Project 1 Virus/Trojan

[PurelyCanadian]

Alright, well I've read about this virus/trojan elsewhere after getting it, and I figured that to best rid myself of it would be to add a thread on one of these websites.

Got this through MSN, you know - known contact sends you a picture link, click it, it downloads something, then it opens up every contact you have and sends them the link as well. Then it infects the computer... so now I'm stuck with it. It slows down the PC considerably, and there are random pop-ups, the volume on my PC (in the Volume Control) is randomly changed to 0, my internet is randomly disconnected and options are changed in MSN. I am running on a dial-up connection if that helps.

I have ran a virus scan with AVG Free already. The reason I used that is because about two months ago our hard-drive crashed and I haven't been able to re-install Norton (what do you recommend?).

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:21 PM, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Mathew\Yinstall.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\{D038973E-0540-1033-0120-030406050002}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mathew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Mathew\Yinstall.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ms04597634-801] C:\WINDOWS\ms04597634-801.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e21.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e21.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e21.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150911382798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150914430032
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\aPaamon.dll
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\ciprops.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\ciprops.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\ciprops.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

[PurelyCanadian]

Sorry, I read something about when posting a log, disable word wrap. I did that in Notepad when I copied it, but I'm not sure how to do so here.

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download AVG Anti-Spyware

• Install AVG Anti-Spyware
• Double-click the icon on Desktop to launch AVG Anti-Spyware

You will need to update AVG Anti-Spyware to the latest definition files.

• On the top of the main screen click Shield
• Click the word active to change it to inactive
• On the top of the main screen click Update.
• Then click on Start Update. The update will start and a progress bar will show the updates being installed.

• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

We will use this later.

---------------------------------------------------------------------------------------------

1. Download combofix from one of these locations:
   • http://www.techsupportforum.com/sectools/combofix.exe
   • http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Next...

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

RXToolBar
TheSearchAccelerator

Please let me know of any other programs you don't recognize or do not recall installing.

Also, be sure you did not choose the sponsor program when installing MessengerPlus!3

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [ms04597634-801] C:\WINDOWS\ms04597634-801.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/activ...33352D2D2D.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll


Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Documents and Settings\Mathew\Yinstall.exe
C:\Program Files\RXToolBar
C:\Program Files\TheSearchAccelerator

---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program.. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Beside the scriptline to execute field click the folder icon and select alcanshorty.bfu by double clicking on it.
• Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

Reboot into normal windows.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------


Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Run ComboFix once again.

---------------------------------------------------------------------------------------------

Please return with results from:

AVG AntiSpyware
Panda
HJT (taken just before posting)
C:\ComboFix.txt
C:\ComboFix2.txt

[tetonbob]

Also, in answer to your questions....your log is fine, so wordwrap must be off in Notepad. Thanks for thinking of it.

AVG is a fine free AntiVirus solution.

Others include Avira, AOL's ActiveVirusShield (powered by Kaspersky) and Avast.

[PurelyCanadian]

AVG Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:51:33 AM 04/10/2006

+ Scan result:



C:\Program Files\INSTAFINK -> Adware.404Search : No action taken.
C:\Program Files\INSTAFINK\instafink.dll -> Adware.404Search : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016550.exe -> Adware.Agent : No action taken.
C:\Documents and Settings\Mathew\Desktop\Installs\kazaa_setup.exe -> Adware.Altnet : No action taken.
C:\WINDOWS\Temp\Altnet -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : No action taken.
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP115\A0016489.DLL -> Adware.IESearch : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP115\A0016519.dll -> Adware.IESearch : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK -> Adware.InstaFinder : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports -> Adware.InstaFinder : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892 -> Adware.InstaFinder : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892\Objects -> Adware.InstaFinder : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892\Objects\5 -> Adware.InstaFinder : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0017562.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017596.exe -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017604.exe -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017645.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017669.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017682.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017692.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017695.DLL -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017696.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017702.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017703.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017704.dll -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017705.dll -> Adware.Look2Me : No action taken.
C:\QooBox\Purity\WINDOWS\ECURIT~1\wυaclt.exe -> Adware.PurityScan : No action taken.
C:\WINDOWS\system32\zelyoer.dll -> Adware.PurityScan : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : No action taken.
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016559.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0017569.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/IUCMORE.DLL -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/UCMTSAIE.DLL -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/empty_00000001 -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017629.dll -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017632.dll -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Mathew\Desktop\backups\backup-20061003-233820-216.dll -> Dialer.VB.j : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP113\A0016410.exe -> Downloader.Adload.fu : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017592.exe -> Downloader.Adload.fu : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017603.exe -> Downloader.Adload.fu : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017610.exe -> Downloader.Adload.fu : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017593.exe -> Downloader.Dyfuca.fb : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017597.exe -> Downloader.Dyfuca.fb : No action taken.
C:\QooBox\Purity\WINDOWS\FNTS~1\ati2evxx.exe -> Downloader.PurityScan.dr : No action taken.
C:\Documents and Settings\Diane\Local Settings\Temp\installer.exe -> Dropper.PurityScan.q : No action taken.
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016553.exe -> Hijacker.Small : No action taken.
C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@247realmedia[2].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@ehg-highlights.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@need2find[1].txt -> TrackingCookie.Need2find : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@stat.onestat[2].txt -> TrackingCookie.Onestat : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Diane\Cookies\diane@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\WINDOWS\uninst108.exe -> Trojan.VB.tg : No action taken.


