Solved Help with daughter's computer


Ved

I completely understand what you have mentioned, that I should post problems to new threads.
Before that, just to inform you of a few things after following your kind comments.
1. You are absolutely right, it is not OPService.exe but rather QPservice.exe
2. I followed your instruction regarding Autoruns Zip. You mentioned in (7) Attach to your next reply, and as you already assisted me with this part of the problem, I thought to just complete this one, so: after following your instruction, I removed a few entries marked File Not Found in the Everything tab. After that, in File I searched for Export As, but I did not find it; instead I found Save and saved it as AutoRuns.txt, which I am attaching to this reply. I am not sure if that will tell you anything. After that I followed your instruction further, but in the Startup tab after msconfig in Run I did not find any entries related to the above mentioned OC. However, after restarting the system a few times, the screen with the message C:\PROGRA~1\CHEATE~1\OPENCA~1\OCSETU~1.DLL does not show up any longer. Would you please look into the attached and let me know if you see anything, or whether to move forward with the post in the Software Forum.
3. Later I will run the preliminary steps for viruses and will post back the logs.

Thank You.

Edit: Attn: Bobbye
 

Attachments: AutoRuns.txt (56.5 KB)

Good Morning Ved! Just wanted to let you know I've looked over the Autoruns log. I will work on the following when I get the remaining scans.

1. makes system a bit slow. games? That’s ok, but I am wondering if I can run something that will show you what is on that computer and maybe you can suggest besides the games what can be arrested to get some more space.

2. Also upon start up this screen keeps on showing titled: RunDLL and with the message:
Error loading C:\PROGRA~1\CHEATE~1\OPENCA~1\OCSETU~1.DLL
The specific module could not be found.

3. Also upon shut down the screen shows up at all time, titled:
CL RC Engine 3 Dummy Window: QPService.exe – Application Error: Desc. The instruction at 0x00928feb referenced memory at 0x000227f6. The memory could not be read.

She can download the HP QuickPlay Web Update HERE which should resolve the error message. However, I can also have you take it off of startup.

I'll check for malware. You can also go ahead and run Combofix. Once I see the report from that scan, I can write a script for any entries that still need to be moved:

Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
 
Hello,
I apologize if I am double posting.
I was sure that previously I posted a reply here but it does not show.
However, following your instruction for HP QuickPlay Web Update, I removed the screen that was showing up on the shut down: CL RC Engine 3 Dummy Window: QPService.exe….

Question: Do I need to keep AutoRuns I have installed and log or I can delete that from the system?

Here is the post for Combofix log:
That is why it did not post. I got a message that the text is too long, so I am attaching it. Thank you for your understanding and your time.
 

Attachments: ComboFix.txt (21.3 KB)

There are multiple antivirus programs running: Norton, McAfee and Avira. Two of them need to be removed. Use either of the following tools for the program to be removed:
McAfee Removal
Norton Removal Tool
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.
Contrary to what some people think, multiple antivirus programs actually make the system more vulnerable as well as slow it down.
========================================
3. Later I will run the preliminary steps for viruses and will post back the logs.
Please run those scans and leave the logs. I only told you to go ahead with Combofix for your convenience, not in place of the other programs.

She has got MyWebSearch malware and that will be all over the system. Malwarebytes will remove a lot of it so it's important that you run that. And chances are pretty good that there will be other malware as well.

As for autoruns, it's a long log. I advise keeping it until she decides what to remove. The logs should be viewed to see what is 'auto' running and decide what can be stopped. You don't have to remove the program.

Tell her to stay away from the Fun Web Products site. This is another one that will get her into trouble: c:\program files\iWin Games

Also, using this file sharing "BitComet" will add malware. It either needs to be uninstalled or not used while I am helping. It can be causing reinfections as fast as I remove malware.

I am not going to write any script for Combofix until the other programs have been run- and that's kind of doing it backwards.
 
Following your instructions I have:

1. Avira installed, updated and full scan run
Detections: 0
Warnings: 0
Suspicious: 0
Repair: 0

2. TFC completed

3. Windows Updated, Java Updated, Adobe reader Updated

4. MBAM ran, log posted

5. GMER completed, had to uncheck Devices, log posted

6. DDS completed, logs attached

7. iWin Games uninstalled with Add/Remove, and related games

Please advise further

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4200

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

6/15/2010 7:46:12 PM
mbam-log-2010-06-15 (19-46-12).txt

Scan type: Quick scan
Objects scanned: 133666
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\luna\downloads\CursorManiaSetup2.3.50.62.NoSA.NoHP.ZCfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\luna\downloads\PopularScreensaversSetup2.3.67.1.ZRfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
 

Attachments: DDS.txt (24.7 KB), Attach.txt (8.1 KB), GMER.log (193.8 KB)

Custom CFScript


[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\iwin games\iWinTrusted.exe
c:\program files\viewpoint\common\ViewpointService.exe

Folder::

DDS::
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15_GTB6_(.NET_CLR_3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=313&nc_referer=&age=0&hiscore=&sp=0&questionSet=&r=7623290&width=520&height=560&quality=high"
mRun: [WildTangent CDA] "c:\program files\wildtangent\apps\cda\gamedrvr.exe" /startup "c:\program files\wildtangent\apps\cda\cdaEngine0500.dll"
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm

Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
Firefox::
Firefox:- Profile - c:\users\luna\appdata\roaming\mozilla\firefox\profiles\7tnq3fkt.default\

Registry::

Driver::
WinTrusted
Viewpoint Manager Service
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
===================================
Please follow this for the shockwave updater: How to disable the auto update setting in Shockwave
When the Adobe Shockwave player is installed, there is an option to auto update. If this option is enabled, the Shockwave player will periodically ping an Adobe server. If there is new Shockwave content, a prompt will appear asking permission to update the Shockwave player. This setting can be changed after the Shockwave player is installed by going to the context menu of a Shockwave movie. When this setting is disabled, the Shockwave Player will not ping the Adobe server, and no updates will occur.

To disable the auto update settings for Shockwave, follow the steps below:
1. Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
2 Windows: Right click the Shockwave movie.
Macintosh: Control+click on the Shockwave movie.
3 From the drop down menu choose "Properties".
4 Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
http://kb.adobe.com/selfservice/view...6683&sliceId=1
=======================================
Do the online AV scan: Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave new Combofix report and Eset log in next reply.
 
1. Attached is new Combofix report.
2. Following your instruction I disabled the auto update settings for Shockwave.
3. I ran AV scan from the provided link. Log included.
To mention additionally, during the installation I was not asked to allow the Active X control to install.
Please advise.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=70c291489f636d469e2fa6d8bba1f252
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 08:10:54
# local_time=2010-06-18 10:10:54 (+0100, Central Europe Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1797 16775165 100 94 1071348 35978977 0 0
# compatibility_mode=5892 16776573 100 100 268906 114418612 0 0
# compatibility_mode=8192 67108863 100 0 362 362 0 0
# compatibility_mode=9217 16777214 75 70 2981 2015394 0 0
# scanned=195013
# found=6
# cleaned=0
# scan_time=5970
C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
 

Attachments: ComboFix.txt (23.8 KB)

Eset appears to have run all right without the Active X request.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Services
    :Reg
    
    :Files  
    C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe 
    C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe 
    C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe 
    C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe 
    C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe 
    C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

For your information:
Since I know you are working on your daughter's computer- age unknown, here's some background:

1. ICQ features include sending text messages, offline support, multi-user chats, free daily-limited SMS sending, resumable file transfers, greeting cards, multiplayer games and a searchable user directory.
2. The chat rooms can be a danger. History of ICQ starts with 5 Israeli men, the program becoming Mirabilis and ICQ became the first Internet-wide instant messaging service, later patenting the technology. AOL acquired Mirabilis on June 8, 1998.
3. AOL sold ICQ to Digital Sky Technologies.

It looks like she downloaded the program in 6 different languages, each setup infected with a Trojan.

Run this please. I'll be back with the Combofix script.
 
I did not get OTMoveIt3.exe, after downloading from the link, but rather OTM.exe

Hope this is ok?

Log posted:
All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe moved successfully.
C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe moved successfully.
C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe moved successfully.
C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe moved successfully.
C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe moved successfully.
C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: luna
->Temp folder emptied: 1375842 bytes
->Temporary Internet Files folder emptied: 49154 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 46773561 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1226 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1514330 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 666 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 47.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06192010_203042

Files moved on Reboot...
C:\Users\luna\AppData\Local\Temp\ehmsas.txt moved successfully.
C:\Users\luna\AppData\Local\Temp\~DFA236.tmp moved successfully.
File C:\Windows\temp\TMP0000000C2BAE90B8F40CAE63 not found!
File C:\Windows\temp\ZLT06fc3.TMP not found!

Registry entries deleted on Reboot...
-------------------
Not a teen yet. I do remember ICQ from way back. I asked her if she is using it, and she did not know what it is. She is using FB, Messengers, AIM…

She doesn’t need ICQ. Can you assist me in removing it, as it does not show in Control Panel Add/Remove?

Also upon the start up, actually after reboot following run of OTM, an Adobe Shockwave Player Notification for update is showing…should I install the update?
 
Let's wait on the Adobe update. I thought it likely that she was a young lass. She has many game type programs installed. But the ICQ entry will be trouble. The infected entries were moved in OTM. I will set up the script to remove any remaining files or folders.
----------------------------------------
Custom CFScript


[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
KillAll::
c:\windows\system32\usbaaplrc.dll
c:\programdata\iWin Games\firefox\iWinArcadeLauncher.exe
c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
c:\program files\BitComet\BitComet.exe/AddLink.htm		
Folder::
c:\program files\BitComet
c:\programdata\iWin Games
c:\users\luna\AppData\Local\Symantec
c:\programdata\McAfee
c:\windows\system32\config\systemprofile\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\programdata\WildTangent
c:\program files\WildGames
c:\programdata\NortonInstaller

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Go ahead and run HijackThis after the above; there may be some other entries we can stop:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please leave both logs in next reply. It helps me a lot if you would paste the HijackThis log in.
 
Thank you for your time again.
What other game programs do you suggest to be removed, and I will check with her if it’s ok.
So, Custom CFScript log:
(I will include HJT log in next reply as it does not fit in one)
(This also did not work, so I am attaching the CFScript log and posting HJT here.)

Regarding, HJT upon installing I got this message: For some reason your system denied write access to the Host file... and that I would need to run in Start:
C:\Windows\System32\drivers\etc\hosts
but I did not need to do that; the scan completed. The HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:11:37 PM, on 6/22/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\V0400Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Windows\system32\wuauclt.exe
C:\Users\luna\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ZoneAlarm Toolbar - {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - C:\Program Files\ZoneAlarm\tbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [V0400Mon.exe] C:\Windows\V0400Mon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [C:\Windows\system32\V0400Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0400Ext.ax
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.11/ttinst.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10446 bytes
 

Attachments

  • ComboFix.txt
    34.9 KB · Views: 2
Her system should be moving a lot faster now! The script removed pages and pages of files and folders from BitComet, Wild Tangent, iWin Games, Norton, McAfee and some assorted entries. You have done a great job of cleaning her system up.

Here are some of the game sites or game programs she has on the system. I'll leave it to you to check them out and then handle as you feel is the most appropriate. I am not familiar with most of these- please understand I'm not telling you that any are 'bad'- or 'good':

c:\program files\MyPlayCity.com
c:\program files\RealArcade
c:\program files\phenomedia
c:\program files\Graboid
c:\program files\THQ
c:\program files\Zylom Games
c:\program files\VideoLAN
c:\program files\Free Windows Games
-----------------------------------------------------------
Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

C:\Windows\system32\Dwm.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)


Close all Windows except HijackThis and click on "Fix Checked".

Let me know if we've resolved the problem and I'll have you remove the cleaning tools.
 
You are absolutely right, the system is noticeably faster.
In regards to the programs, she is saying she doesn't want them, so would you please assist me in removing anything from the system associated with same.

I ran HijackThis as you advised me:
The only line that I did not find is:
C:\Windows\system32\Dwm.exe

After checking the rest and clicking on Fix Checked I got the screen with following:
Error Details:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sistem=09 – Extra button: (no name) –Cmdmapping – (no file) (HKCU)
Error #5 – Invalid procedure call or argument
Windows version Windows NT 6.00.1906
MSIE version: 7.0.6002.18005
HijackThis version 2.0.4

Please advise.
After this the only remaining thing, I guess, is if you can assist me in removing what is not needed from startup, as the notification "Windows has blocked some startup programs" appears always, and from one of the previous posts I noticed there might be a lot of things on the startup.
 
Okay, here go the games:

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\users\luna\AppData\Roaming\OpenCandy\DLMGR3.exe
c:\program files\BitComet\BitComet.exe/AddLink.htm
Extra::
File::
c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
Firefox:: 
Firefox-: - Profile - c:\users\luna\AppData\Roaming\Mozilla\Firefox\Profiles\7tnq3fkt.default\
Firefox-:

Folder::
c:\program files\MyPlayCity.com
c:\program files\RealArcade
c:\program files\phenomedia
c:\users\luna\AppData\Roaming\OpenCandy
c:\program files\Graboid
c:\users\luna\AppData\Roaming\PlayFirst
c:\programdata\PlayFirst
c:\programdata\Zylom
c:\program files\Zylom Games
c:\program files\VideoLAN
c:\program files\Free Windows Games
Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Run the script then leave the log it generates. This should remove the games and any data from them.
 
Okay, what do you think? I put a switch in to remove all unnecessary processes for the games. If you looked at the logs- and the last one- you can get some idea of how much these programs can leave on a system.

If 'slow' was the main problem, that should be resolved by now. Are there any remaining problems? If not:
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
=============================================
Please follow these simple steps to keep your computer clean and secure:
These steps are optional, but they are recommended:
Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often. Java Updates: stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    • ATF Cleaner by Atribune
    OR
    • TFC
  • Disable and Enable System Restore:
    • See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    • Avira Free
    • Avast Home
  • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
    • Comodo
    • ZoneAlarm
  • Antispyware: I recommend all of the following:
    • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google Toolbar to help stop pop up windows.

Let me know if you need more help.
 
The slow was the main problem, yes. Along with some message screens that were showing up on the start up.
All of that is fine now. Just before I remove all the tools, is there anything you would suggest to remove from the start up? It seems to me that there might be some non-necessary things that start with the start up of the system.
Please let me know. In the beginning I ran a tool and posted a result of what starts up with the system.
 
Ved, I'm running way behind. I've made a copy of the HijackThis log and am selecting the processes that can be checked. This is beyond the malware cleaning, so it may take a day or so- okay?
 
No problem, a day or so, well, when you get some time. I am on stand by; the little one is getting edgy but I am keeping her in control, and the new Sims is out, she can hardly wait. TG it's summer!
 
Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
 
Hello, I just got this from your previous post:
Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
I did not get anything else, HJT log, clean up... 2 posts.
Was I supposed to receive posts as well?
 
Did not get any posts with your reply... was I supposed to ge....
Well I sure hope the posts show up! I did both the HJT log and the cleanup- in 2 posts!
 
I apologize for the double post. But as I was posting the first one, I got some browser error message.
 
You're very welcome! Looks good! Handle the HijackThis log first, then follow with the cleanup in next reply:

Print the HJT list out. You can look for the corresponding entries for everything that you checked in HJT and uncheck the related processes on the Startup menu. This does not remove a program or App- it's just keeps it from starting on boot. None of these entries are malware and their removal is optional. Stopping as many as possible will free up resources and help make the system faster.

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

C:\Windows\system32\Dwm.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\V0400Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...esario&pf=cnnb
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [V0400Mon.exe] C:\Windows\V0400Mon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
-----------------------------------------------------------------------------
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.11/ttinst.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
------------------------------------
Close all Windows except HijackThis and click on "Fix checked."

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Start> Run> type in services.msc> double click on each of the following Services> change the Startup type to Manual.
Apple Mobile Device
Bonjour Service
Com4QLBEx
Google Software Updater (gusvc)
HP Health Check Service (hphc_service)
hpqwmiex
InstallDriver Table Manager (IDriverT)
iPod Service
Cyberlink RichVideo Service(CRVS) (RichVideo)
XAudioService
Yahoo! Updater (YahooAUService)

Exit Services when through.

To stop processes from starting on boot using the msconfig utility, please see:
http://www.netsquirrel.com/msconfig/msconfig_vista.html

Follow the steps and use the screen shots for reference.

When you have finished, go on to the next reply to remove the cleaning tools.

--
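As an added example (not part of the thread, and not HijackThis's own code), a small Python triage script for HijackThis-style log lines like the ones checked above: it parses the section code, pulls out any CLSID, and flags the kinds of entries the thread singles out (entries whose file is missing, services with an unknown owner, and ActiveX controls downloaded from a web site). The sample lines are copied from the log in this thread; the section descriptions and flag names are this example's own.

```python
import re

# Constructed input: sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.3.7.16.dll (file missing)
O4 - HKLM\\..\\Run: [QPService] "C:\\Program Files\\HP\\QuickPlay\\QPService.exe"
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.37.11/ttinst.cab
O23 - Service: Recovery Service for Windows - Unknown owner - C:\\Windows\\SMINST\\BLService.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
"""

# What the HijackThis section codes seen in the thread refer to (wording is this example's own).
SECTIONS = {
    "O2": "browser helper object (IE add-on)",
    "O4": "autostart entry (Run key or Startup folder)",
    "O8": "IE context-menu item",
    "O9": "IE toolbar button",
    "O16": "downloaded ActiveX control (DPF)",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line):
    """Split one log line into its section code and body, and note why it may need review."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None  # not a HijackThis entry (blank line, header, footer)
    code, body = match.groups()
    flags = []
    # Orphaned entries: the registry still points at a file that no longer exists.
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphaned")
    # A service whose binary carries no vendor name deserves a second look.
    if "Unknown owner" in body:
        flags.append("unknown-owner")
    # ActiveX controls fetched from a web site stay installed after the game is gone.
    if code == "O16" and "http://" in body:
        flags.append("web-downloaded")
    clsid = CLSID_RE.search(body)
    return {"code": code, "kind": SECTIONS.get(code, "other"), "body": body,
            "clsid": clsid.group(0) if clsid else None, "flags": flags}


def triage(log_text):
    """Return the parsed entries that raised at least one flag, in log order."""
    parsed = (parse_line(raw) for raw in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["flags"]]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["code"], entry["kind"], entry["flags"], "-", entry["body"][:70])
```

Flagged entries are candidates for review, not verdicts: a missing-file entry is harmless clutter, while an unknown-owner service still needs its binary checked by hand.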
 
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you need more help.

Just so you know, for whatever reason neither of these replies got through. But I have a text recovery add-on which found them both- I will be sending them a donation!
 