cannot get rid of ctpmon.exe popups, trojans

Hello Horace, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So lets do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more
likely additional infections will result.

----------------------------------------

Nothing really bad in the HJT log. We'll get rid of some junk and see what may be hiding in your system.


----------------------------------------

This looks like the legit file, but we'll check it anyway:

Please submit the following file to Jotti File Scan

C:\WINDOWS\system32\ctfmon.exe


At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box.
Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.

----------------------------------------

DOWNLOADS


CLEANUP! version 4.52 – TEMP FILE CLEANING


Please download Cleanup! and install it. You will use this later.

Alternative link Cleanup Alt


*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.



AVG Anti-Spyware 7.5

I see you have this installed already. Please update the definitions. We will use it later

1. Install AVG Anti-Spyware 7.5.
2. Double-click the icon on Desktop to launch AVG A-S 7.5
3. On the top of the main screen click Shield
4. Click the word active to change it to inactive
5. On the top of the main screen click Update.
6. Then click on Start Update. The update will start and a progress bar will show the updates being installed.
7. I also recommend changing the "Update interval" to something more reasonable like 12 hours.

ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

If you are not able to reboot into Safe Mode, continue in Normal Mode
----------------------------------------

FIXES AND DELETIONS


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://care.alltel.com
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://www.gtwebcheck.com/rel/86/install/gtdowngc.cab



Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\ctpmon.exe

----------------------------------------

RUNNING SCANNERS


Cleanup

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program and DO NOT reboot when prompted.


AVG Anti-Spyware 7.5

• Run AVG A-s with it's updated definitions: (...it's important that all windows must be closed)
  This scan can take quite a while to run, so be prepared.
• Click Scanner
• Click on the Scan tab
• Click Complete System Scan to begin scanning.
  
  
  
  
  
• When the scan is complete click Recommended Action and change it to Quarantine (1),
• If not click Recommended Action and choose Quarantine from the popup menu. (2)
• At the bottom of the window click on the Apply all Actions button. (3)

When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.



Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will
reinfect your system or will not be cleaned properly.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------


ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on
   located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on
  then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

Jotti results
c:\combofix.txt
AVG A/S
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

K, Jotti file came up clean on ctfmon.exe

Ran combofix, but could not boot into safe mode.

Ran Hijack this, ticked the boxes you said. I am curious about the one for Alltel as it would have been something from my DSL ISP? Ticked it anyways.

Unhid files as told. Could not delete ctpmon.exe even after running Hijackthis.
Tried to shut it down in task manager but it keeps restarting. Tried shutting it down in msconfig to no avail. This file is a problem.

Ran Cleanup, AVG Anti-Spyware and Panda Scan.

Following are requested log files:

"Owner" - 07-01-22 8:13:02 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Owner\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\fad.sys
C:\INSTALL.LOG
C:\WINDOWS\system32\drivers\npf.sys


