I'm not sure how to get rid of the IRCbot thing that's infecting my computer. When it came up in the scan on Adware I quarantined it, but when I ran another scan a few days later, it came up again. I'm not sure why it keeps coming back. I am hoping you guys will be able to help me get rid of it for good.

Here's the Hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:09 PM, on 8/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AdwareAlert\AdwareAlert.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\help\svchost.exe
C:\WINDOWS\help\svchost32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mindspring.net/ie/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.mindspring.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Internet Services
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O5 "LPT1:" /M "Stylus C88"
O4 - HKLM\..\Run: [Background Intelligent Transfer Service] C:\WINDOWS\help\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Networking Monitoring] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7130 bytes


thanks,
Soleil

Hello

Please run the MGA Diagnostic Tool and post back the report it shall produce:

1. Download MGADiag to your desktop.
2. Double-click on MGADiag.exe to launch the program
3. Click "Continue"
4. Ensure that the "Windows" tab is selected (it should be by default).
5. Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
6. Paste the MGA Diagnostic Report back here in your next reply.

here's the report you asked for

Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-W3R3K-J2VF4-JFP8W
Windows Product Key Hash: XPfxGkd+SaYWqIyXYZav/kIic8c=
Windows Product ID: 55277-OEM-2111907-00111
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {AC32276D-A7C7-47ED-8E90-86196A711CF3}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{AC32276D-A7C7-47ED-8E90-86196A711CF3}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-JFP8W</PKey><PID>55277-OEM-2111907-00111</PID><PIDType>2</PIDType><SID>S-1-5-21-1238604406-4063022668-1793010294</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Satellite A15</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 1.20</Version><SMBIOSVersion major="2" minor="3"/><Date>20030520******.******+***</Date><SLPBIOS>TOSHIBA</SLPBIOS></BIOS><HWID>E3613C07018400C2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Toshiba</name><model>Satellite</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Your Windows isn't validated, this is a sign of a pirated OS

Once you validate it, we can help you. Otherwise we cant.

Windows validated. Topic opened per request of the topic starter.

Now we can help you

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

I hope I did everything right.



SDFix report:


SDFix: Version 1.219
Run by Soleil Robichaud on Sun 08/24/2008 at 07:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\g.bat - Deleted
C:\WINDOWS\Help\svchost.exe - Deleted
C:\WINDOWS\system32\i - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 20:03:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\Fonts\wmsncs.exe [1704] 0xFF9DA4C0

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\Fonts\wmsncs.exe"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\Program Files\Common Files\System\wmsncs.exe"
Mon 4 Jun 2007 20,809 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti3.tmp"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\system32\wins\wmsncs.exe"
Wed 13 Aug 2008 21,504 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0001.tmp"
Sun 10 Aug 2008 28,672 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0002.tmp"
Sun 10 Aug 2008 33,280 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0005.tmp"
Wed 20 Aug 2008 19,456 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0006.tmp"
Sun 10 Aug 2008 31,232 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0331.tmp"
Sun 10 Aug 2008 32,256 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0513.tmp"
Wed 13 Aug 2008 42,496 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL0800.tmp"
Sun 10 Aug 2008 32,256 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL1937.tmp"
Mon 4 Aug 2008 22,528 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2081.tmp"
Wed 13 Aug 2008 22,528 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2388.tmp"
Wed 13 Aug 2008 19,968 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2405.tmp"
Sun 10 Aug 2008 32,768 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2562.tmp"
Wed 20 Aug 2008 26,624 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2625.tmp"
Sun 10 Aug 2008 32,768 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL2845.tmp"
Thu 7 Aug 2008 23,552 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3033.tmp"
Wed 13 Aug 2008 19,456 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3499.tmp"
Sun 10 Aug 2008 29,184 ...H. --- "C:\Documents and Settings\Soleil Robichaud\My Documents\Soleil\~WRL3552.tmp"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\WINDOWS\system32\spool\drivers\wmsncs.exe"
Thu 7 Aug 2008 126,823 ..SHR --- "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmsncs.exe"
Wed 13 Aug 2008 38,912 ...H. --- "C:\Documents and Settings\Soleil Robichaud\Application Data\Microsoft\Word\~WRL1821.tmp"
Wed 12 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL0013.tmp"
Tue 11 Nov 2003 31,744 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL0928.tmp"
Tue 11 Nov 2003 54,784 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1105.tmp"
Wed 12 Nov 2003 64,512 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1110.tmp"
Wed 12 Nov 2003 68,096 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL1924.tmp"
Tue 11 Nov 2003 53,760 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2454.tmp"
Tue 11 Nov 2003 40,960 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2620.tmp"
Tue 11 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2759.tmp"
Tue 11 Nov 2003 55,296 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2916.tmp"
Wed 12 Nov 2003 65,024 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2932.tmp"
Wed 12 Nov 2003 69,120 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL2997.tmp"
Wed 12 Nov 2003 65,536 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3387.tmp"
Tue 11 Nov 2003 29,184 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3431.tmp"
Wed 12 Nov 2003 118,272 A..H. --- "C:\Documents and Settings\Ron Robichaud\My Documents\Ron\CDS-Info\Awise General\~WRL3564.tmp"

Finished!




