your way out.
Restart your computer again
« Last Edit: April 30, 2005, 08:07:58 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
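Added example, not from anyone in this thread: a Python script that reads HijackThis 1.99-style lines like the ones posted above and flags the same indicator classes the reply works through (IE search pages served from a res:// DLL in Temp or forced to about:blank, browser extensions loading from the Windows directory, bare-filename autostarts, IP-based Trusted Zone entries, hard-coded O17 NameServer entries, O18 MIME filters, owner-less O23 services in the Windows directory). The sample lines are a constructed excerpt of the first log with a few clean lines left in, and the allow-lists (msdxm.ocx, nwiz.exe, mobsync.exe, rundll32.exe, the yahoo/google/msn start-page hosts) are assumptions for this example, not a vetted database.

```python
"""Added triage helper for HijackThis 1.99-style logs (not part of this thread).
Flags the entry classes a helper reviews first; allow-lists below are assumed."""
import re
import ipaddress

# Constructed excerpt modelled on the first log in the thread, with a few
# clean lines kept so the rules can be seen to skip them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {53B6BC76-7DF8-4B44-ABCF-773DB7994ADF} - C:\WINNT\System32\msnxa.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINNT\System32\iecustom32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B23A1B2-93B6-4D26-8A8D-5A920143ADD5}: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {65FA9B6D-F028-4A58-9977-8321DA8D1F3A} - C:\WINNT\openwin.dll
O23 - Service: Trace network connections (ACCRA) - Unknown owner - C:\WINNT\System32\mocih.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

WINDIR = re.compile(r"^c:\\win(nt|dows)\\", re.I)
TEMP = re.compile(r"\\temp\\", re.I)
GUID_PATH = re.compile(r"\{[0-9A-Fa-f-]+\} - (.*)$")
# Assumed allow-lists for this example only; real triage uses a vetted database.
KNOWN_WINDIR_MODULES = {"msdxm.ocx"}            # IE "&Radio" toolbar (Windows Media)
KNOWN_BARE_RUN_CMDS = {"nwiz.exe", "mobsync.exe", "rundll32.exe"}
TRUSTED_PAGE_HOSTS = {"www.yahoo.com", "www.google.com", "www.msn.com"}


def triage_line(line):
    """Return a reason string if the entry deserves review, else None."""
    m = re.match(r"^(R[01]|O\d+) - (.*)$", line)
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if TEMP.search(value):
            return "IE page served from a res:// DLL in Temp"
        if value == "about:blank" and not key.endswith("Start Page"):
            return "search/default page forced to about:blank (CWS-style hijack)"
        host = re.match(r"https?://([^/]+)", value)
        if host and host.group(1).lower() not in TRUSTED_PAGE_HOSTS:
            return "IE page points at unrecognised host " + host.group(1)
    elif kind in ("O2", "O3"):
        path = GUID_PATH.search(body)
        if path and WINDIR.match(path.group(1)) and \
                path.group(1).rsplit("\\", 1)[-1].lower() not in KNOWN_WINDIR_MODULES:
            return "browser extension loading from the Windows directory"
    elif kind == "O4":
        cmd = re.sub(r"^\[[^\]]*\]\s*", "", body.split(": ", 1)[-1])
        if TEMP.search(cmd):
            return "autostart runs code from Temp"
        exe = cmd.split()[0].strip('"').lower() if cmd.split() else ""
        if exe.endswith(".exe") and "\\" not in exe and exe not in KNOWN_BARE_RUN_CMDS:
            return "autostart by bare filename (resolved via PATH, origin unknown)"
    elif kind == "O15":
        if "*" in body or re.search(r"\d+\.\d+\.\d+\.\d+", body):
            return "Trusted Zone entry by IP address or wildcard"
    elif kind == "O17":
        servers = [s.strip() for s in body.split("NameServer = ", 1)[-1].split(",")]
        public = [s for s in servers if ipaddress.ip_address(s).is_global]
        if public:
            return "hard-coded DNS servers %s (verify against the ISP)" % ", ".join(public)
    elif kind == "O18":
        if re.search(r"Filter: text/(html|plain)", body):
            return "MIME filter on text/html or text/plain (page content can be rewritten)"
    elif kind == "O23":
        if "Unknown owner" in body and WINDIR.match(body.rsplit(" - ", 1)[-1]):
            return "service with no vendor information running from the Windows directory"
    return None


def triage(log_text):
    """Return [(kind, reason, line)] for every flagged entry in the log."""
    hits = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line))
    return hits


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (kind, reason, line))
```

The O17 rule only reports that DNS servers are hard-coded and publicly routable; whether 69.50.184.84 and 195.225.176.37 belong to the ISP is exactly the question the TCP/IP-properties step at the end of the reply answers, so treat the output as a review list, not a verdict.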


Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #2 on: May 01, 2005, 11:06:00 AM »
First off, thanks for the quick and thorough reply.  

I had a few issues with the recovery procedure..  

"Trace Network Connections" was stopped, yet I could not delete ACCRA and FreeBSD - said program was in use."  I checked them off in Hijackthis and deleted, then repeated the "Delete an NT Service" instructions.  Seemed to work.

When I ran SpSeHjfix109 the first time, it immediately restarted my computer (as it should). After startup, I went to run SpSeHjfix109 again (as instructed) and it appeared to lock up. My cursor would occasionally turn to an hourglass, so I thought it was working. After 5 minutes of this, I walked away and let it run. An hour or so later it was still doing the same thing. Aborted and rebooted to find my desktop still hijacked with a black screen: "WARNING..."

I decided to call it quits for the evening...  I will try the whole procedure again tonight after work....  Can you think of anything I may be doing wrong?

Thanks again,

Paul

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #3 on: May 01, 2005, 12:36:41 PM »
Quote
I decided to call it quits for the evening... I will try the whole procedure again tonight after work.... Can you think of anything I may be doing wrong?

Can you make sure you're running SpSeHjfix112
I know I said run SpSeHjfix109 again, but ensure you have version 112

Remember to be in safe mode when trying the fixes
Make sure you stop and disable the services
Trace network connections
Provides three management service

I will have to see some logs afterwards to be of more assistance
Please go back and read everything I posted, I'm quite sure you missed some important steps
You must do everything I posted, not just bits and pieces

E.g. I know you haven't downloaded Remv3.zip and unzipped it yet

So, I guess, basically, go back and do everything I asked :)
« Last Edit: May 01, 2005, 01:26:46 PM by guestolo »



Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #4 on: May 01, 2005, 05:48:23 PM »
Hi Guestolo,

Thanks again for the quick reply...

Quote
Eg... I know you haven't download Remv3.zip and unzipped it yet

I actually did download and unzip the file... I don't know if I was in a view mode or what, but there was no hotlink to Remv3.zip when I originally looked (of course, it's plain as day now).  I did a search and found it attached to another post of yours...

Believe me, I followed your instructions to a "T" until running into the couple of snags mentioned in my previous post.  

I'll make sure I'm running SpSeHjfix112 on my next attempt...

Can't do anything till I get off from work!!! <_<

I'll post my results tonight or early tomorrow A.M.  

Thanks again for all the help..

Paul

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #5 on: May 01, 2005, 07:11:21 PM »
Ok great, just let me see all the logs afterwards
Could you delete your copy of Remv3 and download the one I have uploaded for you
You may have an old version that may not find all bad files



Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #6 on: May 02, 2005, 12:41:07 AM »
Hello Guestolo,

I read your last post after performing the whole procedure.  I'm sure the version of REMV3 is the same.. I went ahead and downloaded the one from this thread and installed it - after the fact.  All the files were replaced with ones of equal size.  The reason I could not download it the 1st time was because I was not in the "full version" of the forum.. I guess attachments don't show up unless you're in the "full version".

Enough on that. This time everything went fairly smoothly. A lot of the files in HijackThis were gone from yesterday's cleanup attempt. I seem to have regained control of my Internet Explorer (no pop-ups, no redirects, homepage is once again Yahoo, etc.). But my desktop is still hijacked. A nasty black "Warning!! You're in danger!" message still appears. I right-clicked on the desktop, went to Properties and the address URL was //c:\\WINNT\\WEB\desktop.html. I proceeded to delete this file and refresh the desktop, and now I have a plain white desktop (with the same URL address). I do not get the usual desktop configuration window when right-clicking and going to Properties (i.e. Wallpaper, Screensaver, etc.). However, I do see my original desktop picture for a short while when booting up. Don't know if this info helps out or not.

Maybe the following logs will:

_____________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 10:28:22 PM, on 5/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

_________________________________________

C:\log.txt states:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
 Volume in drive C has no label.
 Volume Serial Number is 9873-4FF9

 Directory of C:\WINNT\system32

04/30/2005  06:14 PM            19,456 hdzjv.dll
               1 File(s)         19,456 bytes
               0 Dir(s)  110,273,032,192 bytes free
msi.dll
Finished

_______________________________________________________
SpSeHjfix.txt states:



(4/30/05 7:57:07 PM) SPSeHjFix started v1.1.2
(4/30/05 7:57:07 PM) OS: WinXP  (5.1.2600)
(4/30/05 7:57:07 PM) Language: english
(4/30/05 7:57:07 PM) Win-Path: C:\WINNT
(4/30/05 7:57:07 PM) System-Path: C:\WINNT\System32
(4/30/05 7:57:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:57:17 PM) Disinfection started
(4/30/05 7:57:17 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:57:17 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:57:17 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\openwin.dll
(4/30/05 7:57:17 PM) Searchassistant Uninstaller - Keys Deleted
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:57:17 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(4/30/05 7:57:17 PM) Stealth-String not found
(4/30/05 7:57:17 PM) File added to delete: c:\winnt\openwin.dll
(4/30/05 7:57:17 PM) Reboot


(4/30/05 7:59:01 PM) SPSeHjFix started v1.1.2
(4/30/05 7:59:01 PM) OS: WinXP  (5.1.2600)
(4/30/05 7:59:01 PM) Language: english
(4/30/05 7:59:01 PM) Win-Path: C:\WINNT
(4/30/05 7:59:01 PM) System-Path: C:\WINNT\System32
(4/30/05 7:59:01 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(4/30/05 7:59:43 PM) Disinfection started
(4/30/05 7:59:43 PM) Bad-Dll(IEP): (not found)
(4/30/05 7:59:43 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) UBF: 5 - UBB: 0 - UBR: 12
(4/30/05 7:59:43 PM) Bad IE-pages: (none)
(4/30/05 7:59:43 PM) Stealth-String not found
(4/30/05 7:59:43 PM) Not infected->END


(5/1/05 9:37:07 PM) SPSeHjFix started v1.1.2
(5/1/05 9:37:07 PM) OS: WinXP  (5.1.2600)
(5/1/05 9:37:07 PM) Language: english
(5/1/05 9:37:07 PM) Win-Path: C:\WINNT
(5/1/05 9:37:07 PM) System-Path: C:\WINNT\System32
(5/1/05 9:37:07 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:37:08 PM) Disinfection started
(5/1/05 9:37:08 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:37:08 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:37:08 PM) Bad IE-pages: (none)
(5/1/05 9:37:08 PM) Stealth-String not found
(5/1/05 9:37:08 PM) Not infected->END


(5/1/05 9:44:24 PM) SPSeHjFix started v1.1.2
(5/1/05 9:44:24 PM) OS: WinXP  (5.1.2600)
(5/1/05 9:44:24 PM) Language: english
(5/1/05 9:44:24 PM) Win-Path: C:\WINNT
(5/1/05 9:44:24 PM) System-Path: C:\WINNT\System32
(5/1/05 9:44:24 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/1/05 9:44:34 PM) Disinfection started
(5/1/05 9:44:34 PM) Bad-Dll(IEP): (not found)
(5/1/05 9:44:34 PM) Bad-Dll(IEP) in BHO: (not found)
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) UBF: 5 - UBB: 0 - UBR: 11
(5/1/05 9:44:34 PM) Bad IE-pages: (none)
(5/1/05 9:44:34 PM) Stealth-String not found
(5/1/05 9:44:34 PM) Not infected->END
________________________________________________________________

I think I'm close... Any  ideas on the desktop?

Muchos Gracias,

Paul

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #7 on: May 02, 2005, 01:14:04 AM »
Looking better, still some cleanup
I'll post some fixes tomorrow Red
I'm just on my way to bed
So it won't be till I get off work

In the meantime, can you do the following for me please
Download and UNZIP to a folder findall.zip
So you now have Get.bat and Get2.bat in the same folder

Double click on Get.bat and Get2.bat, they will both produce logs
Can you open the text files produced and post them back here
Export.txt and Export2.txt

Also, go ahead and delete this file
C:\WINNT\system32\hdzjv.dll <-file

Also, can you look for any of these files and let me know if they exist
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

And these folders
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

If you have Security IGuard
Virtual Maid
Search Maid
in your Add/Remove programs go ahead and Remove them
« Last Edit: May 02, 2005, 01:22:40 AM by guestolo »



Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #8 on: May 02, 2005, 08:09:44 AM »
I'm trapped at work for the next 12 hours..  Will try your last set of instructions when I get home.

Thanks again,

Paul

Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #9 on: May 02, 2005, 10:30:38 PM »
I deleted C:\WINNT\system32\hdzjv.dll <-file  and did not have any of the other mentioned files/folders/programs.

The export and export2 files follow:
_________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"LoadedBefore"="1"
"ThemeActive"="1"
"LastUserLangID"="1033"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00
"ColorName"="NormalColor"
"SizeName"="NormalSize"
_____________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

__________________________________________________________
Thanks,

Paul
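Added example, not part of the thread: a Python parser for Regedit 5.00 exports such as Export.txt and Export2.txt above. It decodes the hex(2) REG_EXPAND_SZ value (the DllName bytes above spell out the Luna theme path), expands the NoDriveTypeAutoRun bitmask (0x91 is the Windows XP default: unknown, network and reserved drive types), and lists Explorer/Active Desktop lockdown policies that a desktop hijacker commonly plants and that these two exports do not contain. The sample text is a constructed excerpt of the two exports; the policy value names are well-known Windows policy settings, while the checker itself is written for this example and is not one of the tools used in the thread.

```python
"""Added example (not from this thread): parse a Regedit 5.00 export, decode
hex(2) REG_EXPAND_SZ data, explain NoDriveTypeAutoRun, list lockdown policies."""
import re

# Constructed excerpt modelled on the Export.txt / Export2.txt posted above.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
  00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
  6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
  00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

# Bit values of the GetDriveType() constants that NoDriveTypeAutoRun is indexed by.
DRIVE_TYPE_BITS = {0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR",
                   0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE",
                   0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK", 0x80: "(reserved)"}

# Well-known Explorer / Active Desktop lockdown policies (key suffix -> value names).
LOCKDOWN_POLICIES = {
    r"Policies\Explorer": {"NoActiveDesktopChanges", "NoSetActiveDesktop"},
    r"Policies\ActiveDesktop": {"NoChangingWallPaper"},
    r"Policies\System": {"NoDispBackgroundPage", "NoDispCPL"},
}


def decode_value(data):
    """Decode the right-hand side of a .reg line into (type, value)."""
    if data.startswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if m:
        typ, payload = m.groups()
        raw = bytes(int(b, 16) for b in payload.split(",") if b)
        if typ == "2":      # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
        if typ == "7":      # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
            return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return "REG_BINARY", raw
    return "UNKNOWN", data


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {name: (type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join hex continuation lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = decode_value(data)
    return keys


def autorun_disabled_for(mask):
    """Drive types for which NoDriveTypeAutoRun disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def lockdown_policies(keys):
    """Return (key, name, value) for every lockdown policy that is set non-zero."""
    found = []
    for key, values in keys.items():
        for suffix, names in LOCKDOWN_POLICIES.items():
            if key.endswith(suffix):
                for name in sorted(names & set(values)):
                    if values[name][1]:
                        found.append((key, name, values[name][1]))
    return found


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for key, values in reg.items():
        print("[%s]" % key)
        for name, (typ, val) in values.items():
            print("  %s (%s) = %r" % (name, typ, val))
    print("AutoRun disabled for:", autorun_disabled_for(0x91))
    print("Lockdown policies set:", lockdown_policies(reg))
```

An empty result from lockdown_policies() on these exports matches the situation in the thread: nothing under Policies\Explorer was locking the desktop, which is why the fix that follows goes after the Active Desktop web page itself rather than a policy value.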

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #10 on: May 03, 2005, 12:23:37 AM »
Download and UNZIP to a folder
fixdesktop.zip, so you now have fixdesktop.reg unzipped to a folder
[attachment=197:attachment]

=Download the RKFiles.zip
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

You may want to print this out or save it to a Notepad file

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [sysobj.exe] sysobj.exe

O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart into SAFE MODE

With windows set to show Hidden files and folders
First Double click on fixdesktop.reg and allow to merge to the registry

Next
Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode
Do the following if you can
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or  Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Post the log produced by rkfiles.bat and a new Hijackthis log



Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #11 on: May 03, 2005, 08:46:18 AM »
Well, as far as I can tell, the computer is back to normal. My desktop has been restored, my home page is no longer hijacked, pop-ups are gone, etc.

Thanks again for all the help.  I'll post one last Hijackthis log and the results from rkfiles.bat (with any luck, it will be the last one!!!).

Logfile of HijackThis v1.99.1
Scan saved at 5:13:01 AM, on 5/3/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\nvsvc32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

----------------------------------------------------------------------
C:\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\cidaconf.exe: UPX!
C:\WINNT\system32\combo.ex_.exe: UPX!
C:\WINNT\system32\downf102.exe: UPX!
C:\WINNT\system32\downf46.exe: UPX!
C:\WINNT\system32\sccfull.exe: UPX!
C:\WINNT\system32\spoolsrv32.exe: UPX!
C:\WINNT\system32\txfdb32.dll: UPX!
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\fdrest.exe: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: UPX!
C:\WINNT\MEMORY.DMP: MSTVGS.ChannelLineupx!j6
C:\WINNT\msmconret.dll: UPX!
C:\WINNT\winsx.dll: UPX!
C:\WINNT\MEMORY.DMP: FSG!
C:\WINNT\mfunclo.exe: FSG!
Finished
bye
------------------------------------------------------------------------

Thanks again for all your efforts in helping me remove the malware. I'd like to make a donation for your services. The PayPal link goes to someone named Tangea. Is this the preferred account for making a donation?

Paul (redryder)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #12 on: May 03, 2005, 10:58:39 PM »
If you find SB Soft in your Add/Remove programs
Remove it

Print this out or save to a Notepad file
Restart into safe mode

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete these files
C:\WINNT\system32\combo.ex_.exe
C:\WINNT\system32\spoolsrv32.exe <=notice the spelling
C:\WINNT\system32\txfdb32.dll
C:\WINNT\winsx.dll
C:\WINNT\fdrest.exe

You can remove the memory.dmp files in the Winnt folder too

Now, in safe mode, right click an empty spot on your desktop
Select NEW>>Folder
Call the new folder Backup
Can you left click and DRAG these next files into that folder
Don't copy and paste them, we want them there as backups, but not left where they can do damage

C:\WINNT\system32\cidaconf.exe
C:\WINNT\system32\downf102.exe
C:\WINNT\system32\downf46.exe
C:\WINNT\system32\sccfull.exe
C:\WINNT\msmconret.dll
C:\WINNT\mfunclo.exe

Now stay in safe mode and run rkfiles.bat again

Restart back into safe mode

Post back one more hijackthis log to ensure it's clean
also the new log from rkfiles.bat

Could you next
Go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to the files in the Backup folder on the desktop

Right click on each file individually and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results for each file

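The post above asks for the suspect files to be dragged into a Backup folder rather than copied, so nothing stays behind in WINNT or System32 where it could be launched again, while the files remain available for scanning. As an added example (not code from the thread), the Python below does the same move in code and records what a responder usually wants as well: a SHA-256 of each file and a manifest with its original path. The function names, the throwaway directory tree and the dummy file contents are all constructed for the demo; on a real machine you would pass the actual paths from the post and a Backup folder on the desktop.

```python
"""Quarantine suspect files by moving them, not copying them.

Added example, not from the thread: does in code what the post asks for
by drag-and-drop, and records a SHA-256 plus the original path of each
file so it can be looked up or submitted to a scanner later.  The demo
tree, file names and contents below are constructed stand-ins.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(files, backup_dir: Path) -> dict:
    """Move every existing file in `files` into `backup_dir`.

    Returns {"moved": {new_name: {"original", "sha256"}}, "missing": [...]}
    and writes the same manifest as manifest.json beside the moved files.
    Missing paths are reported rather than silently skipped so a typo in
    the list is visible.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"moved": {}, "missing": []}
    for f in map(Path, files):
        if not f.is_file():
            manifest["missing"].append(str(f))
            continue
        digest = sha256_of(f)
        # Append a suffix so a stale Run entry naming "foo.exe" cannot find
        # or launch the file even if the folder ends up on a search path.
        dest = backup_dir / (f.name + ".quarantined")
        shutil.move(str(f), str(dest))      # move: nothing stays behind
        manifest["moved"][dest.name] = {"original": str(f), "sha256": digest}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> dict:
    """Build a throwaway tree standing in for C:\\WINNT and quarantine from it."""
    root = Path(tempfile.mkdtemp(prefix="winnt_demo_"))
    sys32 = root / "system32"
    sys32.mkdir()
    # Constructed dummies named after files in the post; contents are not real.
    (sys32 / "cidaconf.exe").write_bytes(b"MZ-demo-cidaconf")
    (sys32 / "downf46.exe").write_bytes(b"MZ-demo-downf46")
    (root / "mfunclo.exe").write_bytes(b"MZ-demo-mfunclo")
    targets = [sys32 / "cidaconf.exe", sys32 / "downf46.exe",
               root / "mfunclo.exe", root / "winsx.dll"]   # winsx.dll: already gone
    result = quarantine(targets, root / "Backup")
    result["left_in_system32"] = sorted(p.name for p in sys32.iterdir())
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes in manifest.json are what you would later search for or hand to a multi-engine scanner, and the manifest's "original" entries let you trace each quarantined file back to the autorun entry or folder it came from.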


Offline redryder

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
desktop/homepage hijacker + more - please help
« Reply #13 on: May 05, 2005, 12:49:31 PM »
hello Guestolo,

Here's the latest:

-Deleted the following files as requested:

C:\WINNT\system32\combo.ex_.exe
C:\WINNT\system32\spoolsrv32.exe <=notice the spelling
C:\WINNT\system32\txfdb32.dll
C:\WINNT\winsx.dll
C:\WINNT\fdrest.exe

-In safe mode I ran rkfiles.bat,  here are the results:

C:\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


-hijackthis file also ran... results follow:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:40 AM, on 5/5/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114014142184
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

------------------------------------------------------------------------

-Results from Jotti's follow:
-----------------------------------------------------------------
cidaconf.exe
-------------------
Scanner results  
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

---------------------------------
downf46.exe
-----------------
AntiVir  Found Worm/Bagz.J  
Avast  Found Win32:Bagz-F-UPX  
AVG Antivirus  Found I-Worm/Bagz.Q  
BitDefender  Found Win32.Bagz.H@mm  
ClamAV  Found nothing
Dr.Web  Found Trojan.Pigmail  
F-Prot Antivirus  Found nothing
Fortinet  Found W32/Mochi-tr  
Kaspersky Anti-Virus  Found Email-Worm.Win32.Bagz.h  
mks_vir  Found Worm.Bagz.H  
NOD32  Found Win32/Bagz.H  
Norman Virus Control  Found Bagz.H  
VBA32  Found Email-Worm.Win32.Bagz.h

------------------------------------
downf102.exe
---------------------
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

--------------------------------------
mfunclo.exe
---------------------------
AntiVir  Found TR/Drop.Small.VN  
Avast  Found nothing
AVG Antivirus  Found Dropper.Small.17.A  
BitDefender  Found BehavesLike:Trojan.StartPage (probable variant)  
ClamAV  Found Trojan.Clicker.Agent-33  
Dr.Web  Found Trojan.MulDrop.1847  
F-Prot Antivirus  Found nothing
Fortinet  Found W32/Daodrop.B-tr  
Kaspersky Anti-Virus  Found Trojan-Dropper.Win32.Small.vn  
mks_vir  Found Win32 (probable variant)  
NOD32  Found probably unknown NewHeur_PE (probable variant)  
Norman Virus Control  Found W32/Smalldrp.BZX  
VBA32  Found Trojan-Dropper.Win32.Small.vn  

----------------------------------------
msmconret.dll
----------------------
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found rojanDownloader.Win32.Agent.fc  
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing

------------------------------------
sccfull.exe
----------------------
AntiVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
mks_vir  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
VBA32  Found nothing
-----------------------------------------------------

Looks like some of these files are infected.. I'll wait for your reply on how to deal with them....

Thanks again,

Paul (redryder)
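The scanner results above are the kind of multi-engine output a responder has to read quickly: one file is flagged by most engines under a dozen different names, one is flagged by a single engine, and several are not flagged at all. As an added example (not code from the thread), the Python below parses that "Engine  Found verdict" format, counts detections per file, and extracts the family name most engines agree on, so that downf46.exe comes out as a Bagz mail worm rather than eleven unrelated strings. The SAMPLE text is a constructed excerpt of the posted results (three of the six files), and the function names are the example's own.

```python
"""Parse multi-engine scanner output of the kind pasted above.

Added example, not part of the thread.  It reads the "<Engine>  Found <verdict>"
lines for each submitted file, counts how many engines flagged each one, and
pulls out the family name most engines agree on.  SAMPLE is a constructed
excerpt of the results in the post.
"""
import re
from collections import Counter, defaultdict

SAMPLE = """\
downf46.exe
-----------------
AntiVir  Found Worm/Bagz.J
Avast  Found Win32:Bagz-F-UPX
AVG Antivirus  Found I-Worm/Bagz.Q
BitDefender  Found Win32.Bagz.H@mm
ClamAV  Found nothing
Dr.Web  Found Trojan.Pigmail
F-Prot Antivirus  Found nothing
Fortinet  Found W32/Mochi-tr
Kaspersky Anti-Virus  Found Email-Worm.Win32.Bagz.h
mks_vir  Found Worm.Bagz.H
NOD32  Found Win32/Bagz.H
Norman Virus Control  Found Bagz.H
VBA32  Found Email-Worm.Win32.Bagz.h
------------------------------------
msmconret.dll
AntiVir  Found nothing
Kaspersky Anti-Virus  Found rojanDownloader.Win32.Agent.fc
NOD32  Found nothing
------------------------------------
sccfull.exe
AntiVir  Found nothing
Avast  Found nothing
Kaspersky Anti-Virus  Found nothing
"""

# Engine names contain spaces and punctuation, so anchor on the two-space
# gap before "Found" rather than splitting on whitespace.
RESULT_RE = re.compile(r"^(?P<engine>.+?)\s{2,}Found\s+(?P<verdict>.+?)\s*$")
FILENAME_RE = re.compile(r"^[\w.\-]+\.(?:exe|dll|sys|scr|com)$", re.IGNORECASE)
# Words too generic to identify a family ("Win32", "Worm", ...).
GENERIC = {"win", "worm", "email", "trojan", "upx"}


def parse_results(text: str) -> dict:
    """Return {filename: {engine: verdict}} from a pasted results block."""
    results = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                       # blank lines and ---- separators
        if FILENAME_RE.match(line):
            current = line                 # header of the next file's section
            continue
        m = RESULT_RE.match(line)
        if m and current:
            results[current][m["engine"].strip()] = m["verdict"].strip()
    return dict(results)


def consensus_name(verdicts):
    """Most common non-generic word across the verdicts, one vote per engine."""
    votes = Counter()
    for v in verdicts:
        for tok in {t.lower() for t in re.findall(r"[A-Za-z]{3,}", v)}:
            if tok not in GENERIC:
                votes[tok] += 1
    return votes.most_common(1)[0][0] if votes else None


def summarise(results: dict) -> dict:
    """Per file: engines run, engines detecting, distinct names, consensus."""
    out = {}
    for fname, verdicts in results.items():
        hits = [v for v in verdicts.values() if v.lower() != "nothing"]
        out[fname] = {"engines": len(verdicts), "detections": len(hits),
                      "names": sorted(set(hits)), "consensus": consensus_name(hits)}
    return out


def triage(summary: dict) -> dict:
    """Label each file; 'nothing found' is not proof that a file is clean."""
    labels = {}
    for fname, s in summary.items():
        if s["detections"] >= 2:
            labels[fname] = f"multiple engines ({s['detections']}/{s['engines']}): {s['consensus']}"
        elif s["detections"] == 1:
            labels[fname] = "single engine: verify before acting on it"
        else:
            labels[fname] = "no detection (not proof of clean; keep quarantined)"
    return labels


if __name__ == "__main__":
    for fname, label in triage(summarise(parse_results(SAMPLE))).items():
        print(f"{fname:16} {label}")
```

The consensus step votes once per engine, so a name nine engines share (Bagz) outranks the two engines that call the same file Pigmail or Mochi; for a file with a single detection the label deliberately stops short of naming a family, and a file no engine flags is still left in quarantine, which matches the "not proof of clean" warning rkfiles.bat prints.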

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
desktop/homepage hijacker + more - please help
« Reply #14 on: May 05, 2005, 11:29:13 PM »
Go ahead and delete these files
downf46.exe
msmconret.dll
mfunclo.exe
downf46.exe
downf102.exe
cidaconf.exe

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all

Why are you so far behind on Windows updates?
If your version is legit and you need a hand with how I like to update to the latest
service pack, let me know.
If not, please download the latest critical updates and service packs to keep your system secure.