::Report end


Panda Report:


Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Adware:adware/instafinder Not disinfected c:\program files\INSTAFINK
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Adware:adware/rxtoolbar Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\classes\appid\adm.EXE
Adware:adware/ucmore Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:Adware/DigInk Not disinfected C:\bintheredunthat\ms04597634-801.exe
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Diane\Cookies\diane@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Diane\Cookies\diane@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Diane\Cookies\diane@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Diane\Cookies\diane@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Diane\Cookies\diane@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Diane\Cookies\diane@atdmt[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Diane\Cookies\diane@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Diane\Cookies\diane@casalemedia[2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Diane\Cookies\diane@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Diane\Cookies\diane@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Diane\Cookies\diane@ehg-dig.hitbox[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Diane\Cookies\diane@fastclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Diane\Cookies\diane@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Diane\Cookies\diane@hitbox[1].txt
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\Diane\Cookies\diane@mbop[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Diane\Cookies\diane@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Diane\Cookies\diane@microsofteup.112.2o7[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Diane\Cookies\diane@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Diane\Cookies\diane@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Diane\Cookies\diane@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Diane\Cookies\diane@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Diane\Cookies\diane@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Diane\Cookies\diane@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Diane\Cookies\diane@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Diane\Cookies\diane@zedo[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mathew\Cookies\mathew@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Mathew\Cookies\mathew@qksrv[2].txt
Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\Mathew\Desktop\backups\backup-20061003-233820-216.dll
Dialer:Dialer.GQK Not disinfected C:\Documents and Settings\Mathew\Desktop\backups\backup-20061003-233820-216.inf
Adware:Adware/InstaFinder Not disinfected C:\Program Files\INSTAFINK\instafink.dll
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\ECURIT~1\w?aclt.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Downloaded Program Files\speedtest2.dll
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvxifpiem.exe[Gck26.exe]
Adware:Adware/DigInk Not disinfected C:\WINDOWS\srvxifpiem.exe[TagASaurus.exe]
HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 5:17:21 PM, on 04/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mathew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Iltu] "C:\WINDOWS\FNTS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Vmi] C:\WINDOWS\?ecurity\w?aclt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150911382798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150914430032
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{88774762-5113-4F52-83D2-CB76B567F64C}: NameServer = 206.47.244.59 206.47.244.87
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Combo Fix Report (One):

Mathew - 06-10-03 23:14:59.95 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Mathew\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{963E886D-CBFF-4942-B647-38C18380AB3C}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{963E886D-CBFF-4942-B647-38C18380AB3C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{963E886D-CBFF-4942-B647-38C18380AB3C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{963E886D-CBFF-4942-B647-38C18380AB3C}\InprocServer32]
@="C:\\WINDOWS\\system32\\aPaamon.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{2F3D2E51-035F-460F-A2FC-DE8234037C8B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F3D2E51-035F-460F-A2FC-DE8234037C8B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F3D2E51-035F-460F-A2FC-DE8234037C8B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F3D2E51-035F-460F-A2FC-DE8234037C8B}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\aPaamon.dll
C:\WINDOWS\system32\ciprops.dll
C:\WINDOWS\system32\cqsetacl.dll
C:\WINDOWS\system32\ISKED.DLL
C:\WINDOWS\system32\ivxpromn.dll
C:\WINDOWS\system32\rfhx32.dll
C:\WINDOWS\system32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\Mathew\Application Data\Dxcknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\Duce6.exe
C:\WINDOWS\teller2.chk
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\RASZ0WK6\dfndrff_e_uit[1].exe
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\QJAN21AR\drsmartload[1].exe
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\UQ7YKIUQ\drsmartload45a[1].exe
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\UQ7YKIUQ\deskbar_e[1].exe
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\HG4JTT8D\kybrdff_e[1].exe
C:\Documents and Settings\Mathew\Local Settings\Temporary Internet Files\Content.IE5\68MPZTCC\nwnmff_e[1].exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\misc002
C:\Program Files\Deskbar
C:\Program Files\Inetget2
C:\Program Files\TheSearchAccelerator
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{D038973E-0540-1033-0120-030406050002}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\w?aclt.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\ati2evxx.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\F?nts