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-21 12:27 <DIR> d-------- C:\Program Files\RegistryCleaner
2007-01-20 08:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-20 01:44 593,836 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-01-19 09:00 49,152 --a------ C:\pnxmrqtb.exe
2007-01-19 09:00 34,304 --a------ C:\WINDOWS\system32\ctpmon.exe
2007-01-16 21:58 <DIR> d-------- C:\Program Files\Malware-Wiped
2007-01-16 20:57 20,992 --a------ C:\WINDOWS\system32\gwquvw.dll
2007-01-16 20:57 <DIR> d-------- C:\Program Files\Video ActiveX Object
2007-01-16 18:55 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-15 02:05 <DIR> d-------- C:\Program Files\thriXXX
2007-01-15 02:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo!
2007-01-14 22:14 <DIR> d-------- C:\Program Files\Guild Wars
2007-01-13 17:17 <DIR> d-------- C:\Program Files\mIRC
2007-01-13 07:28 <DIR> d-------- C:\Program Files\Phonebook
2007-01-11 23:08 <DIR> d-------- C:\Program Files\Tibia
2007-01-11 21:36 <DIR> d-------- C:\Program Files\LimeWire
2007-01-11 19:07 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Motive
2007-01-11 15:59 <DIR> d-------- C:\WINDOWS\Motive
2007-01-11 15:58 <DIR> d-------- C:\Program Files\ALLTEL DSL Check-up Center
2007-01-11 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\MotiveSysIDs
2007-01-11 15:56 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-01-11 15:56 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2007-01-11 15:05 589,824 --a------ C:\WINDOWS\system32\MCCDNSHLP_1-0-0_DSR.dll
2007-01-11 15:05 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-01-11 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Motive
2007-01-11 15:03 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-01-11 15:03 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-01-11 15:03 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-01-11 15:03 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-01-11 15:02 945,424 --a------ C:\WINDOWS\system32\msjava.dll
2007-01-11 15:02 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-01-11 15:02 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-01-11 15:02 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-01-11 15:02 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-01-11 15:02 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-01-11 15:02 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-01-11 15:02 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-01-11 15:02 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-01-11 15:02 154,896 --a------ C:\WINDOWS\system32\msawt.dll
2007-01-11 15:02 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-01-11 15:02 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-01-11 15:02 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-12-27 20:49 <DIR> d-------- C:\Program Files\AWClient
2006-12-22 16:44 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 08:07 -------- d-------- C:\Program Files\mozilla firefox
2007-01-20 17:52 -------- d-------- C:\Program Files\spyware doctor
2007-01-20 12:04 -------- d-------- C:\Program Files\uphclean
2007-01-20 12:04 -------- d-------- C:\Program Files\spywareguard
2007-01-20 07:25 -------- d-------- C:\Program Files\sunbelt software
2007-01-20 07:23 -------- d-------- C:\DOCUME~1\Owner\Application Data\dmcache
2007-01-18 16:50 -------- d-------- C:\Program Files\spywareblaster
2007-01-18 08:37 -------- d-------- C:\Program Files\peoplepc
2007-01-18 08:26 -------- d-------- C:\DOCUME~1\Owner\Application Data\avg7
2007-01-17 00:03 -------- d-------- C:\Program Files\diablo ii
2007-01-15 02:02 -------- d-------- C:\Program Files\yahoo!
2007-01-11 17:04 -------- d---s---- C:\DOCUME~1\Owner\Application Data\microsoft
2007-01-07 22:51 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-10-23 09:51 202424 --a------ C:\WINDOWS\system32\idmmbc.dll
2006-10-14 09:56 21176 --a------ C:\DOCUME~1\Owner\Application Data\gdipfontcachev1.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\ALLTEL~1\\SMARTB~1\\MotiveSB.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ctpmon"="ctpmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctpmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctpmon"
"hkey"="HKLM"
"command"="ctpmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"
"isamonitor.exe"="C:\\Program Files\\Video ActiveX Object\\isamonitor.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070120-181625-192
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
backup-20070120-181615-863
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
backup-20070120-181430-189
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070120-181430-210
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
backup-20070120-180351-605
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
backup-20070120-180351-460
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
backup-20070118-081820-416
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll
Completion time: 07-01-22 8:22:03

------------------------------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:50:36 AM 1/22/2007

+ Scan result:



C:\Program Files\Video ActiveX Object -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\ot.ico -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\ts.ico -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-57989841-682003330-1003\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1757981266-57989841-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\gwquvw.dll -> Adware.WorldSecurityOnline : Cleaned with backup (quarantined).


::Report end

------------------------------------------------------------------
Panda Scan

Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Desktop\Registry Cleaner.lnk

------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:41:43 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ctpmon] ctpmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135986178421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

System not bad. Keeps getting a popup to download "Registry Cleaner" that says is from Microsoft, which I thunk one of the kids hit ok on the other day and it is still on the system. It will be going in the trash soon. But that darn ctpmon.exe file is a bugger.

Registry Cleaner is a legit program. Some people use registry cleaners regularly and others won't go near them. I guess it's more on personal preference, keeping in mind that deleting the wrong registry entry can affect the operation of your system. Please let me know if you want to keep it. If not, we'll get rid of it in the next round

Speaking of registry entries, ComboFix shows a SmitFraud infection. Please download this tool and post the log.



SMITFRAUD FIX

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

The log will be at c:\rapport.txt

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

SmitFraudFix v2.133

Scan done at 15:26:38.51, Mon 01/22/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

We are getting there. Let's get rid of some more junk brought out in ComboFix.


----------------------------------------

DOWNLOADS


REGISTRY FIX

Download the attached horace.zip file at the bottom of this post to your desktop. Double click on the zip folder,
then double click on the .reg file within.
Click yes to allow it to merge into your registry.


