Not open for further replies.

Original post by torrobinson (Registered, 63 posts):
Okay....

Last Thursday I stupidly tried to run a keygen from a site I didn't trust. Since then, I've gotten a ton of popups in IE and now Firefox. And AVG is CONSTANTLY popping up and saying files are infected. I say "heal", but nothing happens. I already had and ran Adaware, CCleaner, ZoneAlarm, AVG, and Registry Mechanic. AVG doesn't do ****. So I got SpywareBlaster and Avast! Antivirus. They don't work worth 2 ****s either. So I was going through my ZoneAlarm allowed programs and looking for things I didn't recognize. Here's what I found:



I googled ISHOST and found that.... it's bad. Although I'm not sure what it is or does. Could this be what's messing up my laptop? Could there be more, considering it was just one thing I ran? Here's the HijackThis log I recently ran.

Logfile of HijackThis v1.99.1
Scan saved at 7:05:35 PM, on 18/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\ntscrmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\PROGRA~1\McAfee\MSC\McLogCln.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\program files\mcafee\msc\mcupdui.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee\MSC\Updates\Installs\1\msc\mcinst.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Ntscrmon] C:\WINDOWS\system32\ntscrmon.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [McLogLch_exe] C:\Program Files\McAfee\MSC\McLogLch.exe
O4 - HKLM\..\Run: [0271021166492691mcinstcleanup] C:\DOCUME~1\TORROB~1\LOCALS~1\Temp\027102~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\RunOnce: [!mcagntps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee.com\agent\mcagntps.dll
O4 - HKLM\..\RunOnce: [mcagent.exe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe -regserver
O4 - HKLM\..\RunOnce: [!mcmispps.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mcmispps.dll
O4 - HKLM\..\RunOnce: [!mccfgpv.dll] regsvr32.exe /s c:\PROGRA~1\mcafee\msc\mccfgpv.dll
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: reico.bat
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FireFly - Unknown owner - C:\Program Files\FireFly\WinDeBug.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JiWire WiFi Monitoring (JiWireWireless) - JiWire, Inc. - c:\documents and settings\tor robinson\local settings\application data\yahoo\widget engine\jiwire_wi-fi_finder.widget\jiwirewifi.widget\contents\resources\jiwire.win\jiwirewifiwin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Reply from TSF Security Manager, Emeritus (42,836 posts):
Hello torrobinson and welcome to TSF,

Please do not bump your thread prior to 48 hours. We work these logs oldest to newest so by bumping to keep yourself on Page 1, you essentially move yourself back on the list. :wink:

Also, please just copy/paste the HijackThis log directly into the reply box. Do not use quote or code tags around it, as that makes it more difficult to read.

------------------------------

You have a few infections on board. No worries, we can clean this up, but in order to attack this in the most efficient manner, please do the following:

One of the infections you have recognizes HijackThis and prevents HJT from reading the registry locations where it resides as well as hiding other infections in those locations.

I'd like you to rename HijackThis.exe to torro.exe.
  • Navigate to C:\Program Files\Hijackthis\HijackThis.exe
  • Right click on HijackThis.exe
  • Select 'Rename'
  • Type in torro.exe
  • Press Enter.

Please run another scan with torro.exe and post that log here so we can get started. :sayyes:
 

Reply from torrobinson (Discussion Starter, #4):
Sorry for the mistakes! :(

Here's the log after I renamed it to "torro.exe"

Logfile of HijackThis v1.99.1
Scan saved at 4:47:07 PM, on 19/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\PROGRA~1\McAfee\MSC\mcregist.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\ntscrmon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\mcafee\msc\mcupdui.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Hijackthis\torro.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\wdmecmyc.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {B0187843-85B7-4B62-BCBD-058B7317025F} - C:\WINDOWS\system32\sstqo.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Ntscrmon] C:\WINDOWS\system32\ntscrmon.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\RunOnce: [mcupdmgr.exe] c:\PROGRA~1\mcafee\msc\mcupdmgr.exe -regserver
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: reico.bat
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee Application Installer Cleanup (0225281166571565) (0225281166571565mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\022528~1.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FireFly - Unknown owner - C:\Program Files\FireFly\WinDeBug.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JiWire WiFi Monitoring (JiWireWireless) - JiWire, Inc. - c:\documents and settings\tor robinson\local settings\application data\yahoo\widget engine\jiwire_wi-fi_finder.widget\jiwirewifi.widget\contents\resources\jiwire.win\jiwirewifiwin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
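
The two logs above were produced by the same scanner, once as HijackThis.exe and once as torro.exe, and only the second one shows the O2 (BHO) and O20 (Winlogon Notify) lines. The script below is an added example for this thread, not a tool from the original post or from HijackThis: it diffs excerpts copied from the two logs, applies three rules a practitioner would reach for first (an unnamed BHO loading from system32, a Winlogon Notify handler outside an allowlist, a service whose binary is missing), and derives the DLL base names that the cleanup command later in the thread passes on its command line. The KNOWN_NOTIFY allowlist is an assumption made for the example.

```python
"""Diff two HijackThis 1.99.1 logs and flag the entries a cleanup would target.

Added example for this thread, not a tool from the original post. The two
excerpts below are copied from the logs posted above (headers and process
lists omitted); KNOWN_NOTIFY is an assumed allowlist used for illustration.
"""
import re

# Excerpt of the first log (scan run as HijackThis.exe): no O2/O20 lines at all.
LOG_BEFORE = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - Global Startup: reico.bat
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: FireFly - Unknown owner - C:\Program Files\FireFly\WinDeBug.exe (file missing)
"""

# Excerpt of the second log (same scan run as torro.exe): the hidden entries appear.
LOG_AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\wdmecmyc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {B0187843-85B7-4B62-BCBD-058B7317025F} - C:\WINDOWS\system32\sstqo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - Global Startup: reico.bat
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: FireFly - Unknown owner - C:\Program Files\FireFly\WinDeBug.exe (file missing)
"""

# Assumed allowlist: WgaLogon (Windows Genuine Advantage) and WBSrv (Stardock
# WindowBlinds) are the legitimate handlers visible in the log above.
KNOWN_NOTIFY = {"wgalogon", "wbsrv"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
DLL_RE = re.compile(r"([^\\\s]+)\.dll\b", re.IGNORECASE)


def parse_entries(log):
    """Return the (section, body) pairs of a log, skipping headers and process paths."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def new_entries(before, after):
    """Entries present in the second log but not the first, in log order."""
    seen = set(parse_entries(before))
    return [e for e in parse_entries(after) if e not in seen]


def flag(sec, body):
    """Give a reason an entry deserves attention, or None if no rule fires."""
    if sec == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in body.lower():
        return "unnamed BHO loading from system32"
    if sec == "O20":
        # body looks like "Winlogon Notify: <name> - <dll path>"
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
        if name.lower() not in KNOWN_NOTIFY:
            return "Winlogon Notify handler not on allowlist (loads into winlogon.exe as SYSTEM)"
    if sec == "O23" and body.endswith("(file missing)"):
        return "service whose binary is missing"
    return None


def flagged_entries(log):
    """All (section, body, reason) triples the rules fire on."""
    out = []
    for sec, body in parse_entries(log):
        reason = flag(sec, body)
        if reason:
            out.append((sec, body, reason))
    return out


def combofix_targets(log):
    """Base names of the flagged O2/O20 DLLs, the list the thread's /v switch receives."""
    names = set()
    for sec, body, _ in flagged_entries(log):
        m = DLL_RE.search(body)
        if sec in ("O2", "O20") and m:
            names.add(m.group(1).lower())
    return sorted(names)


if __name__ == "__main__":
    for sec, body in new_entries(LOG_BEFORE, LOG_AFTER):
        print("NEW    ", sec, body)
    for sec, body, reason in flagged_entries(LOG_AFTER):
        print("FLAGGED", sec, reason, "<-", body)
    print("/v", " ".join(combofix_targets(LOG_AFTER)))
```

Run as-is it prints the eight entries the renamed scanner exposed, the five it flags, and the three DLL names. Two entries the rules deliberately leave alone: the R1 AutoConfigURL of http://localhost:9100/proxy.pac is consistent with the Google Web Accelerator installed on this machine rather than a browser hijack, and reico.bat in Global Startup carries no path and is worth checking by hand. A rule pass narrows the list; it does not replace reading the log.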
 

Reply from TSF Security Manager, Emeritus:
Hiya,

Don't feel bad; currently no Anti Virus can effectively clean any of the infections present on your system--specialty tools and steps are required. :sayyes:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Before we begin, I realize you probably installed another Anti Virus program in an attempt to clean your system but, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

***************************************************

Please download SmitfraudFix (by S!Ri) to your Desktop.

-----------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**


-------------------------------------

Close any open browsers.

-------------------------------------




Go to <<Start>> then <<Run>>, then copy/paste the following text into the Run box and click OK:

"%userprofile%\desktop\combofix.exe" /v wdmecmyc sstqo wincqt32

When finished, it shall produce a log for you. We'll need that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


***************************************************

Click Start->Run - type services.msc & then click on the OK button
*Locate the service - FireFly
*Double-click on it to open the Properties dialog.
*Under the General tab:
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button.

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in FireFly, click OK and allow the reboot. Go directly to Safe Mode.

***************************************************

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists:

FireFly

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using 'My Computer', navigate to and delete the following Folder

C:\Program Files\FireFly

-----------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Windows.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

-----------------------------------

Next go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, then click Apply, then OK.

-----------------------------------

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

-----------------------------------

Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

----------------------------------------------------

Reboot into Normal Mode.

----------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

______________________________

Please run this online scan to search for any other files that may be lurking. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

______________________________

Run another scan with HijackThis and save the log.
______________________________

Then post the following logs in your next reply, in the following order:

ComboFix.txt
c:\rapport.txt
AVG A/S log
Panda log
Hijackthis log
 
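The instructions above ask for the ComboFix log and then walk through, by hand, the spots that this kind of infection abuses: randomly named droppers in system32, hidden+system files, Active Desktop "components" that replace the wallpaper with a fake warning, and the per-drive AutoRun hook under MountPoints2. The Python script below is an added example, not part of this thread and not ComboFix's or any named tool's own logic: it reads a log in ComboFix's layout and flags those four things as leads for a reviewer. The sample log is constructed to mirror the format ComboFix prints (the "file:///...desktop_hijack.htm" component is invented for the demo), and the "random name" rule (5-8 lowercase letters with a run of four or more consonants) is an assumption of this example, not a published signature.

```python
"""Heuristic triage of a ComboFix-style log (added example, not from the
thread or from ComboFix itself).  It walks the "Files Created" and
"Reg Loading Points" sections and flags:
  * hidden+system files (the 'h' and 's' attribute flags),
  * randomly named .exe/.dll files dropped directly in system32,
  * Active Desktop components whose Source is not an about: URL,
  * per-drive AutoRun commands under MountPoints2.
The random-name rule and the line formats are assumptions drawn from the
layout ComboFix prints; treat every hit as a lead to verify, not a verdict.
"""
import ntpath
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# Assumed file line layout: "2006-12-19 20:40 88,340 --a------ C:\path"
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$"
)
DESKTOP_COMPONENT = re.compile(r"\\desktop\\components\\\d+$")
VOWELS = set("aeiou")

# Constructed sample in ComboFix's layout; the components\1 entry is invented.
SAMPLE_LOG = r"""
((((((( Files Created from 2006-11-19 to 2006-12-19 )))))))
2006-12-19 20:40 88,340 --a------ C:\WINDOWS\system32\fcsjcgnj.exe
2006-12-19 20:39 44,052 --a------ C:\WINDOWS\system32\dakkdspd.dll
2006-12-19 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-14 18:06 40,973 --ahs---- C:\WINDOWS\system32\iifdcax.dll
2006-12-03 16:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
((((((( Reg Loading Points )))))))
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="file:///C:/WINDOWS/desktop_hijack.htm"
"FriendlyName"="Security Info"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
"""


def longest_consonant_run(name: str) -> int:
    """Length of the longest stretch of non-vowel letters in name."""
    run = best = 0
    for ch in name.lower():
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem: str) -> bool:
    """Assumption: Vundo-style droppers use 5-8 random lowercase letters,
    which rarely form a pronounceable word; four or more consonants in a
    row is the cheap tell used here (noisy, so paired with the path check)."""
    return (stem.isalpha() and stem.islower() and 5 <= len(stem) <= 8
            and longest_consonant_run(stem) >= 4)


def check_file(attrs: str, path: str) -> list:
    """Findings for one 'Files Created' line (attrs is the 9-char column)."""
    hits = []
    if "h" in attrs and "s" in attrs:
        hits.append({"kind": "hidden_system", "detail": path})
    parent = ntpath.dirname(path).lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    # Only files directly in system32: drivers\ has legitimate terse names.
    if (parent.endswith("\\system32") and ext.lower() in (".exe", ".dll")
            and looks_random(stem)):
        hits.append({"kind": "random_name", "detail": path})
    return hits


def triage(log_text: str) -> list:
    """Return {'kind', 'detail'} findings for the whole log, in log order."""
    findings = []
    current_key = ""  # registry key the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_LINE.match(line):
            current_key = m.group(1).lower()
        elif m := FILE_LINE.match(line):
            _ts, _size, attrs, path = m.groups()
            findings.extend(check_file(attrs, path))
        elif (m := VALUE_LINE.match(line)) and DESKTOP_COMPONENT.search(current_key):
            name, value = m.groups()
            # A desktop component pointing at a file/http URL is the
            # "fake security warning wallpaper" the thread deals with.
            if name.lower() == "source" and not value.lower().startswith("about:"):
                findings.append({"kind": "desktop_component", "detail": value})
        elif "mountpoints2" in current_key and line.lower().startswith(r"shell\autorun\command"):
            findings.append({"kind": "drive_autorun",
                             "detail": line.split(None, 1)[1] if " " in line else ""})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['kind']:18} {hit['detail']}")
```

Run it as-is to see the five hits from the sample; to use it on a real log, pass the file's contents to triage() instead of SAMPLE_LOG. A legitimate file can trip the name rule, so each hit still needs the usual check (publisher, whether it is referenced from a Run key or BHO entry, when it appeared relative to the infection).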

Registered
Discussion Starter · #6
Combofix.txt
"Tor Robinson" - 06-12-19 20:29:10.51 Service Pack 2
ComboFix 06-12-19.2W-BetaE2 - Running from: "C:\Documents and Settings\Tor Robinson\desktop"
Command switches used :: /v wdmecmyc sstqo wincqt32

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wdmecmyc.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


"C:\WINDOWS\system32\oqtss.ini"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\211.exe
d:\autorun.inf
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\components
C:\DOCUME~1\TORROB~1\Application Data\SearchToolbarCorp


((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))


2006-12-19 20:41 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-19 20:40 88,340 --a------ C:\WINDOWS\system32\fcsjcgnj.exe
2006-12-19 20:40 <DIR> d-------- C:\Program Files\VSAdd-in
2006-12-19 20:40 <DIR> d-------- C:\DOCUME~1\TORROB~1\APPLIC~1\SearchToolbarCorp
2006-12-19 20:39 44,052 --a------ C:\WINDOWS\system32\dakkdspd.dll
2006-12-19 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-18 19:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2006-12-18 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7
2006-12-18 19:01 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-18 18:41 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2006-12-18 18:41 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2006-12-18 18:41 <DIR> d-------- C:\Program Files\ProcessGuard
2006-12-18 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-12-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-17 14:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-17 13:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-17 13:48 <DIR> d-------- C:\DOCUME~1\TORROB~1\.housecall6.6
2006-12-14 22:12 <DIR> d-------- C:\Program Files\Planet Earth 3D Screensaver
2006-12-14 19:39 184,320 --a------ C:\WINDOWS\system32\EXECUTE.SCR
2006-12-14 19:39 150,528 --a------ C:\WINDOWS\system32\NTSCRMON.EXE
2006-12-14 19:39 130,048 --a------ C:\WINDOWS\system32\BLCKSCR.SCR
2006-12-14 19:39 <DIR> d-------- C:\Program Files\Posum
2006-12-14 19:38 299,520 --a------ C:\WINDOWS\uninst.exe
2006-12-14 18:13 88,340 --a------ C:\WINDOWS\system32\exadttrl.exe
2006-12-14 18:06 40,973 --ahs---- C:\WINDOWS\system32\iifdcax.dll
2006-12-14 17:31 <DIR> d-------- C:\Program Files\3D Space Tour
2006-12-14 17:26 <DIR> d-------- C:\WINDOWS\system32\GlobFX
2006-12-14 17:22 <DIR> d-------- C:\Program Files\GlobFX Technologies
2006-12-12 21:14 <DIR> d-------- C:\Program Files\TeXaide
2006-12-07 20:26 <DIR> d-------- C:\Program Files\ABBYY ScanTo Office 1.0
2006-12-06 17:33 9,931,703 --a------ C:\WINDOWS\LOST_screensaver.scr
2006-12-06 17:33 65,536 --a------ C:\WINDOWS\NCLAUNCH.EXe
2006-12-06 17:33 45,056 --a------ C:\WINDOWS\NCUNINST.EXe
2006-12-03 16:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-12-03 12:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-03 12:33 <DIR> d-------- C:\Fraps
2006-12-02 20:40 <DIR> d-------- C:\Program Files\ArtMoney
2006-12-02 18:58 <DIR> d-------- C:\Program Files\Alive Games
2006-12-02 18:58 <DIR> d-------- C:\DOCUME~1\TORROB~1\APPLIC~1\Alive Games
2006-12-01 19:49 <DIR> d-------- C:\Program Files\Axife Mouse Recorder DEMO
2006-11-24 17:40 <DIR> d-------- C:\Program Files\Deimos Rising
2006-11-19 01:38 <DIR> d-------- C:\3ed0a8390dd1fa38c93128e2df15be


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-19 20:42 6551 --a------ C:\Documents and Settings\Tor Robinson\Application Data\.googlewebacchosts
2006-12-19 20:40 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\searchtoolbarcorp
2006-12-19 20:25 -------- d-------- C:\Program Files\mozilla firefox
2006-12-19 20:06 -------- d-------- C:\Program Files\grisoft
2006-12-19 17:26 -------- d-------- C:\Program Files\steam
2006-12-19 07:17 -------- d-------- C:\Program Files\jiwire
2006-12-18 19:56 -------- d-------- C:\Program Files\registry mechanic
2006-12-18 18:43 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\utorrent
2006-12-17 14:12 -------- d-------- C:\Program Files\yahoo!
2006-12-15 23:26 -------- d--h----- C:\Program Files\installshield installation information
2006-12-15 23:26 -------- d-------- C:\Program Files\java
2006-12-12 23:14 -------- d-------- C:\Program Files\prodad
2006-12-12 19:08 -------- d-------- C:\Program Files\pinnacle
2006-12-10 16:25 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\adobe
2006-12-02 18:58 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\alive games
2006-11-24 17:42 20 --a------ C:\Documents and Settings\Tor Robinson\Application Data\deimos rising license.lcs
2006-11-12 20:51 -------- d-------- C:\Program Files\google
2006-11-09 15:52 -------- d-------- C:\Program Files\rapid-emailer
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 11:31 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
2006-11-04 11:31 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\system requirements lab
2006-11-03 09:27 -------- d-------- C:\Program Files\quicktime
2006-11-02 23:13 -------- d-------- C:\Program Files\microsoft games
2006-11-02 22:55 -------- d-------- C:\Program Files\doom 3 demo
2006-10-27 18:26 -------- d-------- C:\Program Files\gustosoft
2006-10-26 06:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-25 14:45 -------- d-------- C:\Program Files\ipod
2006-10-24 17:39 -------- d-------- C:\Program Files\increment software
2006-10-24 16:37 -------- d---s---- C:\Documents and Settings\Tor Robinson\Application Data\microsoft
2006-10-23 17:09 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\avedesk
2006-10-23 17:04 -------- d-------- C:\Program Files\avedesk
2006-10-22 18:23 -------- d-------- C:\Program Files\virtualdj
2006-10-22 11:34 -------- d-------- C:\Program Files\transparent screen lock
2006-10-20 20:51 -------- d-------- C:\Program Files\emersys
2006-10-19 22:47 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\sony
2006-10-19 22:12 -------- d-------- C:\Program Files\techsmith
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-08 09:50 2508 --a------ C:\Documents and Settings\Tor Robinson\Application Data\$_hpcst$.hpc
2006-09-29 22:20 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2006-09-29 22:20 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2006-09-22 03:00 45056 --a------ C:\WINDOWS\system32\csvidcap.dll
2006-09-22 03:00 102400 --a------ C:\WINDOWS\system32\tsccvid.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyCaptureScreen"=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"RecGuard"="C:\\Windows\\SMINST\\RecGuard.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"USB2Check"="RUNDLL32.EXE \"C:\\WINDOWS\\system32\\PCLECoInst.dll\",CheckUSBController"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"USBToolTip"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"Ntscrmon"="C:\\WINDOWS\\system32\\ntscrmon.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:c0000004
"OriginalStateInfo"=hex:18,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,00,03,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,80,02,00,00,00,00,00,00,80,02,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoClose"=dword:00000000
"NoLogoff"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RK Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\RK Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RKLAUN~1\\RKLAUN~1.EXE "
"item"="RK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
"backup"="C:\\WINDOWS\\pss\\SideWindow.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Innobec\\SIDEWI~1\\Bin\\SIDEWI~1.EXE "
"item"="SideWindow"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^CaptureWiz.lnk]
"backup"="C:\\WINDOWS\\pss\\CaptureWiz.lnkStartup"
"location"="Startup"
"item"="CaptureWiz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Client Default.lnk]
"backup"="C:\\WINDOWS\\pss\\Client Default.lnkStartup"
"location"="Startup"
"item"="Client Default"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
"backup"="C:\\WINDOWS\\pss\\Dragon NaturallySpeaking.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\ScanSoft\\NATURA~1\\Program\\natspeak.exe /Quick"
"item"="Dragon NaturallySpeaking"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Rainlendar.lnk]
"backup"="C:\\WINDOWS\\pss\\Rainlendar.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\RAINLE~1\\RAINLE~1.EXE "
"item"="Rainlendar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Transparent Window]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ActualTransparentWindowCenter"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Entbloess 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Longhorn SideBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SideBar"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinnacle Game Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinnacle"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reflex Vision]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe\" Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\PacSteam\\\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="USBTip"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-19 20:55:23.81


Rapport.txt

SmitFraudFix v2.131

Scan done at 21:09:26.10, 19/12/2006
Run from C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

AVG log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:21:09 PM 19/12/2006

+ Scan result:



C:\WINDOWS\system32\iifdcax.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0100443.exe -> Backdoor.Delf.agq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0100032.exe -> Downloader.Zlob.bfb : Cleaned with backup (quarantined).
C:\Program Files\Multi Theft Auto\MTAClient.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined).
:mozilla.129:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.130:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.131:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.132:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.156:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.230:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.231:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.92:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.93:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.94:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.95:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.96:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.97:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.300:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.163:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.164:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.165:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.174:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.175:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.176:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.177:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.178:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.212:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.238:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Tor Robinson\Cookies\tor [email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.62:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.63:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.64:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.65:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.171:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.211:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.242:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.70:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.71:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.72:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.73:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.74:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.75:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.76:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.77:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.78:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.79:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.303:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.166:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.167:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.168:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.169:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.170:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.111:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.112:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.113:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.152:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.153:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.154:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.155:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.244:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.100:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.101:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.102:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Tor Robinson\Cookies\tor [email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.123:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.124:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.125:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.126:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.127:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.128:C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).


::Report end

Panda Log


Incident Status Location

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.go.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tor Robinson\Cookies\tor [email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix\Process.exe

Hijackthis Log
Logfile of HijackThis v1.99.1
Scan saved at 12:07:57 AM, on 20/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\system32\ntscrmon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\torro.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\dakkdspd.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {D1248417-0AC7-4764-8003-C221C1977B6D} - C:\WINDOWS\system32\sstqo.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Ntscrmon] C:\WINDOWS\system32\ntscrmon.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: reico.bat
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JiWire WiFi Monitoring (JiWireWireless) - JiWire, Inc. - c:\documents and settings\tor robinson\local settings\application data\yahoo\widget engine\jiwire_wi-fi_finder.widget\jiwirewifi.widget\contents\resources\jiwire.win\jiwirewifiwin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

TSF Security Manager, Emeritus
Hello torrobinson,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /v dakkdspd iifdcax

When finished, it shall produce a log for you. We'll need that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\dakkdspd.dll
O2 - BHO: (no name) - {D1248417-0AC7-4764-8003-C221C1977B6D} - C:\WINDOWS\system32\sstqo.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)


Click 'Fix Checked' and close HijackThis.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders if they still exist.

C:\WINDOWS\system32\fcsjcgnj.exe
C:\WINDOWS\system32\exadttrl.exe
C:\Program Files\VSAdd-in
C:\Documents and Settings\Tor Robinson\Application Data\searchtoolbarcorp


**If any of the above resist deletion, boot into Safe Mode and delete.

-----------------------------------

Clear Mozilla Firefox cookies: (you do not need to be online to do this)

Open the Mozilla Browser, Click Tools>Options>Privacy>Cookies>Clear

-----------------------------------

Clear Internet Explorer Cookies: (you do not need to be connected to the internet to perform this)

Launch Internet Explorer>Tools>Internet Options>Delete Cookies

-----------------------------------

Reboot your system.

-----------------------------------

I'd like to use a different online scanner this time to see if it reveals anything further:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

-----------------------------------

Create an Uninstall List:
Open HijackThis
* Click on the "Configure" button on the bottom right
* Click on the tab "Misc Tools"
* Click on the Box that says "Open Uninstall Manager"
* Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.

-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

ComboFix.txt
Kaspersky results
uninstall_list.txt
New HijackThis log
Update on system behavior
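The entries the Security Manager singles out above (unnamed BHOs, components whose file is missing, a Winlogon Notify handler with a random-looking name) are the patterns a log reader learns to spot by eye. As an added example that is not part of the original thread and not a HijackThis or TSF tool, the Python script below encodes those checks as additive scores and runs them over lines copied from the HijackThis log posted earlier, plus benign control lines from the same log (the Yahoo! Toolbar BHO, the Synaptics Run entry, the WgaLogon notify handler). The weights, the score thresholds, the consonant-run test for pseudo-random names and the split into `suspicious` and `review` are my assumptions for illustration; the localhost proxy.pac check is deliberately scored low because the same log lists Google Web Accelerator, a local proxy that plausibly owns that setting.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example: not part of the original thread and not a HijackThis or TSF
tool.  Each check adds points to a line; the weights and thresholds are
assumptions chosen to mirror what a helper looks for by hand, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted in the thread, including a few
# benign control entries so the scoring has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\dakkdspd.dll
O2 - BHO: (no name) - {D1248417-0AC7-4764-8003-C221C1977B6D} - C:\WINDOWS\system32\sstqo.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Global Startup: reico.bat
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

_SECTION_RE = re.compile(r"^(R\d|O\d+) - ")
_SYS32_MODULE_RE = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.(?:dll|exe)\b", re.IGNORECASE)
_LOCAL_PAC_RE = re.compile(r"https?://(?:localhost|127\.0\.0\.1)[:/]", re.IGNORECASE)
_DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def section(self) -> str:
        m = _SECTION_RE.match(self.line)
        return m.group(1) if m else ""

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def longest_consonant_run(name: str) -> int:
    run = best = 0
    for ch in name.lower():
        if ch in "aeiouy":
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(name: str) -> bool:
    """Names like 'dakkdspd' or 'sstqo': all lowercase letters, short, with a
    long consonant run.  Weak signal on its own, so it only adds one point."""
    return (name.isalpha() and name.islower() and 5 <= len(name) <= 8
            and longest_consonant_run(name) >= 4)


def triage_line(line: str) -> Finding:
    f = Finding(line)
    sec = f.section
    if not sec:
        return f
    if sec in ("O2", "O3") and "(no name)" in line:
        f.add(2, f"unnamed {sec} entry (BHO/toolbar without a friendly name)")
    if "(file missing)" in line or "(no file)" in line:
        f.add(2, "registered component whose file is gone (orphaned entry)")
    if sec == "O20":
        f.add(1, "Winlogon Notify handler: loaded into winlogon.exe at logon")
    mod = _SYS32_MODULE_RE.search(line)
    if mod and looks_random(mod.group(1)):
        f.add(1, f"pseudo-random module name in system32: {mod.group(1)}")
    if sec == "R1" and "AutoConfigURL" in line and _LOCAL_PAC_RE.search(line):
        # Low weight: a PAC served from localhost can belong to a local proxy the
        # user installed (this log also lists Google Web Accelerator).
        f.add(1, "proxy auto-config served from localhost: confirm which local proxy owns it")
    if sec == "O4" and not _DRIVE_PATH_RE.search(line):
        f.add(1, "startup entry without a full path: resolve where the file actually lives")
    return f


def triage(log_text: str) -> list:
    return [triage_line(l) for l in log_text.splitlines() if l.strip()]


def suspicious(log_text: str, threshold: int = 2) -> list:
    """Entries that should be fixed or investigated (score >= threshold)."""
    return [f for f in triage(log_text) if f.score >= threshold]


def review(log_text: str, threshold: int = 2) -> list:
    """Entries carrying a single weak signal: worth a look, not a verdict."""
    return [f for f in triage(log_text) if 0 < f.score < threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.score:
            print(f"[{f.score}] {f.line}")
            for why in f.reasons:
                print(f"      - {why}")
```

On the sample, the four entries the Security Manager asked to have fixed (both unnamed BHOs, the orphaned toolbar and the sstqo Winlogon Notify handler) land in `suspicious`, while the local proxy.pac, the path-less reico.bat startup item and the WgaLogon notify handler land in `review`, which is the right place for lines that need a human to confirm what installed them.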
 

Discussion Starter · #8
Sorry for taking so long... some of those scans took a while!

ComboFix.txt
"Tor Robinson" - 06-12-21 21:16:56.35 Service Pack 2
ComboFix 06-12-19.2W-BetaE2 - Running from: "C:\Documents and Settings\Tor Robinson\desktop"
Command switches used :: /v dakkdspd iifdcax

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dakkdspd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\TORROB~1\Application Data\SearchToolbarCorp
C:\Program Files\VSAdd-in


((((((((((((((((((((((((((((((( Files Created from 2006-11-21 to 2006-12-21 ))))))))))))))))))))))))))))))))))


2006-12-19 23:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-19 21:09 4,626 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-19 20:41 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-19 20:40 88,340 --a------ C:\WINDOWS\system32\fcsjcgnj.exe
2006-12-19 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-18 19:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2006-12-18 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7
2006-12-18 19:01 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-18 18:41 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2006-12-18 18:41 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2006-12-18 18:41 <DIR> d-------- C:\Program Files\ProcessGuard
2006-12-18 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-12-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-17 14:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-17 13:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-17 13:48 <DIR> d-------- C:\DOCUME~1\TORROB~1\.housecall6.6
2006-12-14 22:12 <DIR> d-------- C:\Program Files\Planet Earth 3D Screensaver
2006-12-14 19:39 184,320 --a------ C:\WINDOWS\system32\EXECUTE.SCR
2006-12-14 19:39 150,528 --a------ C:\WINDOWS\system32\NTSCRMON.EXE
2006-12-14 19:39 130,048 --a------ C:\WINDOWS\system32\BLCKSCR.SCR
2006-12-14 19:39 <DIR> d-------- C:\Program Files\Posum
2006-12-14 19:38 299,520 --a------ C:\WINDOWS\uninst.exe
2006-12-14 18:13 88,340 --a------ C:\WINDOWS\system32\exadttrl.exe
2006-12-14 17:31 <DIR> d-------- C:\Program Files\3D Space Tour
2006-12-14 17:26 <DIR> d-------- C:\WINDOWS\system32\GlobFX
2006-12-14 17:22 <DIR> d-------- C:\Program Files\GlobFX Technologies
2006-12-12 21:14 <DIR> d-------- C:\Program Files\TeXaide
2006-12-07 20:26 <DIR> d-------- C:\Program Files\ABBYY ScanTo Office 1.0
2006-12-06 17:33 9,931,703 --a------ C:\WINDOWS\LOST_screensaver.scr
2006-12-06 17:33 65,536 --a------ C:\WINDOWS\NCLAUNCH.EXe
2006-12-06 17:33 45,056 --a------ C:\WINDOWS\NCUNINST.EXe
2006-12-03 16:00 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-12-03 12:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-03 12:33 <DIR> d-------- C:\Fraps
2006-12-02 20:40 <DIR> d-------- C:\Program Files\ArtMoney
2006-12-02 18:58 <DIR> d-------- C:\Program Files\Alive Games
2006-12-02 18:58 <DIR> d-------- C:\DOCUME~1\TORROB~1\APPLIC~1\Alive Games
2006-12-01 19:49 <DIR> d-------- C:\Program Files\Axife Mouse Recorder DEMO
2006-11-24 17:40 <DIR> d-------- C:\Program Files\Deimos Rising


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-21 21:17 9159 --a------ C:\Documents and Settings\Tor Robinson\Application Data\.googlewebacchosts
2006-12-21 19:06 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\utorrent
2006-12-21 17:53 -------- d-------- C:\Program Files\mozilla firefox
2006-12-21 16:37 -------- d-------- C:\Program Files\jiwire
2006-12-21 16:28 -------- d-------- C:\Program Files\steam
2006-12-19 23:19 -------- d-------- C:\Program Files\quicktime
2006-12-19 23:19 -------- d-------- C:\Program Files\msn messenger
2006-12-19 23:19 -------- d-------- C:\Program Files\microsoft activesync
2006-12-19 23:19 -------- d-------- C:\Program Files\itunes
2006-12-19 23:19 -------- d-------- C:\Program Files\Common Files\lightscribe
2006-12-19 20:06 -------- d-------- C:\Program Files\grisoft
2006-12-18 19:56 -------- d-------- C:\Program Files\registry mechanic
2006-12-17 14:12 -------- d-------- C:\Program Files\yahoo!
2006-12-15 23:26 -------- d--h----- C:\Program Files\installshield installation information
2006-12-15 23:26 -------- d-------- C:\Program Files\java
2006-12-12 23:14 -------- d-------- C:\Program Files\prodad
2006-12-12 19:08 -------- d-------- C:\Program Files\pinnacle
2006-12-10 16:25 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\adobe
2006-12-02 18:58 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\alive games
2006-11-24 17:42 20 --a------ C:\Documents and Settings\Tor Robinson\Application Data\deimos rising license.lcs
2006-11-12 20:51 -------- d-------- C:\Program Files\google
2006-11-09 15:52 -------- d-------- C:\Program Files\rapid-emailer
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 11:31 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
2006-11-04 11:31 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\system requirements lab
2006-11-02 23:13 -------- d-------- C:\Program Files\microsoft games
2006-11-02 22:55 -------- d-------- C:\Program Files\doom 3 demo
2006-10-27 18:26 -------- d-------- C:\Program Files\gustosoft
2006-10-26 06:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-25 14:45 -------- d-------- C:\Program Files\ipod
2006-10-24 17:39 -------- d-------- C:\Program Files\increment software
2006-10-24 16:37 -------- d---s---- C:\Documents and Settings\Tor Robinson\Application Data\microsoft
2006-10-23 17:09 -------- d-------- C:\Documents and Settings\Tor Robinson\Application Data\avedesk
2006-10-23 17:04 -------- d-------- C:\Program Files\avedesk
2006-10-22 18:23 -------- d-------- C:\Program Files\virtualdj
2006-10-22 11:34 -------- d-------- C:\Program Files\transparent screen lock
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-08 09:50 2508 --a------ C:\Documents and Settings\Tor Robinson\Application Data\$_hpcst$.hpc
2006-09-29 22:20 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2006-09-29 22:20 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2006-09-22 03:00 45056 --a------ C:\WINDOWS\system32\csvidcap.dll
2006-09-22 03:00 102400 --a------ C:\WINDOWS\system32\tsccvid.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyCaptureScreen"=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"RecGuard"="C:\\Windows\\SMINST\\RecGuard.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"USB2Check"="RUNDLL32.EXE \"C:\\WINDOWS\\system32\\PCLECoInst.dll\",CheckUSBController"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"USBToolTip"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"Ntscrmon"="C:\\WINDOWS\\system32\\ntscrmon.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoClose"=dword:00000000
"NoLogoff"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RK Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\RK Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RKLAUN~1\\RKLAUN~1.EXE "
"item"="RK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
"backup"="C:\\WINDOWS\\pss\\SideWindow.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Innobec\\SIDEWI~1\\Bin\\SIDEWI~1.EXE "
"item"="SideWindow"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^CaptureWiz.lnk]
"backup"="C:\\WINDOWS\\pss\\CaptureWiz.lnkStartup"
"location"="Startup"
"item"="CaptureWiz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Client Default.lnk]
"backup"="C:\\WINDOWS\\pss\\Client Default.lnkStartup"
"location"="Startup"
"item"="Client Default"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
"backup"="C:\\WINDOWS\\pss\\Dragon NaturallySpeaking.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\ScanSoft\\NATURA~1\\Program\\natspeak.exe /Quick"
"item"="Dragon NaturallySpeaking"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Rainlendar.lnk]
"backup"="C:\\WINDOWS\\pss\\Rainlendar.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\RAINLE~1\\RAINLE~1.EXE "
"item"="Rainlendar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Transparent Window]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ActualTransparentWindowCenter"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Entbloess 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Longhorn SideBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SideBar"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinnacle Game Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinnacle"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reflex Vision]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe\" Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\PacSteam\\\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="USBTip"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-12-21 21:30:15.78
C:\ComboFix2.txt ... 06-12-19 20:55

Kaspersky results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 22, 2006 12:42:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/12/2006
Kaspersky Anti-Virus database records: 253477
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 151671
Number of viruses found: 15
Number of infected objects: 22 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02E6759D.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\048F47CA.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04AC41A9.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07333AE2.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B937C11.exe Infected: Trojan-Downloader.Win32.Adload.ck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48A06F58.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\567B627E.def Infected: not-a-virus:porn-Dialer.Win32.PluginAccess.s skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EED4437.tmp Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Tor Robinson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_346.wmdb Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\googlewebaccclient.exe.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAccelerator.pac Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAcceleratorCache Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAccWarden.exe.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_6e0.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_86c.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_a1c.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tor Robinson\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0100457.exe Infected: Backdoor.Win32.GrayBird.ma skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TORS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Pc.Scr Infected: Trojan-PSW.Win32.Delf.lx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\procguard.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8749.sys Object is locked skipped
C:\WINDOWS\system32\exadttrl.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\fcsjcgnj.exe Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pghash.dat Object is locked skipped
C:\WINDOWS\system32\pguard.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT02980.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05f84.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

uninstall_list.txt:
µTorrent
ABBYY ScanTo Office 1.0
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
Apple Software Update
ArtMoney SE v7.21
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
Axife Mouse Recorder DEMO 5.01
Backburner
BitTorrent 4.22.1
Camtasia Studio 4
CCleaner (remove only)
CDisplay 1.8
Conexant AC-Link Audio
Core FTP LE 1.3c
Counter-Strike: Source
Customer Experience Enhancement
CuteFTP 8 Home
Data Fax SoftModem with SmartCP
DiamondCS ProcessGuard v3.150
Digital Media Converter 2.62
DivX
DivX Converter
DivX Player
DivX Web Player
Dragon NaturallySpeaking 8
DukesterX 1.5.1
Earth 3D Space Tour screensaver v1.1
Easy Internet Sign-up
Entisoft Pocket Tablet
Execute Screen Saver Utility
FATE from Hewlett-Packard Laptops (remove only)
Final Fantasy VII - Ultima Edition
FlyakiteOSX
Fraps
Galaxy 3D Space Tour screensaver v1.0
Game Maker 6.1
GameSpy Arcade
GDivX Zenith Player
GlobFX Web Player
Google Earth
Google Talk (remove only)
Google Web Accelerator
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909394)
HP DVD Play 2.0
HP Extended Capabilities 4.7
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Integrated Module with Bluetooth wireless technology
HP Photosmart Premier Software 6.0
HP PSC & OfficeJet 4.7
HP Software Update
HP User Guides 0024
HP User Guides--System Recovery
HP Wireless Assistant 2.00 B3
IconPackager
ImgBurn (Remove Only)
Innobec SideWindow (remove only)
iPod for Windows 2005-11-17
iPod for Windows 2006-01-10
ISO Recorder
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_04
Jupiter 3D Space Tour screensaver v1.0
Kaspersky Online Scanner
KhalSetup
LightScribe Applications
LimeWire 4.12.6
Logitech SetPoint
LOST_screensaver Screen Saver
Macromedia Contribute 3.11
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Mah Jong Quest from Hewlett-Packard Laptops (remove only)
MapleStory
Mars 3D Space Tour screensaver v1.1
Maven3D Trial
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft ActiveSync 4.0
Microsoft Halo
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft Works
mIRC
Moon 3D Space Tour screensaver v1.1
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Multi Theft Auto
muvee autoProducer 4.5
NetFront v3.1 for Pocket PC (PPC3ARENR10D)
Oasis from Hewlett-Packard Laptops (remove only)
ObjectDock
Office 2003 Trial Assistant
OIN
Paltalk Messenger
Panda ActiveScan
Pinnacle Game Profiler
Pinnacle USB device drivers
Pinnacle USB device drivers 2
Polar Bowler from Hewlett-Packard Laptops (remove only)
Polar Golfer from Hewlett-Packard Laptops (remove only)
Project64 1.6
Quick Launch Buttons 5.20 F2
QuickTime
Rainlendar (remove only)
RealPlayer
Reflex Vision 3.0.2
Registry Mechanic 6.0
Saturn 3D Space Tour screensaver v1.0
SCRABBLE from Hewlett-Packard Laptops (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Skype 2.5
Smart Reversi version 2.81
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sony Media Manager 2.2
Sony Vegas 7.0a
Southway Corporation MultiIE v3.10-d0059
Steam
StepMania CVS 4.0 (remove only)
Synaptics Pointing Device Driver
System Requirements Lab
TeXaide 4
Texas Instruments PCIxx21/x515/xx12 drivers.
TourSetup
Tradewinds from Hewlett-Packard Laptops (remove only)
Transparent Screen Lock for Win2000 NT and XP v 2.10
Unlocker 1.8.3
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Virtual Desktop Manager Powertoy for Windows XP
Virtual DJ - Atomix Productions
WildTangent Web Driver
WindowBlinds
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Tools 4.0
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
WinRAR archiver
WinZip
Wireless Home Network Setup
WorldCast 3.1
Yahoo! Toolbar
Yahoo! Widget Engine
zbattle.net 1.09 SR-1 beta
ZoneAlarm

New HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 4:48:41 PM, on 22/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
c:\documents and settings\tor robinson\local settings\application data\yahoo\widget engine\jiwire_wi-fi_finder.widget\jiwirewifi.widget\contents\resources\jiwire.win\jiwirewifiwin.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\ntscrmon.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\torro.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [Ntscrmon] C:\WINDOWS\system32\ntscrmon.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: reico.bat
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JiWire WiFi Monitoring (JiWireWireless) - JiWire, Inc. - c:\documents and settings\tor robinson\local settings\application data\yahoo\widget engine\jiwire_wi-fi_finder.widget\jiwirewifi.widget\contents\resources\jiwire.win\jiwirewifiwin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Update on system behaviour:

It's pretty good! I got ONE pop-up a few days ago, and haven't gotten ANY since!
 

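As an added example (not part of the original post, and not code from HijackThis), here is a small triage pass over the O4 autostart lines of a log like the one above: it flags entries with no absolute path (a bare name such as `KHALMNPR.EXE` is located through PATH at logon), shortcuts whose target HijackThis could not resolve (`Bluetooth.lnk = ?`), scripts or screensavers used as autostarts (`reico.bat`), and anything run from a user-writable location. `SAMPLE_LOG` is a constructed excerpt of this thread's log; the flag wording and the `payload_path` helper are my own.

```python
"""HijackThis O4 (autostart) triage. Added example, not part of the post and
not HijackThis code; SAMPLE_LOG is a constructed excerpt of the thread's log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

O4_RE = re.compile(r"^O4 - (?P<loc>HKLM|HKCU|Startup|Global Startup)"
                   r"(?:\\\.\.\\Run\w*)?: (?P<rest>.*)$")
EXEC_EXT_RE = re.compile(r"\.(exe|dll|bat|cmd|scr|com|pif|vbs)(?=\s|$)")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".scr", ".pif")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Autorun:
    location: str                 # HKLM, HKCU, Startup or Global Startup
    name: str                     # registry value name, or shortcut/file name
    command: str                  # command line or shortcut target ("?" if unresolved)
    flags: List[str] = field(default_factory=list)


def split_first(command: str) -> Tuple[str, str]:
    """Split a command line into program and arguments. HijackThis prints
    unquoted paths with spaces as-is, so an unquoted program is cut at the
    first executable extension that ends a token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end], command[end + 1:].strip()) if end > 0 else (command[1:], "")
    m = EXEC_EXT_RE.search(command.lower())
    if m:
        return command[:m.end()], command[m.end():].strip()
    first, _, rest = command.partition(" ")
    return first, rest.strip()


def payload_path(command: str) -> str:
    """The file that actually runs: for rundll32 that is the DLL named in its
    first argument, without the ',EntryPoint' suffix."""
    exe, rest = split_first(command)
    if exe.lower().endswith("rundll32.exe") and rest:
        exe = split_first(rest)[0].split(",", 1)[0]
    return exe


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one 'O4 - ...' line; any other HijackThis line yields None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("["):            # [ValueName] command line
        name, _, command = rest[1:].partition("] ")
    elif " = " in rest:                 # shortcut.lnk = resolved target
        name, _, command = rest.partition(" = ")
    else:                               # bare file in a Startup folder
        name = command = rest
    return Autorun(m.group("loc"), name.strip(), command.strip())


def triage(entry: Autorun) -> Autorun:
    """Attach the review flags a helper would raise for this entry."""
    low = payload_path(entry.command).lower()
    if entry.command == "?":
        entry.flags.append("unresolved shortcut target")
    elif not re.match(r"^[a-z]:\\", low) and not low.startswith("\\\\"):
        entry.flags.append("no absolute path (located via PATH at logon)")
    if low.endswith(SCRIPT_EXT):
        entry.flags.append("script or screensaver used as autostart")
    if any(marker in low for marker in USER_WRITABLE):
        entry.flags.append("runs from a user-writable location")
    return entry


def triage_log(text: str) -> List[Autorun]:
    """All O4 entries of a log, each carrying its flags (possibly none)."""
    parsed = (parse_o4(line) for line in text.splitlines())
    return [triage(e) for e in parsed if e is not None]


SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: reico.bat
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.location:15} {e.name:38} {'; '.join(e.flags) or 'ok'}")
```

A flag is a prompt to look closer, not a verdict: `KHALMNPR.EXE` here is a legitimate Logitech component that happens to be registered without a path.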
TSF Security Manager, Emeritus · 42,836 Posts
Hi,

Still have a bit more to do. :smile:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. (it's important that you get version v2.0.0.175)

-------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Java 2 Runtime Environment, SE v1.4.1_04
OIN


-----------------------------------

Delete the following folder:

C:\Program Files\OIN

-----------------------------------

Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide.

-----------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\fcsjcgnj.exe
C:\WINDOWS\system32\exadttrl.exe
C:\WINDOWS\Pc.Scr



Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:

* Delete on Reboot
* End Explorer Shell While Killing File
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click YES at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

-----------------------------------

Run another online scan at Kaspersky and save the results.

-----------------------------------

Please run combofix.exe once again

-----------------------------------

Include both reports in your next reply:

Kaspersky results
ComboFix.txt
 

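The "Verify that the filenames you pasted are found there" step can be checked one level deeper before the reboot. As an added example (not part of the post above and not KillBox's code), assuming KillBox's Delete on Reboot queues files through the standard `MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT)` mechanism that Windows records in the `PendingFileRenameOperations` registry value, this script reads that value and reports which of the three intended deletions are queued and whether anything else has been queued alongside them; `SAMPLE_VALUE` is a constructed value used when the registry is not available.

```python
r"""Inspect the deletions a 'Delete on Reboot' has queued, before rebooting.
Added example, not part of the post and not KillBox's code. Assumes KillBox
queues the files with MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), which
Windows records in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as (source, destination) pairs; an empty destination means "delete" and a
leading '!' on the destination means "replace existing". SAMPLE_VALUE is constructed.
"""
from typing import Dict, List, Optional, Tuple

NT_PREFIX = "\\??\\"
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def to_win32_path(nt_path: str) -> str:
    r"""Turn '\??\C:\dir\file' (optionally '!'-prefixed) into 'C:\dir\file'."""
    p = nt_path[1:] if nt_path.startswith("!") else nt_path
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending_ops(strings: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Pair up the raw value; a destination of None means the source is deleted."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations has an odd number of strings")
    return [(to_win32_path(src), to_win32_path(dst) if dst else None)
            for src, dst in zip(strings[0::2], strings[1::2])]


def check_queue(strings: List[str], expected_deletions: List[str]) -> Dict[str, list]:
    """Compare the queued deletions (case-insensitively, as NTFS does) with the
    files the helper asked for; queued renames are reported separately."""
    ops = parse_pending_ops(strings)
    queued = {src.lower(): src for src, dst in ops if dst is None}
    wanted = {p.lower(): p for p in expected_deletions}
    return {
        "missing": [wanted[k] for k in sorted(wanted.keys() - queued.keys())],
        "unexpected": [queued[k] for k in sorted(queued.keys() - wanted.keys())],
        "renames": [(src, dst) for src, dst in ops if dst is not None],
    }


def read_pending_ops() -> List[str]:
    """Read the live value on Windows; returns [] when nothing is queued."""
    import winreg  # Windows only; ImportError elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


# The three files named in the KillBox step above.
EXPECTED = [
    r"C:\WINDOWS\system32\fcsjcgnj.exe",
    r"C:\WINDOWS\system32\exadttrl.exe",
    r"C:\WINDOWS\Pc.Scr",
]

# Constructed value: the three intended deletions, an unrelated installer
# rename (placeholder names), and a deletion that should not be there at all
# (the ProcessGuard driver listed in the ComboFix log).
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\system32\fcsjcgnj.exe", "",
    r"\??\C:\WINDOWS\system32\exadttrl.exe", "",
    r"\??\C:\WINDOWS\Pc.Scr", "",
    r"\??\C:\WINDOWS\Temp\setup_tmp.dll", r"!\??\C:\WINDOWS\system32\example.dll",
    r"\??\C:\WINDOWS\system32\drivers\procguard.sys", "",
]

if __name__ == "__main__":
    try:
        queued = read_pending_ops()      # live registry on Windows ...
    except ImportError:
        queued = SAMPLE_VALUE            # ... constructed sample elsewhere
    for kind, items in check_queue(queued, EXPECTED).items():
        print(f"{kind:10} {items}")
```

An entry under "unexpected" means something other than the three files will be removed at the next boot; that is the moment to stop and clear the queue rather than after the reboot.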
Registered · 63 Posts · Discussion Starter · #10
Ahhhh sorry it's taken so long..... my apologies

Kaspersky results
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 04, 2007 2:23:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/01/2007
Kaspersky Anti-Virus database records: 255992
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 154452
Number of viruses found: 13
Number of infected objects: 19 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:25:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0314\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02E6759D.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\048F47CA.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04AC41A9.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06B3556E.exe CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\07333AE2.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B937C11.exe Infected: Trojan-Downloader.Win32.Adload.ck skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48A06F58.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\567B627E.def Infected: not-a-virus:porn-Dialer.Win32.PluginAccess.s skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EED4437.tmp Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\history.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\key3.db Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tor Robinson\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tor Robinson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Tor Robinson\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Application Data\Mozilla\Firefox\Profiles\v13pph45.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\fla572.tmp Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\googlewebaccclient.exe.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAccelerator.pac Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAcceleratorCache Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\GoogleWebAccWarden.exe.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_110.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_6c4.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_ad8.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\Perflib_Perfdata_df0.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Tor Robinson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tor Robinson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tor Robinson\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0100457.exe Infected: Backdoor.Win32.GrayBird.ma skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\TORS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C3DFE990-3A87-4E4F-8EC9-83A19CF00E89}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\procguard.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8749.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pghash.dat Object is locked skipped
C:\WINDOWS\system32\pguard.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_308.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT00e28.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06660.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Combofix.txt
"Tor Robinson" - 07-01-04 14:30:12.01 Service Pack 2
ComboFix 06-12-19.2W-BetaE2 - Running from: "C:\Documents and Settings\Tor Robinson\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2006-12-31 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2006-12-31 01:03 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2006-12-31 01:02 <DIR> d-------- C:\Program Files\IVT Corporation
2006-12-30 00:07 <DIR> d-------- C:\Program Files\GlovePie
2006-12-27 22:29 <DIR> d-------- C:\Program Files\BatteryMon
2006-12-25 15:25 <DIR> d-------- C:\DOCUME~1\TORROB~1\APPLIC~1\ATI
2006-12-25 15:21 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-12-25 15:19 <DIR> d-------- C:\ATI
2006-12-23 17:52 <DIR> d-------- C:\Program Files\Ultra Fractal 4
2006-12-23 17:52 <DIR> d-------- C:\DOCUME~1\TORROB~1\APPLIC~1\Ultra Fractal 4
2006-12-21 22:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-19 23:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-19 21:09 4,626 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-19 20:41 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-19 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-18 19:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2006-12-18 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVG7
2006-12-18 19:01 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-18 18:41 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2006-12-18 18:41 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2006-12-18 18:41 <DIR> d-------- C:\Program Files\ProcessGuard
2006-12-18 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-12-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-17 14:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-17 13:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-17 13:48 <DIR> d-------- C:\DOCUME~1\TORROB~1\.housecall6.6
2006-12-14 22:12 <DIR> d-------- C:\Program Files\Planet Earth 3D Screensaver
2006-12-14 19:39 184,320 --a------ C:\WINDOWS\system32\EXECUTE.SCR
2006-12-14 19:39 150,528 --a------ C:\WINDOWS\system32\NTSCRMON.EXE
2006-12-14 19:39 130,048 --a------ C:\WINDOWS\system32\BLCKSCR.SCR
2006-12-14 19:39 <DIR> d-------- C:\Program Files\Posum
2006-12-14 19:38 299,520 --a------ C:\WINDOWS\uninst.exe
2006-12-14 17:31 <DIR> d-------- C:\Program Files\3D Space Tour
2006-12-14 17:26 <DIR> d-------- C:\WINDOWS\system32\GlobFX
2006-12-14 17:22 <DIR> d-------- C:\Program Files\GlobFX Technologies
2006-12-12 21:14 <DIR> d-------- C:\Program Files\TeXaide
2006-12-07 20:26 <DIR> d-------- C:\Program Files\ABBYY ScanTo Office 1.0
2006-12-06 17:33 9,931,703 --a------ C:\WINDOWS\LOST_screensaver.scr
2006-12-06 17:33 65,536 --a------ C:\WINDOWS\NCLAUNCH.EXe
2006-12-06 17:33 45,056 --a------ C:\WINDOWS\NCUNINST.EXe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 04:29 -------- d-------- C:\Program Files\jiwire
2007-01-04 04:08 17670 --a------ C:\DOCUME~1\TORROB~1\Application Data\.googlewebacchosts
2007-01-04 03:44 -------- d-------- C:\Program Files\mozilla firefox
2007-01-04 03:26 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\utorrent
2007-01-02 18:20 -------- d-------- C:\Program Files\steam
2006-12-25 15:25 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\ati
2006-12-25 15:21 -------- d-------- C:\Program Files\ati technologies
2006-12-24 01:13 -------- d-------- C:\Program Files\artmoney
2006-12-23 17:52 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\ultra fractal 4
2006-12-19 23:19 -------- d-------- C:\Program Files\quicktime
2006-12-19 23:19 -------- d-------- C:\Program Files\msn messenger
2006-12-19 23:19 -------- d-------- C:\Program Files\microsoft activesync
2006-12-19 23:19 -------- d-------- C:\Program Files\itunes
2006-12-19 23:19 -------- d-------- C:\Program Files\Common Files\lightscribe
2006-12-19 20:06 -------- d-------- C:\Program Files\grisoft
2006-12-18 19:56 -------- d-------- C:\Program Files\registry mechanic
2006-12-17 14:12 -------- d-------- C:\Program Files\yahoo!
2006-12-15 23:26 -------- d--h----- C:\Program Files\installshield installation information
2006-12-15 23:26 -------- d-------- C:\Program Files\java
2006-12-15 22:46 -------- d-------- C:\Program Files\deimos rising
2006-12-12 23:14 -------- d-------- C:\Program Files\prodad
2006-12-12 19:08 -------- d-------- C:\Program Files\pinnacle
2006-12-10 16:25 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\adobe
2006-12-02 18:58 -------- d-------- C:\Program Files\alive games
2006-12-02 18:58 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\alive games
2006-12-01 19:49 -------- d-------- C:\Program Files\axife mouse recorder demo
2006-11-24 17:42 20 --a------ C:\DOCUME~1\TORROB~1\Application Data\deimos rising license.lcs
2006-11-21 20:25 2829824 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-11-21 20:25 261120 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-11-21 20:20 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-11-21 20:20 106496 --a------ C:\WINDOWS\system32\oemdspif.dll
2006-11-21 20:19 90112 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-11-21 20:19 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-11-21 20:19 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2006-11-21 20:18 430080 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-11-21 20:17 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2006-11-21 20:12 2526688 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-11-21 20:11 5279744 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-11-21 20:08 1090016 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-11-21 19:57 217088 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-11-21 19:56 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-11-21 19:51 294912 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-11-21 19:50 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-11-21 19:49 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-11-21 19:21 303104 --a------ C:\WINDOWS\system32\atidemgr.dll
2006-11-12 20:51 -------- d-------- C:\Program Files\google
2006-11-09 15:52 -------- d-------- C:\Program Files\rapid-emailer
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 11:31 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
2006-11-04 11:31 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\system requirements lab
2006-10-26 06:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-08 09:50 2508 --a------ C:\DOCUME~1\TORROB~1\Application Data\$_hpcst$.hpc


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyCaptureScreen"=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"RecGuard"="C:\\Windows\\SMINST\\RecGuard.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"USB2Check"="RUNDLL32.EXE \"C:\\WINDOWS\\system32\\PCLECoInst.dll\",CheckUSBController"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"USBToolTip"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"Ntscrmon"="C:\\WINDOWS\\system32\\ntscrmon.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoClose"=dword:00000001
"NoLogoff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RK Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\RK Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RKLAUN~1\\RKLAUN~1.EXE "
"item"="RK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
"backup"="C:\\WINDOWS\\pss\\SideWindow.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Innobec\\SIDEWI~1\\Bin\\SIDEWI~1.EXE "
"item"="SideWindow"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^CaptureWiz.lnk]
"backup"="C:\\WINDOWS\\pss\\CaptureWiz.lnkStartup"
"location"="Startup"
"item"="CaptureWiz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Client Default.lnk]
"backup"="C:\\WINDOWS\\pss\\Client Default.lnkStartup"
"location"="Startup"
"item"="Client Default"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
"backup"="C:\\WINDOWS\\pss\\Dragon NaturallySpeaking.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\ScanSoft\\NATURA~1\\Program\\natspeak.exe /Quick"
"item"="Dragon NaturallySpeaking"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Rainlendar.lnk]
"backup"="C:\\WINDOWS\\pss\\Rainlendar.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\RAINLE~1\\RAINLE~1.EXE "
"item"="Rainlendar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Transparent Window]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ActualTransparentWindowCenter"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Entbloess 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Longhorn SideBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SideBar"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinnacle Game Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinnacle"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reflex Vision]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe\" Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\PacSteam\\\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="USBTip"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-04 14:47:01.09
C:\ComboFix2.txt ... 06-12-21 21:30
C:\ComboFix3.txt ... 06-12-19 20:55
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello--I thought I had lost you. :smile:

Kaspersky is reporting infections that are already locked away in your Norton Quarantine.

Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide.

How is your system behaving?
 

Registered · 63 Posts · Discussion Starter · #12 · (Edited)
Hmmmm... having some trouble doing that. I can't seem to find Norton Antivirus. I've looked everywhere and concluded I must have uninstalled it.
So I installed the trial of NAV 2007 and as I suspected, the quarantine section was empty...


:S ???

Behavior:
No popups or anything yet, however I am having a problem that may or may not be related to a virus: I lose the ability to use the Task Manager. I have to run

"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f"

I use it, but when I boot up the next day, it doesn't stay available and I must do it again.

I also can't shut down or restart from the start menu anymore (and yes, I am the "administrator"). I have to log out, and then tell it to shut down.

Also, (and it's probably related), ever since I've had these recent problems, starting up and shutting down have taken DOUBLE the time.

Yeah..... icky... :(
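The behaviour described in this post (Task Manager disabled again after every boot, no Shutdown or Log Off from the Start menu) matches the policy values the ComboFix logs show set to 1: DisableChangePassword and DisableLockWorkstation under policies\system, NoClose and NoLogoff under policies\explorer. As an added example, not code from the thread and not the contents of the helper's torro.zip, this Python script parses a regedit-style dump in the format ComboFix prints, lists everything that autostarts from a Run key, flags lockout policies set to non-zero, and emits a .reg file that resets all of them to 0 in one merge, the bulk equivalent of the single REG add command above. The sample dump is constructed from values visible in the thread; the lists of policy names to check are my own selection of well-known Explorer and System policies.

```python
"""
Added example (not from the thread): parse a regedit/ComboFix-style
registry dump, list Run-key autostarts, flag user-lockout policies and
build a .reg file that resets them. SAMPLE_DUMP is constructed for this
example from values that appear in the thread's logs.
"""
import re

# Policy values that, when non-zero, remove normal user controls.
# Malware commonly sets these; the thread's logs show several at 1.
# The selection of names is this example's own, not from the thread.
LOCKOUT_POLICIES = {
    r"policies\system": {"DisableTaskMgr", "DisableChangePassword",
                         "DisableLockWorkstation", "DisableRegistryTools"},
    r"policies\explorer": {"NoClose", "NoLogoff", "NoRun", "NoControlPanel"},
}

SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyCaptureScreen"=""
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoClose"=dword:00000001
"NoLogoff"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_dump(text):
    """Return {key_path: {value_name: raw_data}} from a regedit-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_data(raw):
    """dword:XXXXXXXX -> int; "..." -> unescaped string; anything else as-is."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_lockouts(keys):
    """Return (key, value_name, data) for lockout policies set to non-zero."""
    found = []
    for key, values in keys.items():
        for suffix, names in LOCKOUT_POLICIES.items():
            if key.lower().endswith(suffix):
                for name, raw in values.items():
                    data = decode_data(raw)
                    if name in names and data != 0:
                        found.append((key, name, data))
    return found


def list_autoruns(keys):
    """Return (key, value_name, command) for every non-empty value under a Run key."""
    return [(key, name, decode_data(raw))
            for key, values in keys.items() if key.lower().endswith(r"\run")
            for name, raw in values.items() if raw != '""']


def undo_reg(lockouts):
    """Build .reg text that resets every flagged policy to 0 in one merge."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in lockouts}):
        lines.append(f"[{key}]")
        for k, name, _ in lockouts:
            if k == key:
                lines.append(f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for key, name, cmd in list_autoruns(parsed):
        print(f"autorun  {name!r:28} {cmd}")
    lockouts = find_lockouts(parsed)
    for key, name, data in lockouts:
        print(f"lockout  {name}={data} in {key}")
    print(undo_reg(lockouts))
```

Merging the generated .reg (as the helper later describes: double-click, confirm, reboot) clears the lockouts in one step. If the values are back to 1 after the next boot, something that still autostarts is re-setting them, which is why the script lists the Run-key commands next to the policy findings.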
 

TSF Security Manager, Emeritus · 42,836 Posts
Delete your current version of Combofix.exe as it has since been updated:


Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply along with a new HijackThis log.
 

Registered · 63 Posts · Discussion Starter · #14
Combofix log

"Tor Robinson" - 07-01-06 1:09:14 Service Pack 2
ComboFix 07-01-06W-BetaE2 - Running from: "C:\Documents and Settings\Tor Robinson\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-06 to 2007-01-06 ))))))))))))))))))))))))))))))))))


2007-01-05 01:06 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-05 00:31 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-01-05 00:29 48,824 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-01-05 00:29 108,728 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-31 01:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Bluetooth
2006-12-31 01:03 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2006-12-31 01:02 <DIR> d-------- C:\Program Files\IVT Corporation
2006-12-30 00:07 <DIR> d-------- C:\Program Files\GlovePie
2006-12-27 22:29 <DIR> d-------- C:\Program Files\BatteryMon
2006-12-25 15:25 <DIR> d-------- C:\DOCUME~1\TORROB~1\Application Data\ATI
2006-12-25 15:21 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-12-25 15:19 <DIR> d-------- C:\ATI
2006-12-23 17:52 <DIR> d-------- C:\Program Files\Ultra Fractal 4
2006-12-23 17:52 <DIR> d-------- C:\DOCUME~1\TORROB~1\Application Data\Ultra Fractal 4
2006-12-21 22:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-19 23:13 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-19 21:09 4,626 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-19 20:41 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-19 20:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-18 19:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2006-12-18 19:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AVG7
2006-12-18 19:01 <DIR> d-------- C:\Program Files\Hijackthis
2006-12-18 18:41 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2006-12-18 18:41 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2006-12-18 18:41 <DIR> d-------- C:\Program Files\ProcessGuard
2006-12-18 18:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee
2006-12-17 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2006-12-17 14:11 <DIR> d-------- C:\Program Files\CCleaner
2006-12-17 13:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-17 13:48 <DIR> d-------- C:\DOCUME~1\TORROB~1\.housecall6.6
2006-12-14 22:12 <DIR> d-------- C:\Program Files\Planet Earth 3D Screensaver
2006-12-14 19:39 184,320 --a------ C:\WINDOWS\system32\EXECUTE.SCR
2006-12-14 19:39 150,528 --a------ C:\WINDOWS\system32\NTSCRMON.EXE
2006-12-14 19:39 130,048 --a------ C:\WINDOWS\system32\BLCKSCR.SCR
2006-12-14 19:39 <DIR> d-------- C:\Program Files\Posum
2006-12-14 19:38 299,520 --a------ C:\WINDOWS\uninst.exe
2006-12-14 17:31 <DIR> d-------- C:\Program Files\3D Space Tour
2006-12-14 17:26 <DIR> d-------- C:\WINDOWS\system32\GlobFX
2006-12-14 17:22 <DIR> d-------- C:\Program Files\GlobFX Technologies
2006-12-12 21:14 <DIR> d-------- C:\Program Files\TeXaide
2006-12-07 20:26 <DIR> d-------- C:\Program Files\ABBYY ScanTo Office 1.0
2006-12-06 17:33 9,931,703 --a------ C:\WINDOWS\LOST_screensaver.scr
2006-12-06 17:33 65,536 --a------ C:\WINDOWS\NCLAUNCH.EXe
2006-12-06 17:33 45,056 --a------ C:\WINDOWS\NCUNINST.EXe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-06 01:08 19142 --a------ C:\DOCUME~1\TORROB~1\Application Data\.googlewebacchosts
2007-01-06 01:08 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\utorrent
2007-01-06 01:00 -------- d-------- C:\Program Files\mozilla firefox
2007-01-06 00:48 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-05 22:09 -------- d-------- C:\Program Files\jiwire
2007-01-05 00:40 -------- d-------- C:\Program Files\symantec
2007-01-02 18:20 -------- d-------- C:\Program Files\steam
2006-12-25 15:21 -------- d-------- C:\Program Files\ati technologies
2006-12-24 01:13 -------- d-------- C:\Program Files\artmoney
2006-12-19 23:19 -------- d-------- C:\Program Files\quicktime
2006-12-19 23:19 -------- d-------- C:\Program Files\msn messenger
2006-12-19 23:19 -------- d-------- C:\Program Files\microsoft activesync
2006-12-19 23:19 -------- d-------- C:\Program Files\itunes
2006-12-19 23:19 -------- d-------- C:\Program Files\Common Files\lightscribe
2006-12-19 20:06 -------- d-------- C:\Program Files\grisoft
2006-12-18 19:56 -------- d-------- C:\Program Files\registry mechanic
2006-12-17 14:12 -------- d-------- C:\Program Files\yahoo!
2006-12-15 23:26 -------- d--h----- C:\Program Files\installshield installation information
2006-12-15 23:26 -------- d-------- C:\Program Files\java
2006-12-15 22:46 -------- d-------- C:\Program Files\deimos rising
2006-12-12 23:14 -------- d-------- C:\Program Files\prodad
2006-12-12 19:08 -------- d-------- C:\Program Files\pinnacle
2006-12-10 16:25 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\adobe
2006-12-02 18:58 -------- d-------- C:\Program Files\alive games
2006-12-02 18:58 -------- d-------- C:\DOCUME~1\TORROB~1\Application Data\alive games
2006-12-01 19:49 -------- d-------- C:\Program Files\axife mouse recorder demo
2006-11-24 17:42 20 --a------ C:\DOCUME~1\TORROB~1\Application Data\deimos rising license.lcs
2006-11-21 20:25 2829824 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-11-21 20:25 261120 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-11-21 20:20 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-11-21 20:20 106496 --a------ C:\WINDOWS\system32\oemdspif.dll
2006-11-21 20:19 90112 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-11-21 20:19 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-11-21 20:19 26112 --a------ C:\WINDOWS\system32\ati2mdxx.exe
2006-11-21 20:18 430080 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-11-21 20:17 53248 --a------ C:\WINDOWS\system32\atiddc.dll
2006-11-21 20:12 2526688 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-11-21 20:11 5279744 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-11-21 20:08 1090016 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-11-21 19:57 217088 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-11-21 19:56 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-11-21 19:51 294912 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-11-21 19:50 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-11-21 19:49 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-11-21 19:21 303104 --a------ C:\WINDOWS\system32\atidemgr.dll
2006-11-12 20:51 -------- d-------- C:\Program Files\google
2006-11-09 15:52 -------- d-------- C:\Program Files\rapid-emailer
2006-11-07 22:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-26 06:08 40960 --a------ C:\WINDOWS\system32\frapsvid.dll
2006-10-19 06:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 05:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-08 09:50 2508 --a------ C:\DOCUME~1\TORROB~1\Application Data\$_hpcst$.hpc


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AnyCaptureScreen"=""
"FreeRAM XP"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"NCLaunch"="C:\\WINDOWS\\NCLAUNCH.EXe"
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QPService"="\"C:\\Program Files\\HP\\QuickPlay\\QPService.exe\""
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"RecGuard"="C:\\Windows\\SMINST\\RecGuard.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
@=""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"USB2Check"="RUNDLL32.EXE \"C:\\WINDOWS\\system32\\PCLECoInst.dll\",CheckUSBController"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"USBToolTip"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"Ntscrmon"="C:\\WINDOWS\\system32\\ntscrmon.exe"
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
"backup"="C:\\WINDOWS\\pss\\HP Photosmart Premier Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Photosmart Premier Fast Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RK Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\RK Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\RKLAUN~1\\RKLAUN~1.EXE "
"item"="RK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
"backup"="C:\\WINDOWS\\pss\\SideWindow.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Innobec\\SIDEWI~1\\Bin\\SIDEWI~1.EXE "
"item"="SideWindow"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^CaptureWiz.lnk]
"backup"="C:\\WINDOWS\\pss\\CaptureWiz.lnkStartup"
"location"="Startup"
"item"="CaptureWiz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Client Default.lnk]
"backup"="C:\\WINDOWS\\pss\\Client Default.lnkStartup"
"location"="Startup"
"item"="Client Default"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Dragon NaturallySpeaking.lnk]
"backup"="C:\\WINDOWS\\pss\\Dragon NaturallySpeaking.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\ScanSoft\\NATURA~1\\Program\\natspeak.exe /Quick"
"item"="Dragon NaturallySpeaking"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tor Robinson^Start Menu^Programs^Startup^Rainlendar.lnk]
"backup"="C:\\WINDOWS\\pss\\Rainlendar.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\RAINLE~1\\RAINLE~1.EXE "
"item"="Rainlendar"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Actual Transparent Window]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ActualTransparentWindowCenter"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Entbloess 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LClock"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Longhorn SideBar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SideBar"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinnacle Game Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pinnacle"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KALiNKOsoft\\Pinnacle Game Profiler\\pinnacle.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reflex Vision]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ReflexVision"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Increment Software\\Reflex Vision\\ReflexVision.exe\" Start:Silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\PacSteam\\\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="USBTip"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Pinnacle\\Shared Files\\Programs\\USBTip\\USBTip.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=dword:00000001
"NoLogoff"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Tor Robinson.job

Completion time: 07-01-06 1:15:53
C:\ComboFix2.txt ... 07-01-04 14:47
C:\ComboFix3.txt ... 06-12-21 21:30
 

TSF Security Manager, Emeritus · 42,836 Posts
Hiya,

Download the attached torro.zip file to your desktop.

Double click on the zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

Immediately reboot your system.

How is the system behaving now?
 

TSF Security Manager, Emeritus · 42,836 Posts
Glad to hear that. :sayyes:

How is your system behaving? If there aren't any more problems, please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4
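The IE-SPYAD list described above works by placing domains in Internet Explorer's Restricted sites zone, which IE stores per domain under the ZoneMap\Domains key with zone id 4. As an added example, not code from the thread or from IE-SPYAD, this Python snippet generates a .reg file that does the same for a domain list of your own; the sample domains are constructed for the example, and the split into registrable domain plus host is a two-label simplification that mishandles suffixes such as co.uk.

```python
"""
Added example (not from the thread or IE-SPYAD): build a .reg file that
places domains in Internet Explorer's Restricted sites zone, the same
mechanism a Restricted-list tool uses. SAMPLE_DOMAINS is constructed.
"""

# IE security zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
ZONE_RESTRICTED = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")

SAMPLE_DOMAINS = ["bad-example.test", "www.other-example.test"]  # constructed


def split_domain(domain):
    """'www.other-example.test' -> ('other-example.test', 'www').
    A bare two-label domain has no host part (host is None).
    Simplification: assumes the registrable domain is the last two labels."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or any(not l for l in labels):
        raise ValueError(f"not a domain: {domain!r}")
    base = ".".join(labels[-2:])
    host = ".".join(labels[:-2]) or None
    return base, host


def restricted_zone_reg(domains, zone=ZONE_RESTRICTED):
    """Return .reg text assigning each domain (all schemes, "*") to `zone`."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in sorted(set(domains)):
        base, host = split_domain(d)
        key = f"{ZONEMAP}\\{base}" if host is None else f"{ZONEMAP}\\{base}\\{host}"
        lines.append(f"[{key}]")
        lines.append(f'"*"=dword:{zone:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_DOMAINS))
```

Sites in the Restricted zone keep IE's most locked-down settings (no scripting, no ActiveX, no downloads), so the page still loads but cannot push content onto the machine; this is a per-user setting (HKCU), so each account that browses needs the merge.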

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically. :smile:
 