Another Downloader Agent 9 BF

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

First quick observation, you have both McAfee and AVG installed. You must only have one AV package installed. So decide which one you want and uninstall the other. Do that now while I look at your HJT log.

Also what is your expected home page?

Also look in Add/Remove programs for an uninstall to
Preview AdService

or AdService

Uninstall if found.

 

OK! Do you know what this is:
C:\WINDOWS\System32\Sktempdm.exe

If not, can you right click on it and Select Properties and Version tab. Find out who owns it.

 

Do you know anything about them or this program? Do you have a wireless keyboard? Is that what this is for?

 

Okay let's ignore the Sktempdm.exe file for the time being!

You don't seem to show all the typical symptoms of the hijacker so let's try and easier method to fix and see what happens.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zjupd.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zjupd.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zjupd.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F1A6A9B5-3C41-5DA5-986D-F3935E072EF1} - C:\WINDOWS\winbf32.dll (file missing)
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\zjupd.dll
C:\WINDOWS\System32\gah95on6.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.google.ca. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.google.ca. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Looks good thus far. After a few reboots and some opening and closing of browsers you should know it it is gone or not.

You should complete the steps in the below thread to help avoid future problems:
How to Protect yourself from malware!