07-12-2005, 12:13 PM   #3
bigjohn
Registered User
Join Date: Sep 2004
Posts: 11
OS: XP Professional


Ok... I've done that...

Done... Still slow on startup, still getting a pop-up here and there, and also getting these messages on startup:


The application or DLL C:\WINDOWS\javato.dll is not a valid Windows image.

The application or DLL C:\WINDOWS\system32\crrn.dll is not a valid Windows image.

Updated HJT Log:


Logfile of HijackThis v1.98.2
Scan saved at 2:05:35 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crbk32.exe
C:\WINDOWS\system32\crff32.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\dpmw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\auapd.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {003156AA-B2AD-54C8-CF6D-1C992B937149} - C:\WINDOWS\system32\apidt.dll
O2 - BHO: Class - {146A4A8B-66F9-80FA-6E14-51A6991BAC7D} - C:\WINDOWS\system32\apibs32.dll
O2 - BHO: Class - {4ABB5929-6D33-1BD3-5889-307B70AC94D2} - C:\WINDOWS\system32\crxz.dll
O2 - BHO: Class - {5CE5B985-51B1-3958-E5DB-92DD9091CFBB} - C:\WINDOWS\javavq.dll
O2 - BHO: Class - {63C3B90C-CAE8-913A-DBA5-AC8E0D0896D0} - C:\WINDOWS\system32\crbk32.dll
O2 - BHO: Class - {6827E44A-FCD1-5704-0FF9-EE64FBCBD77F} - C:\WINDOWS\system32\wingm32.dll
O2 - BHO: Class - {7D52FC72-76A8-77EF-270D-8A1A8EA30F96} - C:\WINDOWS\system32\winsx32.dll
O2 - BHO: Class - {91D042E7-25DF-B6F2-5C0C-B0963EF3EA01} - C:\WINDOWS\winqv32.dll
O2 - BHO: Class - {A4913EBE-69AB-7C2E-EA16-13F6C5E79E14} - C:\WINDOWS\system32\ipvh32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {C1A7352F-7207-2C2F-6A41-8C46196F8284} - C:\WINDOWS\system32\winug32.dll
O2 - BHO: Class - {C2EFCA32-D3CF-3801-B32F-6A7589AA0A8A} - C:\WINDOWS\netfd.dll
O2 - BHO: Class - {FEF289B2-6015-9A71-D02D-8394ED825678} - C:\WINDOWS\system32\javany.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [iesn.exe] C:\WINDOWS\system32\iesn.exe
O4 - HKLM\..\Run: [crbk32.exe] C:\WINDOWS\system32\crbk32.exe
O4 - HKLM\..\RunOnce: [apiua.exe] C:\WINDOWS\apiua.exe
O4 - HKLM\..\RunOnce: [crnf.exe] C:\WINDOWS\crnf.exe
O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\system32\appxr32.exe
O4 - HKLM\..\RunOnce: [mfcpj32.exe] C:\WINDOWS\system32\mfcpj32.exe
O4 - HKLM\..\RunOnce: [mfcsy32.exe] C:\WINDOWS\mfcsy32.exe
O4 - HKLM\..\RunOnce: [javaad32.exe] C:\WINDOWS\system32\javaad32.exe
O4 - HKLM\..\RunOnce: [iexj.exe] C:\WINDOWS\system32\iexj.exe
O4 - HKLM\..\RunOnce: [ipfp.exe] C:\WINDOWS\system32\ipfp.exe
O4 - HKLM\..\RunOnce: [addvf.exe] C:\WINDOWS\system32\addvf.exe
O4 - HKLM\..\RunOnce: [appkj32.exe] C:\WINDOWS\appkj32.exe
O4 - HKLM\..\RunOnce: [addyu.exe] C:\WINDOWS\system32\addyu.exe
O4 - HKLM\..\RunOnce: [netkc32.exe] C:\WINDOWS\netkc32.exe
O4 - HKLM\..\RunOnce: [crcy.exe] C:\WINDOWS\system32\crcy.exe
O4 - HKLM\..\RunOnce: [sysxo.exe] C:\WINDOWS\sysxo.exe
O4 - HKLM\..\RunOnce: [msvh32.exe] C:\WINDOWS\msvh32.exe
O4 - HKLM\..\RunOnce: [addua.exe] C:\WINDOWS\addua.exe
O4 - HKLM\..\RunOnce: [addyp.exe] C:\WINDOWS\addyp.exe
O4 - HKLM\..\RunOnce: [crzj32.exe] C:\WINDOWS\crzj32.exe
O4 - HKLM\..\RunOnce: [msul32.exe] C:\WINDOWS\msul32.exe
O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\crnn.exe
O4 - HKLM\..\RunOnce: [winsx.exe] C:\WINDOWS\winsx.exe
O4 - HKLM\..\RunOnce: [crff32.exe] C:\WINDOWS\system32\crff32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - https://esis.ncwise.org/jinitiator/jinit.exe
O16 - DPF: {D27FFC5F-D7B9-4349-9F41-F7458B585374} (SoloTriv Control) - http://mirror.worldwinner.com/games/...v/solotriv.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab


********
And here are the results from Panda's online scan:


Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\180solutions
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Only sex website.url
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe???.???
Adware:Adware/Midaddle No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\appaz32.exe
Adware:Adware/CWS.HomeSearchAsisstant No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[a.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-228d5c98-4ce0ce54.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6fd1d987-4758c273.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\jthomps\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-6a0ae450.zip[Beyond.class]
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\jthomps\Favorites\Seven days of free porn.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\jthomps\Favorites\Sites about\What is hydrocodone.url
Adware:Adware/nCase No disinfected C:\WINDOWS\180loader.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\addvn32.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\appaz32.exe
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Virus:Trj/Downloader.DKJ Disinfected C:\WINDOWS\sdkqu32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\system32\netgk32.exe

****

Thanks so much for the help... what next?