Hey, thanks for all the help. My computer is running much better, and that Windows bubble saying my computer is infected has stopped popping up, which is a good start.
Here are all the logs.
Combofix:
Ciampa - 06-10-05 22:51:04.25 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Ciampa\Desktop"
((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Ciampa\Application Data\Dxcknwrd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Ciampa\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\kernels8.exe
C:\WINDOWS\system32\WinNB58.dll
C:\winstall.exe
C:\Program Files\Common Files\{1094D352-0640-4105-0727-040410270002}
((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))
2006-10-05 22:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-04 16:25 32,768 --a------ C:\WINDOWS\system32\six.exe
2006-09-29 13:02 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-09-29 13:02 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-09-28 11:30 830 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-09-28 11:29 1,233 --a------ C:\WINDOWS\system32\joc0e388.sys
2006-09-28 09:24 75,264 --a------ C:\WINDOWS\system32\nsu22.dll
2006-09-22 10:36 53,248 --a------ C:\WINDOWS\uni_7eh.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-05 22:53 -------- d-a------ C:\Program Files\Common Files
2006-10-05 22:43 -------- d-------- C:\Program Files\Grisoft
2006-10-05 22:13 -------- d-------- C:\Program Files\PC Tools AntiVirus
2006-10-04 23:24 -------- d-------- C:\Program Files\Spybot
2006-10-04 23:24 -------- d-------- C:\Program Files\QuickTime
2006-10-04 23:17 -------- d-------- C:\Program Files\iTunes
2006-10-04 23:17 -------- d-------- C:\Program Files\Internet Explorer
2006-10-04 23:17 -------- d-------- C:\Program Files\Hiiack This
2006-09-29 18:13 -------- d-------- C:\Program Files\Messenger
2006-09-29 18:12 -------- d-------- C:\Program Files\Windows Media Player
2006-09-29 18:02 -------- d-------- C:\Program Files\Outlook Express
2006-09-29 18:02 -------- d-------- C:\Program Files\Common Files\System
2006-09-29 09:42 -------- d-------- C:\Documents and Settings\Ciampa\Application Data\PC Tools
2006-09-06 15:43 -------- d-------- C:\Program Files\MSN Messenger
2006-09-03 23:37 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-08 21:31 98304 --a------ C:\WINDOWS\W2BNEUnin.exe
2006-08-08 21:31 2829 --a------ C:\WINDOWS\W2BNEUnin.pif
2006-07-28 17:43 45568 --a------ C:\WINDOWS\system32\{C3D075D8-54B0-44C7-82C1-AC630A3799AB}.exe
2006-07-28 17:43 424718 --a------ C:\WINDOWS\system32\{00422582-2E19-4239-9F87-44A72C22FD65}.exe
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"SHS"="\"C:\\Program Files\\Rogers\\SelfHealing\\SHS.exe\" /background"
"Update Manager"="\"C:\\Program Files\\Rogers\\Update Manager\\UpdateManager.exe\" /background"
"Winsvr"="C:\\DOCUME~1\\Ciampa\\LOCALS~1\\Temp\\stdrun165632.exe"
"PCTAVApp"="\"C:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe\" /MONITORSCAN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\\Program Files\\Creative\\SB Live! 24-bit\\Surround Mixer\\CTSysVol.exe /r"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"POINTER"="point32.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"sachost"="C:\\WINDOWS\\sachostx.exe"
"{4D-D3-35-52-ZN}"="C:\\windows\\system32\\oldsregn.exe ELT001"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,c4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,c4,03,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"IEFilter"="{690F6A1B-8C7D-4020-92B0-AFA351689F0B}"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Completion time: 05/10/2006 22:53:57.37
ComboFix.txt
SmitFraudFix:
SmitFraudFix v2.105
Scan done at 23:04:30.53, 05/10/2006
Run from C:\Documents and Settings\Ciampa\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\gimmygames.dat Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Ewido:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:05:35 AM 06/10/2006
+ Scan result:
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005054.exe -> Adware.Agent : No action taken.
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : No action taken.
HKLM\SOFTWARE\Classes\Interface\{06CA2DA3-3A44-4FC7-8FD9-246C0F53407C} -> Adware.CoolWebSearch : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004029.exe -> Adware.FindSpy : No action taken.
HKU\S-1-5-21-583907252-1715567821-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : No action taken.
C:\WINDOWS\em.ocx -> Adware.MediaMotor : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005040.dll -> Adware.Mirar : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005103.exe -> Adware.Msnagent : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP6\A0002966.dll -> Adware.TrafficSol : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP3\A0000898.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002995.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002996.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP2\A0000126.dll -> Downloader.Agent.awb : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP2\A0000127.dll -> Downloader.Agent.awb : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004046.exe -> Downloader.Agent.uj : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002990.exe -> Downloader.Small.dnk : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002992.exe -> Downloader.Tibs.dr : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004041.exe -> Downloader.Tibs.id : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005039.exe -> Downloader.Tibs.ij : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP3\A0000893.exe -> Dropper.Agent.mu : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002993.exe -> Hijacker.Spywad.o : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004040.exe -> Proxy.Small : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002994.exe -> Trojan.Sinowal.ay : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004045.dll -> Trojan.Sinowal.az : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004044.dll -> Trojan.Sinowal.ba : No action taken.
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004047.exe -> Trojan.Small.fb : No action taken.
C:\WINDOWS\uni_7eh.exe -> Trojan.VB.tg : No action taken.
::Report end
Kaspersky:
Friday, October 06, 2006 8:57:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/10/2006
Kaspersky Anti-Virus database records: 229359
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 48312
Number of viruses found 26
Number of infected objects 33 / 0
Number of suspicious objects 0
Duration of the scan process 00:44:54
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\Documents and Settings\Ciampa\Application Data\PC Tools\PC Tools AntiVirus\Application Logs\PCToolsAntivirus.txt Object is locked skipped
C:\Documents and Settings\Ciampa\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ciampa\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Temp\JET6608.tmp Object is locked skipped
C:\Documents and Settings\Ciampa\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ciampa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ciampa\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PC Tools AntiVirus\PCTAVService.txt Object is locked skipped
C:\Program Files\PC Tools AntiVirus\~ulo Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP2\A0000126.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP2\A0000127.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP3\A0000893.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP3\A0000898.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP6\A0002966.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002990.exe Infected: Trojan-Downloader.Win32.Small.dnk skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002992.exe Infected: Trojan-Downloader.Win32.Tibs.dr skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002993.exe Infected: Trojan-Clicker.Win32.Spywad.o skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002994.exe Infected: Trojan-PSW.Win32.Sinowal.ay skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002995.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0002996.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004029.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004039.dll Infected: Trojan-Spy.Win32.Small.ez skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004040.exe Infected: Trojan-Spy.Win32.Small.ez skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004041.exe Infected: Trojan-Downloader.Win32.Tibs.id skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004044.dll Infected: Trojan-PSW.Win32.Sinowal.ba skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004045.dll Infected: Trojan-PSW.Win32.Sinowal.az skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004046.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP7\A0004047.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005039.exe Infected: Trojan-Downloader.Win32.Tibs.ij skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005040.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005041.exe Infected: not-virus:Hoax.Win32.Renos.ff skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005054.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\System Volume Information\_restore{993CABA7-7E82-49F6-A485-6341BD6A8DDE}\RP8\A0005103.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\em.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\six.exe Infected: not-virus:Hoax.Win32.Renos.ff skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\uni_7eh.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\BearShare\Installer\BSInstall5.2.5.1.exe/WISE0026.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
F:\BearShare\Installer\BSInstall5.2.5.1.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
F:\BearShare\Installer\BSInstall5.2.5.1.exe WiseSFX: infected - 2 skipped
F:\BearShare\Installer\BSInstall5.2.5.1.exe WiseSFX Dropper: infected - 2 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
HiJack:
Logfile of HijackThis v1.99.1
Scan saved at 9:07:27 PM, on 06/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\ScanningProcess.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hiiack This\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsa10AB.dll
O2 - BHO: Banner Rotator - {E954DB82-1533-4714-92F2-59C98D5C18CC} - C:\WINDOWS\system32\brrotate.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/def...ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: IEFilter - {690F6A1B-8C7D-4020-92B0-AFA351689F0B} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - Unknown owner - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
Pretty long post... keep me posted, thanks!
Vin