
having some problems


Name: cretkel
Date: January 14, 2007 at 11:28:06 Pacific
OS: Windows XP
CPU/Ram: Processor x86/ 490 mb of
Product: Toshiba
Comment:

Hi, recently I've been experiencing some problems with my computer that I think might point to at least one instance of spyware, if not more.

A few days ago I started constantly getting an Internet Explorer error message that would never actually crash Internet Explorer. It would appear whether you were on Internet Explorer or not, and clicking the "do not send" button at the "do you want to send this error to Microsoft?" prompt would just result in the same message popping up again. Around this time, other funky stuff started happening, such as my CD burning program launching at startup. I ran Spybot to no avail.

Yesterday, while on the web, I got a whole bunch of popups that definitely resulted in some variation of the Bar888 adware program wriggling its way onto my computer. I ran Spybot and deleted a whole bunch of stuff, but "Bar888" continued to remain on my programs list, and there was still an icon linking to "banners.ringtonechannel.com" on my desktop. What's more, now on startup, the system immediately logs into safe mode and tries to install "new hardware" which doesn't exist.

I've uninstalled bar888 from my programs list, but still these problems persist and so I was wondering if any of you guys would be willing to look at my hijackthis log? I'm hoping that this is just a spyware problem, and not something nastier.





Response Number 1
Name: jabuck
Date: January 14, 2007 at 11:53:59 Pacific
Reply:

Go to start > control panel > add/remove programs and uninstall the following if present:

Oin
Yazzle by Oin
YazzleActiveX By OIN
Yazzle anything
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it
888 toolbar
anything with 888 in it

If OIN not listed, download and run this uninstaller OiUninstaller.exe

Reboot when done! Really important!

Download "Rogue Remover" and run it by following the directions at this link http://www.malwarebytes.org/rogueremover.php

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 2
Name: cretkel
Date: January 14, 2007 at 17:23:04 Pacific
Reply:

Okay, I ran OiUninstaller and Rogue Remover (which didn't find anything). My problems seem to still be persisting, however. I did notice, when looking at my task manager, that I have five different instances of "svchost.exe" running. Do you think that could indicate malicious programs operating under the name of that file?

Here's my hijackthis log, along with the smitfraudfix one:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:52 PM, on 1/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\EzButton\CPLDBL10.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\NOTEPAD.exe
C:\Documents and Settings\BROOKE LEIGH BELL\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Smitfraudfix:

SmitFraudFix v2.132

Scan done at 17:15:37.04, Sun 01/14/2007
Run from C:\Documents and Settings\BROOKE LEIGH BELL\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BROOKE LEIGH BELL


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BROOKE LEIGH BELL\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BROOKE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



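The helper's next reply picks out exactly the entries in this log that point at nothing: two O2 BHO lines ending in "(no file)" and an O16 DPF line with no download URL. The script below is an added example (not part of the thread and not a HijackThis feature) that applies those same two checks mechanically, and also answers the svchost.exe question in a defensible way: several svchost.exe instances are normal on XP, so the thing to check is not the count but whether each one runs from the system32 directory. The sample log is constructed from a subset of the lines posted above plus one made-up svchost.exe path under a Temp folder so the path check has something to report.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above, plus one
# invented svchost.exe entry under a user Temp folder (not from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\USER\Local Settings\Temp\svchost.exe
C:\WINDOWS\Explorer.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

# HijackThis entry lines look like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O16 bodies look like "DPF: {CLSID} - <URL the control was downloaded from>".
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}\s*-\s*(?P<url>.*)$")
# On Windows XP the only legitimate location of svchost.exe (lower-cased for comparison).
LEGIT_SVCHOST_DIR = r"c:\windows\system32"


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """Return [(raw_line, reason)] for entries that point at nothing."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((raw, "browser extension registered but its DLL is missing (orphaned entry)"))
        elif section == "O16":
            m = O16_RE.match(body)
            url = m.group("url").strip() if m else ""
            if not url:
                findings.append((raw, "downloaded ActiveX control with no source URL to verify"))
    return findings


def running_paths(log_text):
    """Return the full paths listed under the 'Running processes:' header."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
            continue
        if in_section:
            if not line:  # a blank line ends the section
                break
            paths.append(line)
    return paths


def svchost_check(log_text):
    """Return (instance count, [svchost.exe paths outside the system32 directory])."""
    instances = [p for p in running_paths(log_text) if p.lower().endswith("\\svchost.exe")]
    odd = [p for p in instances if not p.lower().startswith(LEGIT_SVCHOST_DIR + "\\")]
    return len(instances), odd


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {raw}")
    count, odd = svchost_check(SAMPLE_LOG)
    print(f"svchost.exe instances: {count}; outside system32: {odd}")
```

The count alone proves nothing, which is why `svchost_check` returns the list of out-of-place paths rather than a verdict: the two real entries in the posted log both live in system32 and pass, while the constructed Temp copy is the only one reported.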

Response Number 3
Name: jabuck
Date: January 14, 2007 at 19:05:00 Pacific
Reply:

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti-Spyware.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - (no file)

O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - (no file)

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -

Exit Hijack This.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Post the AVG Anti-Spyware log.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the combofix.txt log.



Response Number 4
Name: cretkel
Date: January 17, 2007 at 18:54:50 Pacific
Reply:

Okay, here's the AVG Anti-Spyware log and the ComboFix log:

AVG Anti-Spyware-Scan Report
- - - - - - - - + Created at: 6:17:31 PM 1/17/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
-> Adware Generic : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Clickspring
-> Adware PurityScan : Cleaned with backup (quarantined).
: : Report end


"USER" - 07-01-17 18:30:53 Service Pack 1
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\USER\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\unsvchosts.lzma
C:\Program Files\Common Files\{3C94E~1
C:\Program Files\Common Files\{FC94E~2
C:\Program Files\Common Files\{FC94E~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))


2007-01-17 17:28 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-17 17:28 <DIR> d-------- C:\Program Files\Grisoft
2007-01-14 17:15 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-14 17:15 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-14 17:15 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-14 17:15 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-14 17:15 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-14 17:15 2,704 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-14 17:15 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-14 17:10 <DIR> d-------- C:\Program Files\RogueRemover
2007-01-14 11:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-01-14 11:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\InterVideo
2007-01-14 11:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\InterTrust
2007-01-14 11:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Drag'n Drop CD+DVD
2007-01-14 11:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Adobe
2007-01-13 23:09 0 --a------ C:\WINDOWS\system32\iAlmcoin.dll
2007-01-13 20:33 2,114 --a------ C:\92258266.exe
2007-01-13 20:33 2,114 --a------ C:\19795177.exe
2006-12-25 11:37 <DIR> d-------- C:\DOCUME~1\USER~1\Application Data\MAGIX
2006-12-19 20:03 <DIR> d-------- C:\WINDOWS\pss
2006-12-19 19:35 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-17 18:23 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-12-19 18:38 -------- d-------- C:\Program Files\soulseek
2006-12-09 14:39 -------- d-------- C:\Program Files\Common Files\magix shared


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"CeEKEY"="C:\\Program Files\\TOSHIBA\\E-KEY\\CeEKey.exe"
"CeEPOWER"="C:\\Program Files\\TOSHIBA\\Power Management\\CePMTray.exe"
"TPNF"="C:\\Program Files\\TOSHIBA\\TouchPad\\TPTray.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
@=""
"tgcmd"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"NDSTray.exe"="NDSTray.exe"
"CPLDBL10"="C:\\Program Files\\EzButton\\CPLDBL10.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"Drag'n Drop CD+DVD"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DragDrop"
"hkey"="HKLM"
"command"="C:\\Program Files\\Drag'n Drop CD+DVD\\BinFiles\\DragDrop.exe /StartUp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FirebirdServerMAGIXInstance"=dword:00000003
"ERSvc"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1074833599.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-17 18:34:37




Response Number 5
Name: jabuck
Date: January 17, 2007 at 19:33:50 Pacific
Reply:

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Download and install AVG Anti-Spyware We will need this later in safe mode

Be sure to update AVG Anti-Spyware.

Go to this link, http://virusscan.jotti.org/ copy the following files one at a time into the "upload and scan box", click submit then post the results. Use the browse button to locate the files.

C:\92258266.exe

C:\19795177.exe





Response Number 6
Name: cretkel
Date: January 18, 2007 at 21:52:34 Pacific
Reply:

Here are the results of the http://virusscan.jotti.org/ scans:

C:\92258266.exe
Scan taken on 19 Jan 2007 05:49:37 (GMT)
AntiVir Found TR/Agent.2116
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic2.PKN
BitDefender Found DeepScan:Generic.Malware.dld!!.721A9780
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Downloader.gen10
F-Secure Anti-Virus Found nothing
Fortinet Found W32/Dloader.HYW!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.Tiny.NCA
Norman Virus Control Found W32/DLoader.BOPI
VirusBuster Found nothing
VBA32 Found Win32.Trojan.Downloader (http://...) (probable variant)

C:\19795177.exe
Scan taken on 19 Jan 2007 05:47:14 (GMT)
AntiVir Found TR/Agent.2116
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic2.PKN
BitDefender Found DeepScan:Generic.Malware.dld!!.721A9780
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Downloader.gen10
F-Secure Anti-Virus Found nothing
Fortinet Found W32/Dloader.HYW!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.Tiny.NCA
Norman Virus Control Found W32/DLoader.BOPI
VirusBuster Found nothing
VBA32 Found Win32.Trojan.Downloader (http://...) (probable variant)


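Reading a multi-engine result like the one above by hand means counting hits and spotting that the named verdicts, however differently spelled, agree on a family. The script below is an added example (not part of the thread and not something jotti provides) that parses a pasted report into engine/verdict pairs, counts detections, groups verdicts by family keyword, and compares two reports engine by engine. The embedded reports are the two results posted above, which are identical; the ComboFix log earlier in the thread shows both files were created in the same minute with the same 2,114-byte size, so identical verdicts are what one would expect.

```python
import re

# Sample input: the two jotti reports posted above, copied as pasted.
REPORT_A = r"""
C:\92258266.exe
Scan taken on 19 Jan 2007 05:49:37 (GMT)
AntiVir Found TR/Agent.2116
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic2.PKN
BitDefender Found DeepScan:Generic.Malware.dld!!.721A9780
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Downloader.gen10
F-Secure Anti-Virus Found nothing
Fortinet Found W32/Dloader.HYW!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.Tiny.NCA
Norman Virus Control Found W32/DLoader.BOPI
VirusBuster Found nothing
VBA32 Found Win32.Trojan.Downloader (http://...) (probable variant)
"""

REPORT_B = r"""
C:\19795177.exe
Scan taken on 19 Jan 2007 05:47:14 (GMT)
AntiVir Found TR/Agent.2116
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic2.PKN
BitDefender Found DeepScan:Generic.Malware.dld!!.721A9780
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Downloader.gen10
F-Secure Anti-Virus Found nothing
Fortinet Found W32/Dloader.HYW!tr
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/TrojanDownloader.Tiny.NCA
Norman Virus Control Found W32/DLoader.BOPI
VirusBuster Found nothing
VBA32 Found Win32.Trojan.Downloader (http://...) (probable variant)
"""

# Each result line is "<engine name> Found <verdict>"; engine names may contain spaces,
# so the engine group is non-greedy and stops at the first " Found ".
LINE_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")

# Family keywords chosen for this report: vendors spell "downloader" several ways.
FAMILY_PATTERNS = {
    "downloader": re.compile(r"download|dloader|\bdld\b", re.IGNORECASE),
}


def parse_report(text):
    """Return {engine: verdict or None} (None means 'Found nothing')."""
    verdicts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            v = m.group("verdict").strip()
            verdicts[m.group("engine")] = None if v.lower() == "nothing" else v
    return verdicts


def summarize(text):
    """Count detections and list which engines agree on each family keyword."""
    verdicts = parse_report(text)
    detected = {e: v for e, v in verdicts.items() if v}
    families = {
        name: sorted(e for e, v in detected.items() if pat.search(v))
        for name, pat in FAMILY_PATTERNS.items()
    }
    return {"engines": len(verdicts), "detections": len(detected), "families": families}


def differing_engines(text_a, text_b):
    """Engines whose verdict differs between two reports (empty if identical)."""
    a, b = parse_report(text_a), parse_report(text_b)
    return sorted(e for e in set(a) | set(b) if a.get(e) != b.get(e))


if __name__ == "__main__":
    s = summarize(REPORT_A)
    print(f"{s['detections']} of {s['engines']} engines detected the file")
    print("downloader family:", ", ".join(s["families"]["downloader"]))
    print("engines that disagree between the two files:", differing_engines(REPORT_A, REPORT_B))
```

Eight of fifteen engines flag the file, and six of those eight name a downloader family; the two reports agree on every engine. A detection count by itself is a weak signal, so the family grouping is the part worth reading: independent engines converging on "downloader" says more than any single generic name.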

Response Number 7
Name: jabuck
Date: January 19, 2007 at 15:17:57 Pacific
Reply:

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Reboot into safe mode.

Navigate to and delete both of those files.

Post a new Combofix log and a new Hijack This log please.