ComboFix log:


ComboFix 08-08-23.03 - Soleil Robichaud 2008-08-24 20:41:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.94 [GMT -4:00]
Running from: C:\Documents and Settings\Soleil Robichaud\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\FUYZS8F5\interclick.com\ud.sol
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Soleil Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\R6B6SHBX\interclick.com
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\#SharedObjects\R6B6SHBX\interclick.com\ud.sol
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Trevor Robichaud\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\help\svchost.exe
C:\WINDOWS\system32\mdm.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-24 19:54 . 2008-08-24 19:54 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-24 19:48 . 2008-08-24 20:05 <DIR> d-------- C:\SDFix
2008-08-24 18:02 . 2008-08-24 18:55 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\AdwareAlert
2008-08-24 12:30 . 2008-08-24 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-23 19:25 . 2008-08-23 19:25 <DIR> d-------- C:\Program Files\AdwareAlert
2008-08-23 19:01 . 2008-08-23 19:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-23 18:52 . 2008-08-23 19:28 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert
2008-08-23 18:52 . 2008-08-24 16:14 <DIR> d-------- C:\Documents and Settings\Ron Robichaud\Application Data\AdwareAlert
2008-08-23 18:49 . 2008-08-23 18:52 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\AdwareAlert(2)
2008-08-23 18:32 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-08-23 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-08-23 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-23 18:32 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-08-23 18:20 . 2008-08-23 18:52 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 18:20 . 2008-08-23 18:20 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\Malwarebytes
2008-08-23 18:20 . 2008-08-23 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 18:19 . 2008-08-23 18:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-23 18:13 . 2008-08-23 18:59 <DIR> d-------- C:\Program Files\ERUNT
2008-08-22 13:32 . 2008-08-24 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-22 13:32 . 2008-08-22 13:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-14 22:37 . 2008-08-14 22:37 <DIR> d-------- C:\Program Files\EPSON
2008-08-14 22:37 . 2004-06-24 01:20 309,760 --a------ C:\WINDOWS\system32\EAL32.DLL
2008-08-14 22:37 . 2004-03-12 01:30 82,944 --a------ C:\WINDOWS\system32\EAL.EXE
2008-08-14 22:37 . 2004-11-25 05:07 79,679 --a------ C:\WINDOWS\system32\E_FLMABA.DLL
2008-08-14 22:37 . 2003-05-21 02:27 64,000 --a------ C:\WINDOWS\system32\E_FBCBABA.DLL
2008-08-14 22:37 . 2000-06-07 01:01 34,304 --a------ C:\WINDOWS\system32\E_FBCHABA.DLL
2008-08-14 22:37 . 2004-06-24 01:20 51 --a------ C:\WINDOWS\system32\EAL32.INI
2008-08-11 00:33 . 2008-08-11 00:33 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\acccore
2008-08-11 00:31 . 2008-08-11 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-08-11 00:30 . 2008-08-11 00:30 21 --a------ C:\WINDOWS\atid.ini
2008-08-11 00:29 . 2008-08-11 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-08-11 00:29 . 2008-08-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-08-11 00:29 . 2008-08-11 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-08-11 00:27 . 2008-08-11 00:33 <DIR> d-------- C:\Program Files\AIM6
2008-08-08 22:46 . 2008-08-08 22:46 53 --a------ C:\WINDOWS\system32\g.ftp
2008-08-07 17:31 . 2008-08-07 17:31 159,744 --a------ C:\WINDOWS\system32\Bsmtp.dll
2008-08-07 17:31 . 2008-08-07 17:31 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-08-07 15:46 . 2008-08-07 15:46 <DIR> d---s---- C:\Documents and Settings\Ron Robichaud\UserData
2008-08-01 23:09 . 2008-08-01 23:09 <DIR> d-------- C:\WINDOWS\A8B9466986544126BD28D0D2412CDED6.TMP
2008-08-01 13:01 . 2008-08-15 12:21 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\OnRez
2008-08-01 12:07 . 2008-08-01 12:07 <DIR> d---s---- C:\Documents and Settings\Trevor Robichaud\UserData
2008-07-31 22:03 . 2008-08-15 01:49 <DIR> d-------- C:\Documents and Settings\Trevor Robichaud\Application Data\SecondLife
2008-07-31 21:53 . 2008-07-31 21:53 <DIR> d---s---- C:\Documents and Settings\Soleil Robichaud\UserData
2008-07-31 21:40 . 2008-07-31 21:40 2,838 --a------ C:\WINDOWS\machine.ver
2008-07-31 14:02 . 2008-07-31 14:02 <DIR> d-------- C:\Documents and Settings\Soleil Robichaud\Application Data\MAGIX
2008-07-25 10:37 . 2006-05-23 17:41 626,688 --a------ C:\WINDOWS\system32\mgxoschk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 22:47 79,270 ----a-w C:\Program Files\hptdvnkb.txt
2008-08-11 04:28 --------- d-----w C:\Program Files\Common Files\AOL
2008-08-08 07:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2008-08-07 21:31 83,968 ----a-w C:\WINDOWS\Help\svchost32.exe
