Post #1, Aug 17 2008, 02:01 PM
New Member (Group: New Member; Posts: 3; Joined: 17-August 08; Member No.: 81,026; Operating System: Windows XP)
Here are my logs. I look forward to your replies. Also, how do you even get these viruses? I haven't downloaded anything and I am on my secured home router. Any ideas?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:30 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\lphcpkej0e31j.exe
C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\pphcpkej0e31j.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David R. Dohring\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewphx.mesa-air.com/crewweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphcpkej0e31j] C:\WINDOWS\system32\lphcpkej0e31j.exe
O4 - HKLM\..\Run: [SMrhctkej0e31j] C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7432 bytes


Malwarebytes' Anti-Malware 1.24
Database version: 1061
Windows 5.1.2600 Service Pack 2

3:51:47 PM 8/17/2008
mbam-log-8-17-2008 (15-51-47).txt

Scan type: Quick Scan
Objects scanned: 43197
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 5
Registry Keys Infected: 18
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 14
Files Infected: 28

Memory Processes Infected:
C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe (Rogue.Multiple) -> Unloaded process successfully.
C:\WINDOWS\system32\lphcpkej0e31j.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\pphcpkej0e31j.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\rhctkej0e31j\MFC71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhctkej0e31j\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhctkej0e31j\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\rhctkej0e31j\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.
C:\WINDOWS\system32\blphcpkej0e31j.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhctkej0e31j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhctkej0e31j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhctkej0e31j (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcpkej0e31j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\inet20001 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\rhctkej0e31j\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\inet20001\winelf.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\rhctkej0e31j\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\David R. Dohring\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\desktop.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcpkej0e31j.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcpkej0e31j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcpkej0e31j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcpkej0e31j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsub.xml (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svcp.csv (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vx.tll (Malware.Trace) -> Quarantined and deleted successfully.

Bump
Post #2, Aug 19 2008, 04:04 PM
SuperMember (Group: Malware Expert; Posts: 3,033; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Fedora Core, XP)
hi Tazman282

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [lphcpkej0e31j] C:\WINDOWS\system32\lphcpkej0e31j.exe
O4 - HKLM\..\Run: [SMrhctkej0e31j] C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUfox000

look in the Add/Remove Programs panel and uninstall My Web Search if present

look here: C:\Program Files\ and delete the folder: rhctkej0e31j

reboot and post a new hjt log

QUOTE: Any ideas?

plenty. i will leave them for later
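The triage the helper performs above follows a few mechanical rules: registry entries whose file is "(no file)" or "(file missing)" are orphans and safe to fix, Run entries pointing at random-named executables (here lphcpkej0e31j and rhctkej0e31j) are the rogue's autostart, and the rogue's other files (blphcpkej0e31j.scr, pphcpkej0e31j.exe, phcpkej0e31j.bmp) share the same random tail. The script below is an added example, not part of this thread or of HijackThis: it parses a handful of lines copied from the first log posted above and applies those rules. The random-name regex, the `TRUSTED_DPF_HOSTS` allowlist for O16 ActiveX entries and the finding categories are my own assumptions for illustration, not HijackThis features.

```python
"""Triage a HijackThis (HJT) log the way the helper in this thread did.

Added example, not part of the thread or of HijackThis. Rules implemented:
  * "(no file)" / "(file missing)" entries are orphans: the registry still
    points at a component whose file is gone, so they are safe to fix.
  * Entries carrying a path whose file stem looks machine-generated (letters
    and digits mixed, 10+ chars) are flagged; the rogue in this thread used
    lphcpkej0e31j / rhctkej0e31j.
  * O16 DPF (ActiveX download) entries from hosts outside a small allowlist
    are flagged for manual review.
The regex threshold and the allowlist are assumptions for illustration.
"""
import ntpath
import os
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lphcpkej0e31j] C:\WINDOWS\system32\lphcpkej0e31j.exe
O4 - HKLM\..\Run: [SMrhctkej0e31j] C:\Program Files\rhctkej0e31j\rhctkej0e31j.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# Drive-letter path ending in a PE-style extension; surrounding quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|scr|ocx|cpl))', re.I)
# Heuristic (assumption): 10+ alphanumerics mixing letters and digits.
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
# Assumed allowlist of O16 download hosts; illustrative only.
TRUSTED_DPF_HOSTS = {"go.microsoft.com"}


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O4"
    kind: str      # "orphan", "random-name" or "dpf"
    detail: str    # file stem or URL host that triggered the rule
    line: str      # the original log line


def path_stem(body: str):
    """File name without extension of the first path in an entry, or None."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return ntpath.splitext(ntpath.basename(m.group(1)))[0]


def triage(log_text: str):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entry
        section, body = m.group("section"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphan", "", line))
            continue
        stem = path_stem(body)
        if stem and RANDOM_STEM_RE.match(stem):
            findings.append(Finding(section, "random-name", stem, line))
            continue
        if section == "O16":
            u = URL_RE.search(body)
            host = urlsplit(u.group(0)).hostname if u else None
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, "dpf", host or "?", line))
    return findings


def random_stems(findings):
    return [f.detail for f in findings if f.kind == "random-name"]


def common_suffix(names):
    """Longest shared tail of the names; a rogue's files often share one."""
    return os.path.commonprefix([n[::-1] for n in names])[::-1]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.kind:12} {f.detail:26} {f.line[:70]}")
    tail = common_suffix(random_stems(found))
    if tail:
        print(f"\nrandom-named files share the tail '{tail}': search disk and registry for it")
```

On the sample the script flags the two (no file) BHO/toolbar entries and the World Poker Exchange button as orphans, the two rogue Run entries as random-named, and the PopCap DPF as an untrusted download, and reports the shared tail kej0e31j, which is exactly the string to search for when hunting the rogue's screensaver, bitmap and second executable that HijackThis does not list.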
Post #3, Aug 20 2008, 10:43 AM
New Member (Group: New Member; Posts: 3; Joined: 17-August 08; Member No.: 81,026; Operating System: Windows XP)
I was only able to delete two of the ones you listed; none of the others were still there. My Web Search was also not in my Add/Remove Programs. Here is the new log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:36 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David R. Dohring\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crewphx.mesa-air.com/crewweb/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7132 bytes
Post #4, Aug 20 2008, 05:35 PM
SuperMember (Group: Malware Expert; Posts: 3,033; Joined: 15-May 04; From: @localhost; Member No.: 6,820; Operating System: Fedora Core, XP)
hi,

ok, looks good. how's it all looking on your end now? any pop-ups, page redirects or other signs of malware?

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fix checked"

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

I don't see a resident antivirus in your hjt log? unless you practice safe hex and have a locked-down machine, you need one. i can post links to several free ones.