virus in temp file that keeps on reappearing

This is my HJT log, and yes, the computer seems to be working fine, no pop-ups either, but I am a bit suspicious.

Logfile of HijackThis v1.99.1
Scan saved at 5:56:21 PM, on 6/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthat\HijackThis.exe

O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16a9ed0aa72cfdc47e23/netzip/RdxIE601.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Right-click HERE (http://www.mvps.org/winhelp2002/DelDomains.inf) and select Save Target As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart).
Note: This will remove all entries in the “Trusted Zone” and “Ranges” also.

THEN

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16a9ed0aa72cfdc47e23/netzip/RdxIE601.cab
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

NEXT

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\shudqcet.exe
C:\WINDOWS\system32\pbojfbna.exe
C:\WINDOWS\system32\lyyueayl.exe
C:\WINDOWS\system32\dybmdfxj.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If you could follow up with one more HijackThis log, please.
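As an added illustration of the triage the helper applies to the HijackThis log above (example code written for this page, not a tool from the thread): it flags the three entry classes acted on here, O15 Trusted Zone additions, O16 ActiveX downloads whose codebase is served from a bare IP address, and O2/O3 entries whose file no longer exists. The sample lines are copied from the log posted in this thread.

```python
"""Triage a HijackThis 1.99.1 log for the entry classes handled in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16a9ed0aa72cfdc47e23/netzip/RdxIE601.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O16"
    severity: str  # "fix": entry should go; "review": orphan, harmless clutter
    reason: str
    line: str


_ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
_URL_RE = re.compile(r'https?://([^/\s"]+)')
_ZONE_RE = re.compile(r"Trusted Zone:\s*(\S+)")


def _is_ip_literal(host: str) -> bool:
    """True when the codebase host is a bare IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HJT line; None means nothing in this example's rule set applies."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O15":
        # Any site added to IE's Trusted Zone gets relaxed security settings;
        # the helper's DelDomains.inf step clears all of these.
        zm = _ZONE_RE.search(body)
        site = zm.group(1) if zm else "?"
        return Finding(section, "fix", f"{site} added to IE Trusted Zone", line)
    if section == "O16":
        # Downloaded Program Files (ActiveX) whose codebase is a bare IP address.
        um = _URL_RE.search(body)
        if um and _is_ip_literal(um.group(1)):
            return Finding(section, "fix",
                           f"ActiveX codebase served from bare IP {um.group(1)}", line)
        return None
    if section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        # BHO or toolbar registration whose file is gone: orphaned entry.
        return Finding(section, "review", "entry points at a file that no longer exists", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits in log order."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```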

Thank you for your time and for helping me fix my computer; I will be sure to try everything and post another HJT log.
Guess what, my computer is better already!!! Although I am still a bit suspicious about that, at least there will be no more annoying pop-ups when I go on the internet. And again, thanks for your time and help, I REALLY appreciate it!!!

These are my OTMoveIt results. But when I pressed the Moveit button, the avast scanner found a few more viruses?

C:\WINDOWS\system32\shudqcet.exe moved successfully.
C:\WINDOWS\system32\pbojfbna.exe moved successfully.
C:\WINDOWS\system32\lyyueayl.exe moved successfully.
C:\WINDOWS\system32\dybmdfxj.exe moved successfully.

Created on 06/26/2007 10:43:33

This is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:47:29 AM, on 6/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthat\HijackThis.exe

O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Nothing apparent on your log now. But if you want, I can go deep and dirty to winkle out all miscreants present on your system. If so, then could you please do the following:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

  1. Close ALL OTHER PROGRAMS.
  2. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  3. Now click the Run Scan button on the toolbar.
  4. Let it run unhindered until it finishes.
  5. When the scan is complete Notepad will open with the report file loaded in it.
  6. Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.


If you decide not to, then:

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button; you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:

  1. Select Start > All Programs > Accessories > System Tools > System Restore.
  2. On the dialogue box that appears, select Create a Restore Point.
  3. Click NEXT.
  4. Enter a name, e.g. Clean.
  5. Click CREATE.

You now have a clean restore point. To get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.
  2. In the drop-down box that appears, select your main drive, e.g. C.
  3. Click OK.
  4. The system will do some calculation and then display a dialogue box with TABS.
  5. Select the More Options tab.
  6. At the bottom will be a System Restore box with a CLEANUP button; click this.
  7. Accept the warning and select OK again; the program will close and you are done.

First priority will be to get you updated to Service Pack 2. On this page you will have the option to download or order the Service Pack on CD. Your choice, but whichever option you choose, ensure you are malware free before installation; SP2 does not play well with an infected system, so before installation pop back here for a quick health check.

Thank you for all of your time and help. It seems like my computer is finally free of nasty critters, and I will sure try WinPFind to completely get rid of everything bad in my system. And again, thank you for all of your help!!! It has really helped me to become a calmer person when a seemingly unbeatable virus attacks again. Thank you all!!!

Hi Eliza, WinPFind is an analysis tool and will not actually fix anything unless I tell it to.

BTW I like your Avatar

WinPFind3 logfile created on: 6/26/2007 6:22:16 PM
WinPFind3U by OldTimer - Version 1.0.39 Folder = C:\Documents and Settings\Wendi\Desktop\WinPFind3u
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

511.55 Mb Total Physical Memory | 306.82 Mb Available Physical Memory | 59.98% Memory free
1.22 Gb Paging File | 0.99 Gb Available in Paging File | 81.28% Paging File free
Paging file location(s): E:\pagefile.sys 768 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 6.00 Gb Total Space | 0.32 Gb Free Space | 5.41% Space Free
D: Drive not present or media not loaded
Drive E: | 4.01 Gb Total Space | 2.66 Gb Free Space | 66.41% Space Free
F: Drive not present or media not loaded

Computer Name: DELL600
Current User Name: Wendi
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
ashdisp.exe → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr = ]
ashmaisv.exe → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr = ]
ashserv.exe → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr = ]
ashwebsv.exe → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr = ]
aswupdsv.exe → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr = ]
cfd.exe → %ProgramFiles%\BroadJump\Client Foundation\CFD.exe → [Ver = | Size = 368706 bytes | Modified Date = 9/10/2002 9:26:26 PM | Attr = ]
ipodservice.exe → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
ituneshelper.exe → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 10/30/2006 10:36:36 AM | Attr = ]
lexbces.exe → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 9.37 | Size = 307200 bytes | Modified Date = 11/6/2003 3:57:00 AM | Attr = ]
lexpps.exe → %System32%\LEXPPS.EXE → Lexmark International, Inc. [Ver = 9.37 | Size = 174592 bytes | Modified Date = 11/6/2003 3:57:00 AM | Attr = ]
realsched.exe → %CommonProgramFiles%\Real\Update_OB\realsched.exe → RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 3/13/2007 5:53:04 PM | Attr = ]
sdhelp.exe → %ProgramFiles%\Spyware Doctor\sdhelp.exe → PC Tools Research Pty Ltd [Ver = 3.6.0.2024 | Size = 894120 bytes | Modified Date = 6/15/2006 5:10:58 PM | Attr = ]
swdoctor.exe → %ProgramFiles%\Spyware Doctor\swdoctor.exe → PC Tools Research Pty Ltd [Ver = 4.0.0.2602 | Size = 2083040 bytes | Modified Date = 7/19/2006 9:57:30 AM | Attr = ]
winpfind3u.exe → %UserDesktop%\WinPFind3u\WinPFind3U.exe → OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 11:29:56 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] → %ProgramFiles%\Alwil Software\Avast4\ashServ.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 11:42:40 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 12:04:38 PM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] → %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 11:41:28 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] → %System32%\dmadmin.exe → Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] → %ProgramFiles%\iPod\bin\iPodService.exe → Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 492608 bytes | Modified Date = 10/30/2006 10:36:32 AM | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] → %System32%\LEXBCES.EXE → Lexmark International, Inc. [Ver = 9.37 | Size = 307200 bytes | Modified Date = 11/6/2003 3:57:00 AM | Attr = ]
(SDhelper) PC Tools Spyware Doctor [Win32_Own | Auto | Running] → %ProgramFiles%\Spyware Doctor\sdhelp.exe → PC Tools Research Pty Ltd [Ver = 3.6.0.2024 | Size = 894120 bytes | Modified Date = 6/15/2006 5:10:58 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
avast! → %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 11:42:48 AM | Attr = ]
BJCFD → %ProgramFiles%\BroadJump\Client Foundation\CFD.exe → [Ver = | Size = 368706 bytes | Modified Date = 9/10/2002 9:26:26 PM | Attr = ]
iTunesHelper → %ProgramFiles%\iTunes\iTunesHelper.exe → Apple Computer, Inc. [Ver = 7.0.2.16 | Size = 256576 bytes | Modified Date = 10/30/2006 10:36:36 AM | Attr = ]
QuickTime Task → %ProgramFiles%\QuickTime\qttask.exe → Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 10/25/2006 7:58:18 PM | Attr = ]
TkBellExe → %CommonProgramFiles%\Real\Update_OB\realsched.exe → RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 3/13/2007 5:53:04 PM | Attr = ]
< OptionalComponents [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ →
IMAIL → Installed = 1 →
MAPI → Installed = 1 →
MSFS → Installed = 1 →
< Run [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run →
Spyware Doctor → %ProgramFiles%\Spyware Doctor\swdoctor.exe → PC Tools Research Pty Ltd [Ver = 4.0.0.2602 | Size = 2083040 bytes | Modified Date = 7/19/2006 9:57:30 AM | Attr = ]
< SecurityProviders [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders →
< Winlogon settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< Winlogon settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon →
< CurrentVersion Policy Settings [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} → 1073741857 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1} → 32 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\dontdisplaylastusername → 0 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext → →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\shutdownwithoutlogon → 1 →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\undockwithoutlogon → 1 →
< CurrentVersion Policy Settings [HKCU] > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun → 36 →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun → ÿÿÿÿ →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ → →
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ → →
< HOSTS File > (27 bytes) → C:\WINDOWS\System32\drivers\etc\Hosts →
127.0.0.1 localhost → →

continuing log from WinPFind3u

< Internet Explorer Settings > → →
HKLM: Default_Page_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM: Main\Default_Search_URL → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM: Local Page → %SystemRoot%\system32\blank.htm →
HKLM: Search Page → http://www.google.com
HKLM: Start Page → about:blank →
HKLM: CustomizeSearch → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM: SearchAssistant → http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU: Local Page → C:\WINDOWS\System32\blank.htm →
HKCU: Search Page → http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU: Start Page → http://www.google.com/
HKCU: ProxyEnable → 0 →
< BHO’s > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{00000000-0007-5041-4354-0020e48020af} [HKLM] → %ProgramFiles%\12Ghosts\12popup.dll [12Ghosts Popup-Killer] → File not found
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] → %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] → Adobe Systems Incorporated [Ver = 6.0.0.2003051500 | Size = 50376 bytes | Modified Date = 5/15/2003 1:47:54 AM | Attr = ]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} [HKLM] → %ProgramFiles%\Spyware Doctor\tools\iesdsg.dll [PCTools Site Guard] → PC Tools [Ver = 3.6.0.2069 | Size = 803048 bytes | Modified Date = 5/5/2006 1:55:04 PM | Attr = ]
{B56A7D7D-6927-48C8-A975-17DF180C71AC} [HKLM] → %ProgramFiles%\Spyware Doctor\tools\iesdpb.dll [PCTools Browser Monitor] → PC Tools [Ver = 3.6.0.2281 | Size = 839920 bytes | Modified Date = 5/5/2006 1:56:36 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] → %System32%\msdxm.ocx [&Radio] → [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
< Internet Explorer Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} → Reg Data - Value does not exist [ButtonText: Spyware Doctor] → File not found
< DNS Name Servers [HKLM] > → HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ →
{EAA35DFA-0396-480A-97A7-B140645BA47C} → (3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)) →
< Default Protocols [HKLM] - Select to Repair > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Default Protocols [HKCU] - Select to Repair > → HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults →
shell → shell protocol not assigned →
< Protocol Handlers [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ →
ipp → Reg Data - Key not found → File not found
msdaipp → Reg Data - Key not found → File not found
vnd.ms.radio → %System32%\msdxm.ocx → [Ver = | Size = 844048 bytes | Modified Date = 9/17/2003 12:01:28 PM | Attr = ]
< Downloaded Program Files > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ →
{00000075-0000-0010-8000-00AA00389B71} → - CodeBase = http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
{00000075-9980-0010-8000-00AA00389B71} → - CodeBase = http://codecs.microsoft.com/codecs/i386/voxacm.CAB
{01113300-3E00-11D2-8470-0060089874ED} → Support.com Configuration Class - CodeBase = http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
{01118A01-3E00-11D2-8470-0060089874ED} → SupportSoft Script Runner Class - CodeBase = https://password.bellsouth.net/sdccommon/download/tgctlsr.cab
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} → QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{33564D57-0000-0010-8000-00AA00389B71} → - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
{33564D57-9980-0010-8000-00AA00389B71} → - CodeBase = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} → Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} → - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37696.6352430556
{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} → Java Plug-in 1.4.0_01 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} → Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DirectAnimation Java Classes → - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab →
Microsoft XML Parser for Java → - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab →

still continuing,

[Files/Folders - Created Within 30 days]
Avenger → %SystemDrive%\Avenger → [Folder | Created Date = 6/25/2007 4:33:53 PM | Attr = ]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Created Date = 5/28/2007 10:03:29 AM | Attr = HS]
QooBox → %SystemDrive%\QooBox → [Folder | Created Date = 6/25/2007 4:26:24 PM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Created Date = 6/26/2007 9:43:17 AM | Attr = ]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 87552 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]
erdnt → %SystemRoot%\erdnt → [Folder | Created Date = 6/25/2007 4:28:54 PM | Attr = ]
nircmd.exe → %SystemRoot%\nircmd.exe → NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]
mcrh.tmp → %System32%\mcrh.tmp → [Ver = | Size = 143 bytes | Created Date = 6/15/2007 10:10:59 AM | Attr = ]
ojqlbetl.ini → %System32%\ojqlbetl.ini → [Ver = | Size = 3451673 bytes | Created Date = 6/9/2007 10:15:10 AM | Attr = HS]
swreg.exe → %System32%\swreg.exe → SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]
swsc.exe → %System32%\swsc.exe → SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]
swxcacls.exe → %System32%\swxcacls.exe → SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]
vfind.exe → %System32%\vfind.exe → [Ver = | Size = 49152 bytes | Created Date = 6/25/2007 4:19:57 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
Avenger → %SystemDrive%\Avenger → [Folder | Modified Date = 6/25/2007 5:33:54 PM | Attr = ]
Config.Msi → %SystemDrive%\Config.Msi → [Folder | Modified Date = 5/29/2007 6:10:26 PM | Attr = HS]
hiberfil.sys → %SystemDrive%\hiberfil.sys → [Ver = | Size = 536465408 bytes | Modified Date = 6/26/2007 6:05:16 PM | Attr = HS]
Program Files → %ProgramFiles% → [Folder | Modified Date = 6/25/2007 5:55:40 PM | Attr = R ]
QooBox → %SystemDrive%\QooBox → [Folder | Modified Date = 6/25/2007 5:26:26 PM | Attr = ]
Temp → %SystemDrive%\Temp → [Folder | Modified Date = 6/25/2007 5:27:36 PM | Attr = ]
WINDOWS → %SystemRoot% → [Folder | Modified Date = 6/25/2007 5:36:32 PM | Attr = ]
_OTMoveIt → %SystemDrive%\_OTMoveIt → [Folder | Modified Date = 6/26/2007 10:43:18 AM | Attr = ]
bootstat.dat → %SystemRoot%\bootstat.dat → [Ver = | Size = 2048 bytes | Modified Date = 6/26/2007 6:05:18 PM | Attr = S]
catchme.exe → %SystemRoot%\catchme.exe → [Ver = | Size = 87552 bytes | Modified Date = 6/5/2007 5:24:04 AM | Attr = ]
Debug → %SystemRoot%\Debug → [Folder | Modified Date = 6/26/2007 6:05:52 PM | Attr = ]
Downloaded Program Files → %SystemRoot%\Downloaded Program Files → [Folder | Modified Date = 6/26/2007 10:38:00 AM | Attr = S]
erdnt → %SystemRoot%\erdnt → [Folder | Modified Date = 6/25/2007 5:28:56 PM | Attr = ]
Help → %SystemRoot%\Help → [Folder | Modified Date = 6/25/2007 5:11:32 PM | Attr = ]
inf → %SystemRoot%\inf → [Folder | Modified Date = 6/25/2007 5:11:16 PM | Attr = H ]
Installer → %SystemRoot%\Installer → [Folder | Modified Date = 5/28/2007 11:02:34 AM | Attr = HS]
Prefetch → %SystemRoot%\Prefetch → [Folder | Modified Date = 6/26/2007 10:27:22 AM | Attr = ]
SoftwareDistribution → %SystemRoot%\SoftwareDistribution → [Folder | Modified Date = 6/25/2007 5:11:44 PM | Attr = ]
system32 → %System32% → [Folder | Modified Date = 6/26/2007 10:43:30 AM | Attr = ]
Tasks → %SystemRoot%\Tasks → [Folder | Modified Date = 6/25/2007 5:28:22 PM | Attr = S]
Temp → %SystemRoot%\Temp → [Folder | Modified Date = 6/26/2007 6:06:44 PM | Attr = ]
uedit32.INI → %SystemRoot%\uedit32.INI → [Ver = | Size = 18426 bytes | Modified Date = 6/26/2007 10:51:58 AM | Attr = ]
SA.DAT → %SystemRoot%\tasks\SA.DAT → [Ver = | Size = 6 bytes | Modified Date = 6/26/2007 6:05:40 PM | Attr = H ]
CatRoot2 → %System32%\CatRoot2 → [Folder | Modified Date = 6/25/2007 5:12:02 PM | Attr = ]
config → %System32%\config → [Folder | Modified Date = 6/25/2007 5:30:56 PM | Attr = ]
dllcache → %System32%\dllcache → [Folder | Modified Date = 6/25/2007 5:09:44 PM | Attr = RHS]
drivers → %System32%\drivers → [Folder | Modified Date = 6/25/2007 5:39:08 PM | Attr = ]
fuptddyu.ini → %System32%\fuptddyu.ini → [Ver = | Size = 2429338 bytes | Modified Date = 6/9/2007 11:13:52 AM | Attr = HS]
mcrh.tmp → %System32%\mcrh.tmp → [Ver = | Size = 143 bytes | Modified Date = 6/15/2007 11:13:36 AM | Attr = ]
ojqlbetl.ini → %System32%\ojqlbetl.ini → [Ver = | Size = 3451673 bytes | Modified Date = 6/15/2007 10:59:28 AM | Attr = HS]
wpa.dbl → %System32%\wpa.dbl → [Ver = | Size = 13256 bytes | Modified Date = 6/25/2007 5:11:40 PM | Attr = ]
etc → %System32%\drivers\etc → [Folder | Modified Date = 6/25/2007 5:35:46 PM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , → %System32%\aswBoot.exe → ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 11:46:10 AM | Attr = ]
PEC2 , → %System32%\dfrg.msc → [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
Thawte Consulting , → %System32%\rmoc3260.dll → RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 3/13/2007 5:53:48 PM | Attr = ]
winsync , → %System32%\wbdbase.deu → [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]
WSUD , UPX0 , → %System32%\dllcache\hwxjpn.dll → [Ver = | Size = 13463552 bytes | Modified Date = 8/29/2002 8:00:00 AM | Attr = ]

< End of report >

Hi Eliza, looks a lot better now.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 30 days]
YY -> ojqlbetl.ini -> %System32%\ojqlbetl.ini
[Files/Folders - Modified Within 30 days]
NY -> fuptddyu.ini -> %System32%\fuptddyu.ini
NY -> ojqlbetl.ini -> %System32%\ojqlbetl.ini

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Now the best part of the day ----- Your log now appears clean :thumbsup:

Double click OTMoveIt once again and you should see a CleanUp! button. Press that button; you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialogue box with TABS
  5. Select the More Options Tab.
  6. At the bottom will be a system restore box with a CLEANUP button; click this
  7. Accept the warning and select OK again; the program will close and you are done.
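As an added illustration (not part of the thread and not WinPFind3U's own code), a small Python parser for report lines in the format shown above that flags the pattern the fix targets: files sitting directly in %System32% under 8-letter random-looking names with both Hidden and System attributes. The sample lines are constructed from the report posted earlier, and the name heuristic is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# One file/folder line of a WinPFind3U report, for example
#   name → %System32%\name → [Ver = | Size = N bytes | Modified Date = ... | Attr = HS]
LINE_RE = re.compile(r"^(?P<name>[^→]+?)\s*→\s*(?P<path>[^→]+?)\s*→\s*\[(?P<fields>.*)\]\s*$")

@dataclass
class Entry:
    name: str
    path: str
    is_folder: bool
    size: Optional[int]
    attr: str  # attribute letters with spaces removed, e.g. "HS"

def parse_entry(line: str) -> Optional[Entry]:
    # Returns None for section headers, blank lines and anything else unparseable.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group("fields").split("|")]
    size, attr = None, ""
    for f in fields:
        if f.startswith("Size ="):
            size = int(re.search(r"\d+", f).group())
        elif f.startswith("Attr ="):
            attr = f.split("=", 1)[1].replace(" ", "")
    return Entry(m.group("name").strip(), m.group("path").strip(), fields[0] == "Folder", size, attr)

# Heuristic assumed by this example (not a rule WinPFind3U applies): a file directly in
# %System32% with an 8-letter random-looking name and both Hidden and System attributes.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(ini|dll|exe|dat)$")

def is_suspicious(e: Entry) -> bool:
    directly_in_system32 = e.path.lower() == "%system32%\\" + e.name.lower()
    return (not e.is_folder and directly_in_system32
            and "H" in e.attr and "S" in e.attr
            and RANDOM_NAME.match(e.name.lower()) is not None)

def flag_suspicious(report: str) -> List[str]:
    # Paths of every entry in the report that matches the heuristic, in report order.
    return [e.path for e in map(parse_entry, report.splitlines()) if e and is_suspicious(e)]

# Sample lines constructed from the report posted in the thread.
SAMPLE_REPORT = r"""
dllcache → %System32%\dllcache → [Folder | Modified Date = 6/25/2007 5:09:44 PM | Attr = RHS]
fuptddyu.ini → %System32%\fuptddyu.ini → [Ver = | Size = 2429338 bytes | Modified Date = 6/9/2007 11:13:52 AM | Attr = HS]
mcrh.tmp → %System32%\mcrh.tmp → [Ver = | Size = 143 bytes | Modified Date = 6/15/2007 11:13:36 AM | Attr = ]
ojqlbetl.ini → %System32%\ojqlbetl.ini → [Ver = | Size = 3451673 bytes | Modified Date = 6/15/2007 10:59:28 AM | Attr = HS]
"""
```

Running `flag_suspicious(SAMPLE_REPORT)` returns exactly the two paths the fix above moves, while the folder and the plain temp file are left alone.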

This is my WinPFind3U log, hopefully everything is gone!

[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\ojqlbetl.ini moved successfully.
[Files/Folders - Modified Within 30 days]
C:\WINDOWS\SYSTEM32\fuptddyu.ini moved successfully.
File C:\WINDOWS\SYSTEM32\ojqlbetl.ini not found!
< End of log >
Created on 06/27/2007 17:43:50

Hey, thank you for all of your help, but I do have this one little concern. A few moments after I ran WinPFind3U, and clicked the Run Fix button, an avast warning pops up and detects a virus:
C:\Documents and Settings\Wendi\My Documents\downloads\spyware-remover.exe
It's a Win32: Trojan-gen. {UPX}
I think it's normal but still not entirely sure, and I put it in the virus chest. I just hope the virus is gone FOREVER. I dearly thank you for your help from the bottom of my heart, I wouldn't (SERIOUSLY WOULDN'T) have fixed my computer without everyone's help, especially from Essexboy. This is the only thing I have ever fixed (electronically) and I hope to learn more about computers in the future, and try to help others on this website with their problems. Please reply if my computer is fully healed; if not, please advise me on what to do. I hope the virus isn't a problem!!!
Thank you very much times a million!!!

The programme appears to be a legitimate setup programme for spyware remover. And it is not on the list of rogue malware. Just delete the file.

C:\Documents and Settings\Wendi\My Documents\downloads, and being in this folder means it is something you have downloaded but never installed at some stage.

I am going to delete the file, and after that to celebrate since my computer is working just fine. YAY!!! Thanks for your hard work, and help and support throughout the whole difficult ordeal. Now I will go on vacation perfectly calm with nothing to worry about!!! Big apple here I come!!! YAY and THANKS A LOT, I MEAN IT!!!

Have a drink for me my love

Just one more TINY little question, should I delete the things in the recycle bin or should I leave it there since it's not doing any harm. And water, soda or champagne!!! Ha Ha!

Actually a cheeky red wine would be nice, 8) you can empty the recycle bin as it is just taking up disc space… Have a nice trip

Ha Ha!!! Thanks, and I sure will get the red wine when I arrive at the Big Apple (room service)!!! And if I didn’t mention this before THANKS!!! a lot