----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Malware-Wiped
Video ActiveX Object

----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Malware-Wiped
C:\Program Files\Video ActiveX Object

C:\pnxmrqtb.exe

C:\WINDOWS\system32\gwquvw.dll
C:\WINDOWS\system32\jview.exe
C:\WINDOWS\system32\ctpmon.exe

----------------------------------------

SmitFraud - OPTION 2

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

The tool will create a log named c:\rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your
operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

SECURE DESKTOP


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS


Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
      [*]Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
  We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\rapport.txt from SmitFraud
Kaspersky scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.

Also, please do this:

FILE SUBMISSION

Please submit the below file to:

Malware Submission]


Under link to topic where this file was requested copy/paste

http://www.techsupportforum.com/newreply.php?do=newreply&noquote=1&p=769874


Under Browse to the file you want to submit, copy/paste

c:\wndows\system32\ctpmon.exe


Leave any comments you may wish.

Click on Send File button.

Ok, all the above steps taken. Here are the reports you asked for.

SmitFraudFix v2.133

Scan done at 16:43:40.84, Tue 01/23/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 23, 2007 6:23:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/01/2007
Kaspersky Anti-Virus database records: 261224
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 108444
Number of viruses found: 7
Number of infected objects: 22 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software\CounterSpy\SunEventsData.sdb Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_59c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF1357.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5358.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF547C.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE554.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bjx skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bjx skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe UPX: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bku skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bku skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe UPX: infected - 2 skipped
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\log\mpbtn.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP342\A0103569.com Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP342\A0103570.com Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP349\A0107642.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP349\A0107643.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP349\A0107644.dll Infected: not-a-virus:AdWare.Win32.Agent.ac skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP352\A0132918.exe Object is locked skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP352\A0136119.dll Infected: not-a-virus:FraudTool.Win32.WorldSecurityOnline.c skipped
C:\System Volume Information\_restore{54B173AC-C7E4-4773-B00D-B289C8EBE086}\RP353\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 6:24:45 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135986178421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

cptmon.exe is an interesting piece of malware which doesn't like to go quietly and it appears to download rogue Registry Cleaners.
I want to check and make sure it's gone as it appears to rejuvenite itself and clean out the remaining malware in your system.



----------------------------------------

CPTMON DELETION

Please check and see it it is still in TAsk Manager

• Open Task Manager
• Go to Start>>Run and type in taskmgr
  
  
  
  
• select the Processes tab
• Scroll down to cptmon.exe
• Right click on the process
• Select End Process Tree
• Close Task Manager

----------------------------------------

REGISTRY FIX

We need to finish cleaning out the bad registry entries.

Download the attached horace1.zip file at the bottom of this post to your desktop. Double click on the zip folder,
then double click on the .reg file within.
Click yes to allow it to merge into your registry.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

RegistryCleaner>>>This is a Rogue program, however, if you want it, disregard the deletion


----------------------------------------

UNHIDE HIDDEN FILES

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.


C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe UPX
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup.exe PE_Patch.UPX
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe UPX
C:\Documents and Settings\Owner\My Documents\Downloads\Programs\setup_2.exe PE_Patch.UPX

C:\WINDOWS\system32\RegistryCleanerSetup.exe>>>This is a Rogue program, however, if you want it, disregard the deletion

C:\Program Files\RegistryCleaner>>>This is a Rogue program, however, if you want it, disregard the deletion

----------------------------------------

ComboFix - 2nd Run


2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

Create an uninstall list:

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• Click on the Box that says "Open Uninstall Manager"
• Click on the button "Save list"
• Copy and past the List from the notepad file into your post

----------------------------------------

SYSTEM REPAIR ENGINEER

Please download this tool >http://www.kztechs.com/sreng/sreng2.zip]System Repair Engineer

• Extract it to it's own folder & double click SREng.exe to run it
  
  
• Select 'Smart Scan' & tick "Verify Digital Signatures"
  
  
• Click on the [Scan] button
  
  
• When finished, click on the [Save Reports] button & save the log to Desktop
  
  
• Attach the log in your next reply. Dont post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\combofix.txt
Uninstall list
SREng log attached

Please let me know how your system is behaving.