2008-08-07 21:31 409,600 ----a-w C:\WINDOWS\Help\ipconfig.sys
2008-08-07 21:31 409,600 ----a-w C:\WINDOWS\Help\internat.exe
2008-08-07 19:17 126,823 --sh--r C:\WINDOWS\Fonts\wmsncs.exe
2008-08-02 03:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 15:16 --------- d-----w C:\Program Files\MindSpring 4.0
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 18:08 1511453]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-08-06 11:21 50472]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [2008-08-22 15:20 9093120]
"Network Connections"="C:\WINDOWS\help\internat.exe" [2008-08-07 17:31 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-04-15 23:01 258048]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07 114688]
"PmProxy"="C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 22:54 40960]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-01-02 20:16 172032]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-12-25 17:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-01-21 21:00 126976]
"NDSTray.exe"="C:\Program Files\Toshiba\ConfigFree\NDSTray.exe" [2003-01-17 23:26 458752]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 16:21 159744]
"AccessRampMonitor"="C:\Program Files\AccessRamp\ARMon32.exe" [1999-08-03 13:13 68096]
"QuickTime Task"="C:\WINDOWS\System32\qttask.exe" [2006-08-20 22:28 28672]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 02:12 49152]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-07 15:17 126823]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-07 15:17 126823]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 04:00 98304]
"000StTHK"="000StTHK.exe" [2001-06-23 23:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-18 14:20 88363 C:\WINDOWS\agrsmmsg.exe]
"TFNF5"="TFNF5.exe" [2001-08-03 20:08 73728 C:\WINDOWS\system32\TFNF5.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-12-10 13:49 237568 C:\WINDOWS\system32\TPWRTRAY.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmsncs Service"="C:\WINDOWS\Fonts\wmsncs.exe" [2008-08-07 15:17 126823]
"NvidMediaCenter"="C:\Program Files\Common Files\System\wmsncs.exe" [2008-08-07 15:17 126823]
"Spool Driver Service"="C:\WINDOWS\System32\spool\drivers\wmsncs.exe" [2008-08-07 15:17 126823]
"Wins Service"="C:\WINDOWS\System32\wins\wmsncs.exe" [2008-08-07 15:17 126823]
"Network Connections"="C:\WINDOWS\help\internat.exe" [2008-08-07 17:31 409600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 02:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
wmsncs.exe [2008-08-07 15:17:21 126823]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe \"C:\\WINDOWS\\Fonts\\wmsncs.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R2 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe [2008-08-07 15:17]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;C:\WINDOWS\System32\DRIVERS\cben5.sys [2001-08-17 08:13]
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\System32\DRIVERS\wlags48b.sys [2002-06-28 19:29]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{103L3C30-C3B3-4130-9363-E59E1375PERM}]
C:\WINDOWS\Fonts\wmsncs.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Background Intelligent Transfer Service - C:\WINDOWS\help\svchost.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Settings,ProxyOverride = <local>
O8 -: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 20:45:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

C:\WINDOWS\Fonts\wmsncs.exe [1704] 0xFF9DA4C0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-24 20:48:55
ComboFix-quarantined-files.txt 2008-08-25 00:48:48

Pre-Run: 1,221,816,320 bytes free
Post-Run: 2,029,334,528 bytes free

179





HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:00 PM, on 8/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O5 "LPT1:" /M "Stylus C88"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe
O4 - HKUS\S-1-5-18\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvidMediaCenter] C:\Program Files\Common Files\System\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spool Driver Service] C:\WINDOWS\System32\spool\drivers\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Wins Service] C:\WINDOWS\System32\wins\wmsncs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Network Connections] C:\WINDOWS\help\internat.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINDOWS\Fonts\wmsncs.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: wmsncs.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6773 bytes

I did another scan on AdWare Alert this morning and it found another backdoor trojan called Bifrose. =[

Hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

doing that won't mess up my computer in any way right? because I couldn't figure out how to install the windows recovery console, and I just want to be sure. thanks =]