((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-03 22:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-03 18:36 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-10-03 18:35 131,072 --a------ C:\WINDOWS\system32\zelyoer.dll
2006-10-03 04:25 44,032 --a------ C:\WINDOWS\ms04597634-8012006.exe
2006-10-03 04:25 217,276 --a------ C:\WINDOWS\srvxifpiem.exe
2006-09-25 22:19 40,576 --------- C:\WINDOWS\system32\drivers\sdcplh.sys
2006-09-15 17:21 53,248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53,248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-15 16:56 163,840 --a------ C:\WINDOWS\ms04597634-801.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 23:24 -------- d-------- C:\Program Files\Common Files
2006-10-03 22:57 -------- d-------- C:\Program Files\Grisoft
2006-10-03 20:31 -------- d-------- C:\Program Files\Call of Duty Game of the Year Edition
2006-10-03 20:31 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Xfire
2006-10-01 00:20 -------- d-------- C:\Program Files\MessengerPlus! 3
2006-09-30 23:39 -------- d-------- C:\Program Files\MSN Messenger
2006-09-29 23:54 -------- d---s---- C:\Program Files\Xfire
2006-09-29 10:12 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-28 21:49 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Adobe
2006-09-28 21:05 -------- d-------- C:\Program Files\Starcraft
2006-09-25 22:27 -------- d-------- C:\Program Files\Google
2006-09-22 17:53 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-22 17:53 -------- d-------- C:\Program Files\Adobe
2006-09-18 14:35 -------- d-------- C:\Program Files\PokerStars
2006-09-11 18:32 -------- d---s---- C:\Documents and Settings\Mathew\Application Data\Microsoft
2006-08-22 21:32 967 --a------ C:\WINDOWS\ScUnin.pif
2006-08-22 21:32 94208 --a------ C:\WINDOWS\ScUnin.exe
2006-08-22 17:02 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Macromedia
2006-08-22 14:26 -------- d-------- C:\Program Files\LimeWire
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-12 19:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-11 10:12 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"
"Iltu"="\"C:\\WINDOWS\\FNTS~1\\ati2evxx.exe\" -vt yazb"
"Vmi"="C:\\WINDOWS\\?ecurity\\w?aclt.exe"
"cprocsvc"="C:\\WINDOWS\\system32\\crunner\\cproc.exe"
"msnmsgr"="\"C:\\PROGRA~1\\MSNMES~1\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"ms04597634-801"="C:\\WINDOWS\\ms04597634-801.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 03/10/2006 23:25:16.51
ComboFix.txt


Combo Fix Report (Two):

Mathew - 06-10-04 17:11:40.84 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Mathew\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\w?aclt_exe.vir
C:\QooBox\Purity\WINDOWS\FNTS~1\ati2evxx.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\F?nts


((((((((((((((((((((((((((((((( Files Created from 2006-09-04 to 2006-10-04 ))))))))))))))))))))))))))))))))))


2006-10-03 22:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-03 18:36 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-10-03 18:35 131,072 --a------ C:\WINDOWS\system32\zelyoer.dll
2006-10-03 04:25 44,032 --a------ C:\WINDOWS\ms04597634-8012006.exe
2006-10-03 04:25 217,276 --a------ C:\WINDOWS\srvxifpiem.exe
2006-09-25 22:19 40,576 --------- C:\WINDOWS\system32\drivers\sdcplh.sys
2006-09-15 17:21 53,248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 17:16 53,248 --a------ C:\WINDOWS\uni_e6h.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-04 16:36 -------- d-------- C:\Program Files\MSN Messenger
2006-10-04 16:33 -------- d-------- C:\Program Files\MessengerPlus! 3
2006-10-04 16:33 -------- d-------- C:\Program Files\Messenger
2006-10-04 16:31 -------- d-------- C:\Program Files\iTunes
2006-10-04 16:30 -------- d-------- C:\Program Files\Internet Explorer
2006-10-03 23:24 -------- d-------- C:\Program Files\Common Files
2006-10-03 22:57 -------- d-------- C:\Program Files\Grisoft
2006-10-03 20:31 -------- d-------- C:\Program Files\Call of Duty Game of the Year Edition
2006-10-03 20:31 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Xfire
2006-09-29 23:54 -------- d---s---- C:\Program Files\Xfire
2006-09-29 10:12 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-28 21:49 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Adobe
2006-09-28 21:05 -------- d-------- C:\Program Files\Starcraft
2006-09-25 22:27 -------- d-------- C:\Program Files\Google
2006-09-22 17:53 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-22 17:53 -------- d-------- C:\Program Files\Adobe
2006-09-18 14:35 -------- d-------- C:\Program Files\PokerStars
2006-09-11 18:32 -------- d---s---- C:\Documents and Settings\Mathew\Application Data\Microsoft
2006-08-22 21:32 967 --a------ C:\WINDOWS\ScUnin.pif
2006-08-22 21:32 94208 --a------ C:\WINDOWS\ScUnin.exe
2006-08-22 17:02 -------- d-------- C:\Documents and Settings\Mathew\Application Data\Macromedia
2006-08-22 14:26 -------- d-------- C:\Program Files\LimeWire
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-11 10:12 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"
"Iltu"="\"C:\\WINDOWS\\FNTS~1\\ati2evxx.exe\" -vt yazb"
"Vmi"="C:\\WINDOWS\\?ecurity\\w?aclt.exe"
"msnmsgr"="\"C:\\PROGRA~1\\MSNMES~1\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2F1.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,38,01,00,00,00,00,00,00,c8,02,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 04/10/2006 17:12:37.07
ComboFix.txt
ComboFix2.txt

[tetonbob]

It appears that you may have misunderstood the instructions on my last post, as the logs you've posted indicate the following:

AVG Anti Spyware settings were not set to allow it to Quarantine what it found.

Let's try it again so we can get your system clean.

You will need to update AVG Anti-Spyware to the latest definition files.

• On the top of the main screen click Shield
• Click the word active to change it to inactive
• On the top of the main screen click Update.
• Then click on Start Update. The update will start and a progress bar will show the updates being installed.

• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [Iltu] "C:\WINDOWS\FNTS~1\ati2evxx.exe" -vt yazb
O4 - HKCU\..\Run: [Vmi] C:\WINDOWS\?ecurity\w?aclt.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

Close HijackThis now.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:

REGEDIT4

[-hkey_local_machine\software\classes\appid\adm.EXE]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Need2Find
Tagasaurus
Instafind

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Delete these if present:


C:\bintheredunthat
c:\program files\INSTAFINK
c:\program files\Need2Find
C:\WINDOWS\ms04597634-8012006.exe
C:\WINDOWS\srvxifpiem.exe
C:\WINDOWS\uninst108.exe
C:\WINDOWS\uni_e6h.exe
c:\windows\smdat32a.sys
C:\WINDOWS\system32\wnsapiit.exe
C:\WINDOWS\system32\zelyoer.dll
C:\WINDOWS\Downloaded Program Files\speedtest2.dll

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Post the new AVG AntiSpyware log, and a new HJT log please. Also let me know how your system is behaving.

[PurelyCanadian]

Hmm.. I believe what I forgot to do was click "Apply All Actions".. well I did that this time and I'll post the log (and HJT log).

The computer seems to be running faster, and I haven't gotten any pop-ups either. The logs:

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:14:33 AM 06/10/2006

+ Scan result:



C:\RECYCLER\S-1-5-21-1292428093-1677128483-1957994488-1004\Dc2\instafink.dll -> Adware.404Search : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016550.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\Mathew\Desktop\Installs\kazaa_setup.exe -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP115\A0016489.DLL -> Adware.IESearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP115\A0016519.dll -> Adware.IESearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK -> Adware.InstaFinder : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports -> Adware.InstaFinder : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892 -> Adware.InstaFinder : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892\Objects -> Adware.InstaFinder : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\INSTAFINK\Reports\38892\Objects\5 -> Adware.InstaFinder : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0017562.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017596.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017604.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017645.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017669.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017682.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017692.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017695.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017696.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017702.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017703.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017704.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017705.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\ECURIT~1\wυaclt_exe.vir -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1292428093-1677128483-1957994488-1004\Dc11.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP113\A0016411.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017611.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017612.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017768.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1292428093-1677128483-1957994488-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016559.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0017569.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017607.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017629.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017632.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Mathew\Desktop\backups\backup-20061003-233820-216.dll -> Dialer.VB.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP113\A0016410.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017592.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017603.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017610.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\313133352D2D2D.exe -> Downloader.Adload.ga : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017605.exe -> Downloader.Adload.gb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017593.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017597.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\QooBox\Purity\WINDOWS\FNTS~1\ati2evxx.exe -> Downloader.PurityScan.dr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016553.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017600.exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\Mathew\Desktop\backups\backup-20061005-230909-189.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Diane\Cookies\diane@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@ehg-highlights.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@need2find[1].txt -> TrackingCookie.Need2find : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Diane\Cookies\diane@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-1292428093-1677128483-1957994488-1004\Dc7.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:18:33 AM, on 06/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mathew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150911382798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150914430032
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88774762-5113-4F52-83D2-CB76B567F64C}: NameServer = 206.47.244.43 206.47.244.79
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

[tetonbob]

Much better, good work. Let's have you do one more online scan to seek out remnants, and for a second opinion, as it were. First, we need to take care of something.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

---------------------------

Now, the online scan....

Go here and do the BitDefender online virus scan.

• Click "I Agree" to agree to the EULA.
• Allow the ActiveX control to install when prompted.
• Leave the scanning options at default and press "Click here to scan" to begin the scan.
• Please refrain from using the computer until the scan is finished.
• When the scan is finished, click on "Click here to export the scan results"
• Save the report to your desktop then come back here and post it in your next reply along with a new Hijack This log

[PurelyCanadian]

BitDefender:

BitDefender Online Scanner



Scan report generated at: Sun, Oct 08, 2006 - 03:25:56





Scan path: A:\;C:\;D:\;E:\;F:\;H:\;







Statistics

Time
01:45:55

Files
587982

Folders
3581

Boot Sectors
4

Archives
4926

Packed Files
68996




Results

Identified Viruses
4

Infected Files
6

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
6




Engines Info

Virus Definitions
474403

Engine build
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)

Scan plugins
13

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\$VAULT$.AVG\60314097.FIL
Infected with: Trojan.Downloader.Small.BCB

C:\$VAULT$.AVG\60314097.FIL
Disinfection failed

C:\$VAULT$.AVG\60314097.FIL
Deleted

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016560.exe
Infected with: Trojan.Clicker.VB.FN

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016560.exe
Disinfection failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP116\A0016560.exe
Deleted

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017606.exe
Infected with: Trojan.Downloader.Adload.EE

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017606.exe
Disinfection failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP117\A0017606.exe
Deleted

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP118\A0017833.dll
Infected with: VirTool.Downloader.InsTool.A

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP118\A0017833.dll
Disinfection failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP118\A0017833.dll
Deleted

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017903.exe=>(NSIS o)=>lzma_nsis0001
Infected with: Trojan.Clicker.VB.FN

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017903.exe=>(NSIS o)=>lzma_nsis0001
Disinfection failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017903.exe=>(NSIS o)=>lzma_nsis0001
Deleted

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017903.exe=>(NSIS o)
Update failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017907.exe
Infected with: Trojan.Clicker.VB.FN

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017907.exe
Disinfection failed

C:\System Volume Information\_restore{8AA3FA26-C312-4E12-996F-C94B9EA1E378}\RP119\A0017907.exe
Deleted


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:37:01 PM, on 08/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mathew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1150911382798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1150914430032
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{88774762-5113-4F52-83D2-CB76B567F64C}: NameServer = 206.47.244.51 206.47.244.90
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

[tetonbob]

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software
  
  
• IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
    From within the folder, double-click install.bat
    Select Option #2 - Install the new IE-SPYAD list.
    Then return to the main menu.
    Select option #4 - Add the old porn sites domain
  
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  
  
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
  
  
• AVG

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[PurelyCanadian]

Thank you very much, I appreciate the assistance. Just out of curiosity, do you know anything about this virus? As in, how harmful is it, what could it of done, how long it's been going?

If not that's fine, just wondering. Thank you though, and over time (I've got dial-up ) I'll download some of those programs you listed.

.. Cheers ..

- Matt

[PurelyCanadian]

Oh, also, I forgot to ask this. This is very important for me:

I have a brand new, very expensive computer. I was going to burn picutres, and installers for large programs I downloaded to a disc then put them on my new computer, but now after this event I'm not so sure.

Because I have dial-up, some of the things I am going to burn would take about 15 hours to re-download, and the pictures are something I have to get off here regardless.

So is my computer safe enough to now do this?

[tetonbob]

Your system seems free of malware.

What you do with it now is in your hands. I'm not quite sure I understand the question.

You want to transfer files from this computer, which was infected, to another system which is brand new and clean?

Scan each file with your AV before transferring it. This is standard procedure.

Dialup - I feel for ya, I do. I had it until last June. I'll never go back.