"Owner" - 07-01-24 14:00:51 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))


2007-01-23 16:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-22 15:26 2,206 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-20 08:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-16 18:55 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-15 02:05 <DIR> d-------- C:\Program Files\thriXXX
2007-01-15 02:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo!
2007-01-14 22:14 <DIR> d-------- C:\Program Files\Guild Wars
2007-01-13 17:17 <DIR> d-------- C:\Program Files\mIRC
2007-01-13 07:28 <DIR> d-------- C:\Program Files\Phonebook
2007-01-11 23:08 <DIR> d-------- C:\Program Files\Tibia
2007-01-11 21:36 <DIR> d-------- C:\Program Files\LimeWire
2007-01-11 19:07 <DIR> d-------- C:\DOCUME~1\Owner\Application Data\Motive
2007-01-11 15:59 <DIR> d-------- C:\WINDOWS\Motive
2007-01-11 15:58 <DIR> d-------- C:\Program Files\ALLTEL DSL Check-up Center
2007-01-11 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\MotiveSysIDs
2007-01-11 15:56 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-01-11 15:56 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2007-01-11 15:05 589,824 --a------ C:\WINDOWS\system32\MCCDNSHLP_1-0-0_DSR.dll
2007-01-11 15:05 <DIR> d-------- C:\Program Files\Common Files\Motive
2007-01-11 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Motive
2007-01-11 15:03 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-01-11 15:03 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-01-11 15:03 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-01-11 15:03 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-01-11 15:02 945,424 --a------ C:\WINDOWS\system32\msjava.dll
2007-01-11 15:02 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-01-11 15:02 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-01-11 15:02 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-01-11 15:02 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-01-11 15:02 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-01-11 15:02 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-01-11 15:02 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-01-11 15:02 154,896 --a------ C:\WINDOWS\system32\msawt.dll
2007-01-11 15:02 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-01-11 15:02 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-01-11 15:02 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-12-27 20:49 <DIR> d-------- C:\Program Files\AWClient


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-24 10:23 -------- d-------- C:\Program Files\mozilla firefox
2007-01-23 16:10 -------- d-------- C:\Program Files\spywareblaster
2007-01-22 10:25 -------- d-------- C:\Program Files\uphclean
2007-01-22 10:25 -------- d-------- C:\Program Files\spywareguard
2007-01-22 10:25 -------- d-------- C:\Program Files\spyware doctor
2007-01-20 07:25 -------- d-------- C:\Program Files\sunbelt software
2007-01-20 07:23 -------- d-------- C:\DOCUME~1\Owner\Application Data\dmcache
2007-01-18 08:37 -------- d-------- C:\Program Files\peoplepc
2007-01-18 08:26 -------- d-------- C:\DOCUME~1\Owner\Application Data\avg7
2007-01-17 00:03 -------- d-------- C:\Program Files\diablo ii
2007-01-15 02:02 -------- d-------- C:\Program Files\yahoo!
2007-01-11 17:04 -------- d---s---- C:\DOCUME~1\Owner\Application Data\microsoft
2007-01-07 22:51 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2006-10-14 09:56 21176 --a------ C:\DOCUME~1\Owner\Application Data\gdipfontcachev1.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\ALLTEL~1\\SMARTB~1\\MotiveSB.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-24 14:08:49
C:\ComboFix2.txt ... 07-01-23 14:22
C:\ComboFix3.txt ... 07-01-22 08:22
-------------------------------------------------------------
Ad-Aware SE Professional
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
AVG Anti-Spyware 7.5
AVG Free Edition
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CardRd81
CCleaner (remove only)
CCScore
CleanUp!
CR2
Dell Media Experience
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell ResourceCD
Dell Support 5.0.0 (630)
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
Guild Wars
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPSFO
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Download Manager
IomegaWare
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Kaspersky Online Scanner
Kodak EasyShare software
KSU
LimeWire 4.12.6
Lyra Jukebox Applications
Macromedia Flash Player 8
MCR_screensaver
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
mIRC
Mozilla Firefox (1.5.0.9)
MSConfig CleanUp 1.2
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Panda ActiveScan
Pooh Knows Your Name
QuickTime
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
SFR
SFR2
SHASTA
SKIN0001
SKINXSDK
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
Spyware Doctor 4.0
SpywareBlaster v3.5.1
SpywareGuard v2.2
Sunbelt CounterSpy
Sunbelt Kerio Personal Firewall
Tibia 7.92
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
User Profile Hive Cleanup Service
Viewpoint Media Player
VPRINTOL
WebCyberCoach 3.2 PSA
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windstream Broadband Check-up Center
WinPatrol
WinRAR archiver
WIRELESS
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar