Had virus and removed using Malwarebytes and now getting Bad Image errors

[velocity101]

Some how I had a fake security program on my computer called Security Tool. I researched the internet and found Malwarebytes Anti-Malware. I followed these steps:

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Full Scan, then click Scan.

* The scan may take some time to finish, so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Select

After the computer restarted I started getting a ton of bad image errors when starting up. I found this post http://www.malwarebytes.org/forums/index.php?showtopic=5029 which then sent me to the post http://www.malwarebytes.org/forums/index.php?showtopic=2936

So I've ran HijackThis and here's my log files

Malwarebytes' Anti-Malware 1.41

Database version: 3149

Windows 5.1.2600 Service Pack 2

11/11/2009 3:32:04 PM

mbam-log-2009-11-11 (15-32-04).txt

Scan type: Quick Scan

Objects scanned: 113739

Time elapsed: 24 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 4

Registry Keys Infected: 16

Registry Values Infected: 12

Registry Data Items Infected: 13

Folders Infected: 0

Files Infected: 51

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\fiyulake.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\pihimage.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\__c005DB68.dat (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\loguteyu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b030e3be-d705-40fe-9027-7e35ecde757a} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c005db68 (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a45a4b15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c002faaa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0071410 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0082b10 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00f9f10 (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{edd19874-43bc-4caf-a8be-76a5397f0830} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fewipipeh (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b030e3be-d705-40fe-9027-7e35ecde757a} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\felusesah (Trojan.Vundo.H) -> Delete on reboot.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fewipipeh (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f3fb0a0.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85144931 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yjafosi8kdf98winmdkmnkmfnwe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\npjadhbe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\npjadhbe (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backup windows 2009 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fiyulake.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fiyulake.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7b04a996-2bc1-4ee4-99f8-2f49f13d7c83}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d89b434b-f32a-4517-9356-4aa079b51498}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7b04a996-2bc1-4ee4-99f8-2f49f13d7c83}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{d89b434b-f32a-4517-9356-4aa079b51498}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{7b04a996-2bc1-4ee4-99f8-2f49f13d7c83}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{d89b434b-f32a-4517-9356-4aa079b51498}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\fiyulake.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pihimage.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\__c005DB68.dat (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\loguteyu.dll (Trojan.Vundo) -> Delete on reboot.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\_A00F3FB0A0.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\our66bsh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\nvsvc32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\prqef14.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Desktop\temp.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\luobk.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\oqbkddrr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dedovewu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\futajido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\jesuvaya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kavinepe.exe (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\muyotohe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\padinobo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\simipari.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wiwirira.dll (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lavufanu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wukohiwe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yokagumo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yudufiyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c003B084.exe (Trojan.Buzus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00A28F6.exe (Trojan.Buzus) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00E8F5C.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\mg3j5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\win.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\win16.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\winamp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\lsass.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00FC87E.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vuwupajo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\xwreg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Randy Brown\Local Settings\Application Data\redxdb\ioswsysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:59:22 PM, on 11/11/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\mqsvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Trend Micro\Antivirus\pccguide.exe

C:\Program Files\Trend Micro\Antivirus\PCClient.exe

C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\NETGEAR\WPN111\wpn111.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Spyware Doctor\pctsGui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Fast Browser Search\IE\tbhelper.dll

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com

O1 - Hosts: 91.212.127.226 winwarepro.com

O1 - Hosts: 91.212.127.226 www.winwarepro.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Fast Browser Search - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll

O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /nodetect

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe"

O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe

O4 - HKLM\..\Run: [\\office\EPSON Stylus CX6400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P28 "\\office\EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"

O4 - HKLM\..\Run: [Auto EPSON Stylus CX6400 on office] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" /P34 "Auto EPSON Stylus CX6400 on office" /O14 "\\OFFICE\epson" /M "Stylus CX6400"

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\y6BdRmwdh.exe" /runcleanupscript

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\Run: [fewipipeh] "Rundll32.exe" "c:\windows\system32\fiyulake.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"

O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"

O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - Global Startup: Logitech SetPoint.lnk = ?

O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Filter hijack: text/html - {edd19874-43bc-4caf-a8be-76a5397f0830} - (no file)

O20 - AppInit_DLLs: pihimage.dll

O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 12754 bytes

Please help. Thank you.

[miekiemoes]

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: ToolbarURLSearchHook Class - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Fast Browser Search\IE\tbhelper.dll

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.127.226 winwarepro.microsoft.com

O1 - Hosts: 91.212.127.226 winwarepro.com

O1 - Hosts: 91.212.127.226 www.winwarepro.com

O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll

O3 - Toolbar: Fast Browser Search - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll

O4 - HKLM\..\Run: [fewipipeh] "Rundll32.exe" "c:\windows\system32\fiyulake.dll",a

O18 - Filter hijack: text/html - {edd19874-43bc-4caf-a8be-76a5397f0830} - (no file)

O20 - AppInit_DLLs: pihimage.dll

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Let me know in your next reply how things are now.

[velocity101]

That worked!! Thank you!

[miekiemoes]

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.