
Possible Spyware


Name: Chanto
Date: November 28, 2006 at 15:53:56 Pacific
OS: Windows Xp
CPU/Ram: Intel p4 1Ghz ram
Comment:

Not too long ago I was redirected from a forum to a bad link and it automatically gave me something nasty and of course it reproduced. I got rid of part of it but there's still something living in my system and I have no clue what it might be. I've run Ad-Aware and Spybot many times in normal and safe mode but still no change. The only effect I can see is my system freezing up randomly and any .gif on any website taking longer than usual to load. I did the Hijackthis analyzer and it pointed out the following as problems and I'm pretty sure one of them shut off my network and internet before:
O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll (file missing)

O4 - HKLM\..\Run: [qilkrd] c:\windows\system32\kxqunzd.exe r

O4 - HKLM\..\Run: [muscdj] c:\windows\system32\netqmm.exe r

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll




Response Number 1
Name: jabuck
Date: November 28, 2006 at 16:33:09 Pacific
Reply:

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified.

Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Please download SmitRemFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 2
Name: Chanto
Date: November 28, 2006 at 18:46:16 Pacific
Reply:

Here is my Hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 9:22:49 PM, on 11/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Maxthon\maxthon.exe
C:\WINDOWS\System32\drwtsn32.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\BNIK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll (file missing)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [qilkrd] c:\windows\system32\kxqunzd.exe r
O4 - HKLM\..\Run: [muscdj] c:\windows\system32\netqmm.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18...
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnli...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.co...
O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

Here is my Smitfraud report:

SmitFraudFix v2.125

Scan done at 21:45:28.58, Tue 11/28/2006
Run from C:\Documents and Settings\BNIK\Desktop\smit\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BNIK


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\BNIK\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BNIK\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_CLASSES_ROOT\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}\InProcServer32]
@="C:\WINDOWS\System32\xpRecovery.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8A5849B5-93F3-429D-FF34-660A2068897C}\InProcServer32]
@="C:\WINDOWS\System32\xpRecovery.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Response Number 3
Name: jabuck
Date: November 28, 2006 at 18:59:46 Pacific
Reply:

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.

Download and install AVG Anti-Spyware. We will need this later in safe mode.

Be sure to update AVG Anti-Spyware.

Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode.

Please download Fixwareout from this link

http://swandog46.geekstogo.com/Fixwareout.exe

or

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click next, then Install, then make sure "Run fixit" is checked and click finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Post a copy of the log located at C:\fixwareout\report.txt



Response Number 4
Name: Chanto
Date: November 28, 2006 at 19:12:51 Pacific
Reply:

I was given this and I wasn't asked to reboot my computer.

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
please post this at the forum



Response Number 5
Name: jabuck
Date: November 28, 2006 at 19:20:38 Pacific
Reply:

Download XP fix from this link and run it http://www.visualtour.com/downloads/ it should replace the missing C:\WINDOWS\system32\AUTOEXEC.NT file.
Then run the fixwareout.






Response Number 6
Name: Chanto
Date: November 28, 2006 at 19:46:40 Pacific
Reply:

Here it is:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSAVA.exe

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSAVA.exe 51,203 2006-08-31
C:\WINDOWS\SYSTEM32\CSQIL.exe 51,803 2006-11-23

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



Response Number 7
Name: jabuck
Date: November 28, 2006 at 20:03:32 Pacific
Reply:

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":

O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll (file missing)

O4 - HKLM\..\Run: [qilkrd] c:\windows\system32\kxqunzd.exe r

O4 - HKLM\..\Run: [muscdj] c:\windows\system32\netqmm.exe r

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90

Exit Hijack This but remain in safe mode.

Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\CSAVA.exe

C:\WINDOWS\SYSTEM32\CSQIL.exe

C:\WINDOWS\System32\xpRecovery.dll

c:\windows\system32\kxqunzd.exe

c:\windows\system32\netqmm.exe

C:\WINDOWS\wupdt.exe

Return to Killbox, go to the File menu, and choose Paste from Clipboard.


Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).

If your computer does not restart automatically, please restart it manually.


If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Post the AVG-AntiSpyware log on your desktop and a new Hijack This log please.

Restart the computer

After restart, if you have any connection problems, do this:

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Before you restart the computer.
Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:


ipconfig /flushdns


Hit Enter
Exit the command window



Response Number 8
Name: Chanto
Date: November 28, 2006 at 22:13:05 Pacific
Reply:

Well I did everything that was told and had no problems with renaming any files or any DNS connection problems, now did you want me to post the new hijackthis and AVG logs here?



Response Number 9
Name: jabuck
Date: November 29, 2006 at 03:34:26 Pacific
Reply:

Please post the AVG-AntiSpyware log and a new Hijack This log.



Response Number 10
Name: Chanto
Date: November 29, 2006 at 04:39:40 Pacific
Reply:

New Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:27 AM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\BNIK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18...
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnli...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.co...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

AVG log:


AVG Anti-Spyware Scan Report

Created at: 12:58:30 AM 11/29/2006

+ Scan result:

C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122\A0490498.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122\A0490502.exe -> Dropper.Delf.va : Cleaned with backup (quarantined).

::Report end


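The checks jabuck applies by hand in Response 7, together with the before/after comparison of the logs posted in Responses 2 and 10, written out as an added Python example (not a tool from this thread and not part of HijackThis). It assumes the HijackThis v1.99.1 line formats shown in the logs above; the sample lines are copied from those two logs, and the known-good DNS list is left empty so that every hard-coded NameServer entry is reported for manual verification.

```python
"""Triage of HijackThis v1.99.1 log lines, plus a before/after diff.

Added example, not a tool from this thread or from HijackThis. It encodes the
checks applied by hand in the thread: an O2 BHO whose DLL is "(file missing)",
O4 Run entries with a random lowercase name or a bare executable in the Windows
root, an O17 NameServer override not on a known-good list, and O20 Winlogon
Notify DLLs (always worth a manual look). Nothing is fixed or deleted here.
"""
import re
from dataclasses import dataclass

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{guid}: NameServer = ip [ip ...]"
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
# An .exe sitting directly in C:\WINDOWS (not in a subfolder such as system32)
WINROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)
# Any line that is a HijackThis entry (R0/R1/N3/O2/O4/O17/O20/...)
ENTRY_RE = re.compile(r"^[RNOF]\d+ - ")


@dataclass(frozen=True)
class Finding:
    severity: str  # "fix" (strong indicator) or "review" (needs a human look)
    reason: str
    line: str


def check_line(line, known_good_dns=frozenset()):
    """Return a Finding for one log line, or None if it looks ordinary."""
    line = line.strip()
    if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
        return Finding("fix", "BHO registered but its DLL is gone (leftover of a removed infection)", line)
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if re.fullmatch(r"[a-z]{4,10}", name):
            return Finding("fix", "Run entry with a random-looking lowercase name", line)
        if WINROOT_EXE_RE.match(cmd):
            return Finding("fix", "Run entry launching a bare .exe from the Windows root folder", line)
        return None
    m = O17_RE.match(line)
    if m:
        unknown = [s for s in m.group("servers").split() if s not in known_good_dns]
        if unknown:
            return Finding("fix", "hard-coded DNS servers not on the known-good list: " + " ".join(unknown), line)
        return None
    if line.startswith("O20 - Winlogon Notify:"):
        return Finding("review", "DLL loaded into winlogon.exe at logon; confirm the file's publisher", line)
    return None


def triage(log_text, known_good_dns=frozenset()):
    """All findings for a whole log, in log order."""
    return [f for f in (check_line(ln, known_good_dns) for ln in log_text.splitlines()) if f]


def diff_logs(before, after):
    """(entries gone after the fix, entries that are new), so the fix can be verified."""
    def entries(text):
        return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


# Sample lines copied from the two HijackThis logs posted in this thread.
BEFORE = r"""
O2 - BHO: C:\WINDOWS\System32\xpRecovery.dll - {8A5849B5-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\System32\xpRecovery.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [qilkrd] c:\windows\system32\kxqunzd.exe r
O4 - HKLM\..\Run: [muscdj] c:\windows\system32\netqmm.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
"""
AFTER = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
"""

if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    gone, new = diff_logs(BEFORE, AFTER)
    print(f"\n{len(gone)} entries gone after the fix, {len(new)} new entries to eyeball")
```

The diff is the verification step: every "fix" finding from the first log should show up in the "gone" list, and anything in the "new" list (such as the ProxyOverride entry in the second log) deserves a look before the machine is declared clean.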

Response Number 11
Name: jabuck
Date: November 29, 2006 at 19:15:01 Pacific
Reply:

You still have a baddie that could be a rootkit.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the combofix.txt log.



Response Number 12
Name: Chanto
Date: November 29, 2006 at 20:11:55 Pacific
Reply:

BNIK - 06-11-29 23:09:07.68 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\BNIK\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-28 23:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 23:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 23:19 <DIR> d-------- C:\!KillBox
2006-11-28 22:10 <DIR> d-------- C:\fixwareout
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-28 21:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-28 21:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-28 21:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 11:53 4,308 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 11:28 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-11-27 11:28 270,336 --a------ C:\WINDOWS\system32\imon.dll
2006-11-27 11:26 <DIR> d-------- C:\Program Files\ESET
2006-11-26 20:19 6,199 --a------ C:\WINDOWS\system32\TJ8N8o8.exe
2006-11-26 19:50 71,168 --a------ C:\WINDOWS\system32\sciekad.dll
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\se.exe.exe
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\it58W2E.exe
2006-11-26 18:51 54,327 --a------ C:\WINDOWS\system32\google.png.exe
2006-11-26 18:51 15,927 --a------ C:\WINDOWS\system32\w.exe.exe
2006-11-26 18:51 15,927 --a------ C:\WINDOWS\system32\w.exe
2006-11-26 18:51 128,567 --a------ C:\WINDOWS\system32\ss.exe.exe
2006-11-25 20:07 <DIR> d-------- C:\Documents and Settings\BNIK\.javaws
2006-11-25 20:06 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2006-11-17 14:02 <DIR> d-------- C:\Program Files\AOD
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 18:56 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2006-11-16 18:56 487,424 --a------ C:\WINDOWS\system32\LTKRN14n.DLL
2006-11-16 18:56 303,104 --a------ C:\WINDOWS\system32\LTDIS14n.DLL
2006-11-16 18:56 274,432 --a------ C:\WINDOWS\system32\LTEFX14n.DLL
2006-11-16 18:56 24,575 --a------ C:\WINDOWS\system32\msusengwinsyspio46.dll
2006-11-16 18:56 180,224 --a------ C:\WINDOWS\system32\LTFIL14n.DLL
2006-11-16 18:56 1,126,400 --a------ C:\WINDOWS\system32\LTIMG14n.DLL
2006-11-16 18:56 <DIR> d-------- C:\Program Files\IconCool Software
2006-11-08 13:52 <DIR> d-------- C:\Documents and Settings\BNIK\Contacts
2006-11-08 13:51 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-05 18:15 25,858 --a------ C:\WINDOWS\system32\jpg_viewer.exe
2006-10-31 16:25 <DIR> d-------- C:\Documents and Settings\BNIK\Application Data\Motive
2006-10-31 16:23 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2006-10-31 16:23 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Verizon
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Common Files\Motive
2006-10-31 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-10-30 15:17 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-30 15:17 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-29 23:08 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Skype
2006-11-29 23:07 -------- d-------- C:\Program Files\Steam
2006-11-29 23:06 -------- d-------- C:\Program Files\Sophos SWEEP for NT
2006-11-29 13:25 -------- d-------- C:\Program Files\HLSW
2006-11-26 22:19 54784 --a------ C:\WINDOWS\system32\instcat.dll
2006-11-26 18:31 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Xfire
2006-11-25 20:06 105168 --a------ C:\WINDOWS\NSUninst.exe
2006-11-25 20:06 105168 --a------ C:\WINDOWS\GREUninstall.exe
2006-11-25 20:06 -------- d-------- C:\Program Files\Common Files
2006-11-25 20:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-20 23:11 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Azureus
2006-11-17 15:06 -------- d-------- C:\Program Files\AIM
2006-11-17 14:35 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Aim
2006-11-16 22:53 33792 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-11-16 22:53 -------- d-------- C:\Program Files\QuickTime
2006-11-16 22:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 17:51 -------- d-------- C:\Program Files\Windows Media Player
2006-10-30 16:07 -------- d-------- C:\Program Files\hix
2006-10-30 16:07 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 15:42 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-30 15:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-28 10:03 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-21 15:34 -------- d-------- C:\Program Files\Maxthon
2006-10-21 15:30 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 13:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-09-08 23:28 967 --a------ C:\WINDOWS\ScUnin.pif
2006-09-08 23:28 94208 --a------ C:\WINDOWS\ScUnin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WebCamRT.exe"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.exe"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoSaveSettings"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdpu.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdqu.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Microsoft Office Word 2003.job
C:\WINDOWS\tasks\{08994C60-A08D-478A-B424-597D0E5A6D90}_FISHTANK_Inna.job

Completion time: 06-11-29 23:11:27.19
C:\ComboFix.txt ... 06-11-29 23:11



Response Number 13
Name: jabuck
Date: November 30, 2006 at 04:02:56 Pacific
Reply:

We have not forgotten you; we will get back to you later today.



Response Number 14
Name: Chanto
Date: November 30, 2006 at 05:24:20 Pacific
Reply:

Thanks a lot.



Response Number 15
Name: jabuck
Date: November 30, 2006 at 16:16:17 Pacific
Reply:

Please download SDFix by AndyManchesta and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.


Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Post a new combofix log also.



Response Number 16
Name: Chanto
Date: November 30, 2006 at 16:50:26 Pacific
Reply:


SDFix: Version 1.44
********************

Thu 11/30/2006 - 19:41:57.95

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:


File Path:

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\w.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Export:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\DOCUME~1\BNIK\LOCALS~1\Temp\bl4ck.com REG_SZ C:\DOCUME~1\BNIK\LOCALS~1\Temp\bl4ck.com:*:ENABLED:0
C:\WINDOWS\System32\a.exe REG_SZ C:\WINDOWS\System32\a.exe:*:ENABLED:0

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:
C:\WINDOWS\system32\NTICDMK7.dll
C:\WINDOWS\system32\NTIFCD3.dll
C:\WINDOWS\system32\NTIMP3.dll
C:\WINDOWS\system32\NTIMPEG2.dll
C:\WINDOWS\system32\phzn.dll
C:\WINDOWS\chmngv.exe.tmp
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\8E012ADADA.sys
C:\Documents and Settings\BNIK\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\BNIK\Application Data\Microsoft\Word\~WRL2834.tmp
C:\Documents and Settings\BNIK\Application Data\Microsoft\Word\~WRL3295.tmp
C:\Documents and Settings\BNIK\Application Data\Microsoft\Word\~WRL3574.tmp
C:\WINDOWS\chmngv.exe.tmp

FINISHED!



Response Number 17
Name: jabuck
Date: November 30, 2006 at 16:55:18 Pacific
Reply:

Please post the new combofix log.



Response Number 18
Name: Chanto
Date: November 30, 2006 at 17:02:10 Pacific
Reply:

Sorry, I forgot about it.

BNIK - 06-11-30 20:00:33.04 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\BNIK\Desktop\anti spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-10-30 to 2006-11-30 ))))))))))))))))))))))))))))))))))


2006-11-30 19:38 <DIR> d-------- C:\SDFix
2006-11-28 23:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 23:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 23:19 <DIR> d-------- C:\!KillBox
2006-11-28 22:10 <DIR> d-------- C:\fixwareout
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-28 21:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-28 21:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-28 21:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 11:53 4,308 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 11:28 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-11-27 11:28 270,336 --a------ C:\WINDOWS\system32\imon.dll
2006-11-27 11:26 <DIR> d-------- C:\Program Files\ESET
2006-11-26 20:19 6,199 --a------ C:\WINDOWS\system32\TJ8N8o8.exe
2006-11-26 19:50 71,168 --a------ C:\WINDOWS\system32\sciekad.dll
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\se.exe.exe
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\it58W2E.exe
2006-11-26 18:51 54,327 --a------ C:\WINDOWS\system32\google.png.exe
2006-11-26 18:51 15,927 --a------ C:\WINDOWS\system32\w.exe.exe
2006-11-26 18:51 128,567 --a------ C:\WINDOWS\system32\ss.exe.exe
2006-11-25 20:07 <DIR> d-------- C:\Documents and Settings\BNIK\.javaws
2006-11-25 20:06 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2006-11-17 14:02 <DIR> d-------- C:\Program Files\AOD
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 18:56 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2006-11-16 18:56 487,424 --a------ C:\WINDOWS\system32\LTKRN14n.DLL
2006-11-16 18:56 303,104 --a------ C:\WINDOWS\system32\LTDIS14n.DLL
2006-11-16 18:56 274,432 --a------ C:\WINDOWS\system32\LTEFX14n.DLL
2006-11-16 18:56 24,575 --a------ C:\WINDOWS\system32\msusengwinsyspio46.dll
2006-11-16 18:56 180,224 --a------ C:\WINDOWS\system32\LTFIL14n.DLL
2006-11-16 18:56 1,126,400 --a------ C:\WINDOWS\system32\LTIMG14n.DLL
2006-11-16 18:56 <DIR> d-------- C:\Program Files\IconCool Software
2006-11-08 13:52 <DIR> d-------- C:\Documents and Settings\BNIK\Contacts
2006-11-08 13:51 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-11-05 18:15 25,858 --a------ C:\WINDOWS\system32\jpg_viewer.exe
2006-10-31 16:25 <DIR> d-------- C:\Documents and Settings\BNIK\Application Data\Motive
2006-10-31 16:23 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2006-10-31 16:23 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Verizon
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Common Files\Motive
2006-10-31 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-10-30 15:17 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-30 15:17 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-30 19:50 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Skype
2006-11-30 19:49 -------- d-------- C:\Program Files\Steam
2006-11-30 19:45 -------- d-------- C:\Program Files\Sophos SWEEP for NT
2006-11-30 19:23 -------- d-------- C:\Program Files\HLSW
2006-11-26 22:19 54784 --a------ C:\WINDOWS\system32\instcat.dll
2006-11-26 18:31 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Xfire
2006-11-25 20:06 105168 --a------ C:\WINDOWS\NSUninst.exe
2006-11-25 20:06 105168 --a------ C:\WINDOWS\GREUninstall.exe
2006-11-25 20:06 -------- d-------- C:\Program Files\Common Files
2006-11-25 20:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-20 23:11 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Azureus
2006-11-17 15:06 -------- d-------- C:\Program Files\AIM
2006-11-17 14:35 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Aim
2006-11-16 22:53 33792 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-11-16 22:53 -------- d-------- C:\Program Files\QuickTime
2006-11-16 22:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 17:51 -------- d-------- C:\Program Files\Windows Media Player
2006-10-30 16:07 -------- d-------- C:\Program Files\hix
2006-10-30 16:07 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 15:42 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-30 15:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-28 10:03 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-21 15:34 -------- d-------- C:\Program Files\Maxthon
2006-10-21 15:30 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 13:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-09-08 23:28 967 --a------ C:\WINDOWS\ScUnin.pif
2006-09-08 23:28 94208 --a------ C:\WINDOWS\ScUnin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WebCamRT.exe"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe\" /tray"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"VirtualCloneDrive"="\"C:\\Program Files\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver3\\LVCOMS.exe"
"LogitechGalleryRepair"="C:\\Program Files\\Logitech\\ImageStudio\\ISStart.exe"
"LogitechImageStudioTray"="C:\\Program Files\\Logitech\\ImageStudio\\LogiTray.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Logitech Utility"="Logi_MwX.Exe"
"Motive SmartBridge"="C:\\PROGRA~1\\Verizon\\SMARTB~1\\MotiveSB.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoSaveSettings"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdpu.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdqu.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Microsoft Office Word 2003.job
C:\WINDOWS\tasks\{08994C60-A08D-478A-B424-597D0E5A6D90}_FISHTANK_Inna.job

Completion time: 06-11-30 20:01:22.34
C:\ComboFix.txt ... 06-11-30 20:01
C:\ComboFix2.txt ... 06-11-29 23:11



Response Number 19
Name: jabuck
Date: November 30, 2006 at 17:18:28 Pacific
Reply:

Reboot into safe mode. Run Killbox again and delete these files using the same method you used in response #7.

C:\WINDOWS\system32\TJ8N8o8.exe

C:\WINDOWS\system32\se.exe.exe

C:\WINDOWS\system32\it58W2E.exe

C:\WINDOWS\system32\google.png.exe

C:\WINDOWS\system32\w.exe.exe

C:\WINDOWS\system32\ss.exe.exe

C:\WINDOWS\system32\jpg_viewer.exe

Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
After reboot, post the contents of the log on your desktop.

and post a new combofix log please.


0
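As an added example (not part of this thread and not code from ComboFix, Killbox or Dr.Web), here is a small Python triage script that applies three heuristics a helper uses when picking files like the ones listed in the reply above out of a ComboFix "Files Created" section: a double extension (se.exe.exe, google.png.exe), several executables sharing an identical byte size (the 6,199-byte trio), and a burst of executables dropped into one folder in the same minute. The sample log is a constructed excerpt copied from the ComboFix output posted earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the ComboFix "Files Created" section posted above.
SAMPLE_LOG = r"""
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-26 20:19 6,199 --a------ C:\WINDOWS\system32\TJ8N8o8.exe
2006-11-26 19:50 71,168 --a------ C:\WINDOWS\system32\sciekad.dll
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\se.exe.exe
2006-11-26 18:51 6,199 --a------ C:\WINDOWS\system32\it58W2E.exe
2006-11-26 18:51 54,327 --a------ C:\WINDOWS\system32\google.png.exe
2006-11-26 18:51 15,927 --a------ C:\WINDOWS\system32\w.exe.exe
2006-11-26 18:51 15,927 --a------ C:\WINDOWS\system32\w.exe
2006-11-26 18:51 128,567 --a------ C:\WINDOWS\system32\ss.exe.exe
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
"""

# One "Files Created" line: timestamp, size (or <DIR>), 9-char attribute field, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*)$"
)
EXEC_EXT = {"exe", "com", "scr", "pif", "bat", "dll"}
# Something like name.png.exe or name.exe.exe: a decoy extension before an executable one.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|com|scr|pif|bat)$", re.IGNORECASE)


def parse_files_created(text):
    """Parse ComboFix 'Files Created' lines; directories are kept with size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines, lines from other sections
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        path = m["path"]
        folder, _, name = path.rpartition("\\")
        entries.append({"ts": m["ts"], "size": size, "attrs": m["attrs"],
                        "path": path, "folder": folder.lower(), "name": name})
    return entries


def is_executable(entry):
    return entry["size"] is not None and entry["name"].rsplit(".", 1)[-1].lower() in EXEC_EXT


def triage(text, burst_min=3):
    """Return {path: sorted reasons} for every executable that trips at least one heuristic."""
    execs = [e for e in parse_files_created(text) if is_executable(e)]
    flags = defaultdict(set)
    by_size = defaultdict(set)   # identical byte size across different names
    by_slot = defaultdict(set)   # same minute, same folder
    for e in execs:
        if DOUBLE_EXT_RE.search(e["name"]):
            flags[e["path"]].add("double-extension")
        by_size[e["size"]].add(e["path"])
        by_slot[(e["ts"], e["folder"])].add(e["path"])
    for paths in by_size.values():
        if len(paths) >= 2:
            for p in paths:
                flags[p].add("size-cluster")
    for paths in by_slot.values():
        if len(paths) >= burst_min:
            for p in paths:
                flags[p].add("creation-burst")
    return {p: sorted(r) for p, r in flags.items()}


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"{path}: {', '.join(reasons)}")
```

The heuristics only rank candidates for a human to check against the rest of the log; legitimate installers can also drop several files in one minute, so a hit is a reason to look, not a verdict.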

Response Number 20
Name: Chanto
Date: November 30, 2006 at 20:01:35 Pacific
Reply:

smax4.exe;c:\program files\analog devices\soundmax;Trojan.DownLoader.14979;Incurable.Moved.;
lvcoms.exe;c:\program files\common files\logitech\qcdriver3;Trojan.DownLoader.14979;Incurable.Moved.;
vcddaemon.exe;c:\program files\elaborate bytes\virtualclonedrive;Trojan.DownLoader.14979;Incurable.Moved.;
hpwuschd2.exe;c:\program files\hewlett-packard\hp software update;Trojan.DownLoader.14979;Incurable.Moved.;
hpcmpmgr.exe;c:\program files\hp\hpcoretech;Trojan.DownLoader.14979;Incurable.Moved.;
jusched.exe;c:\program files\java\j2re1.4.2_06\bin;Trojan.DownLoader.14979;Incurable.Moved.;
isstart.exe;c:\program files\logitech\imagestudio;Trojan.DownLoader.14979;Incurable.Moved.;
logitray.exe;c:\program files\logitech\imagestudio;Trojan.DownLoader.14979;Incurable.Moved.;
qttask.exe;c:\program files\quicktime;Trojan.DownLoader.14979;Incurable.Moved.;
clonecdtray.exe;c:\program files\slysoft\clonecd;Trojan.DownLoader.14979;Incurable.Moved.;
smc.exe;c:\program files\sygate\spf;Trojan.DownLoader.14979;;
motivesb.exe;c:\program files\verizon\smartbridge;Trojan.DownLoader.14979;;
yahoomessenger.exe;c:\program files\yahoo!\messenger;Trojan.DownLoader.14979;;
winlogon.exe;c:\windows\system32\dllcache\win32;Program.SrvAny;;
nerocheck.exe;c:\windows\system32;Trojan.DownLoader.14979;Incurable.Moved.;
hpztsb10.exe;c:\windows\system32\spool\drivers\w32x86\3;Trojan.DownLoader.14979;Incurable.Moved.;
csava.exe;C:\!KillBox;Trojan.DnsChange;Deleted.;
csqil.exe;C:\!KillBox;Trojan.DnsChange;Deleted.;
google.png.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
it58W2E.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
jpg_viewer.exe;C:\!KillBox;Win32.HLLM.Sacho;Deleted.;
se.exe.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
ss.exe.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
TJ8N8o8.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
w.exe.exe;C:\!KillBox;Trojan.Spambot;Deleted.;
mirc32.exe;C:\Addict3\sys;Program.mIRC.601;;
backup-20061126-202903-651.dll;C:\Documents and Settings\BNIK\Desktop\backups;Trojan.DownLoader.15129;Deleted.;
backup-20061128-121414-259.dll;C:\Documents and Settings\BNIK\Desktop\backups;Trojan.DownLoader.15129;Deleted.;
Process.exe;C:\Documents and Settings\BNIK\Desktop\smit\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\BNIK\Desktop\smit\SmitfraudFix;Tool.ShutDown.11;;
WxBug.EXE;C:\Program Files\AIM;Adware.Aws;;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
FND0.NFI;C:\Program Files\ESET\cache;Trojan.DnsChange;Deleted.;
FND1.NFI;C:\Program Files\ESET\cache;Trojan.DnsChange;Deleted.;
FND2.NFI;C:\Program Files\ESET\cache;Trojan.DnsChange;Deleted.;
FND3.NFI;C:\Program Files\ESET\cache;Trojan.DnsChange;Deleted.;
C21APWBA.NQF;C:\Program Files\ESET\infected;Dialer.Maxd;Deleted.;
KR2BB4BA.NQF;C:\Program Files\ESET\infected;Trojan.MulDrop.4587;Deleted.;
SIVF2MAA.NQF;C:\Program Files\ESET\infected;Trojan.DnsChange;Deleted.;
mirc.exe;C:\Program Files\hix;Program.mIRC.603;;
moo.dll;C:\Program Files\hix;Program.MotherboardMonitor;;
moo.dll;C:\Program Files\hix\scripts\systeminfo;Program.MotherboardMonitor;;
fdsf;C:\Program Files\Maxthon;Trojan.MulDrop.4521;Deleted.;
sdfff;C:\Program Files\Maxthon;Trojan.DownLoader.14964;Deleted.;
zxczxc;C:\Program Files\Maxthon;Trojan.Spambot;Deleted.;
smc.exe;C:\Program Files\Sygate\SPF;Trojan.DownLoader.14979;Incurable.Moved.;
MotiveSB.exe;C:\Program Files\Verizon\SmartBridge;Trojan.DownLoader.14979;Incurable.Moved.;
YahooMessenger.exe;C:\Program Files\Yahoo!\Messenger;Trojan.DownLoader.14979;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
hltv.exe;C:\Sierra\Counter-Strike;Tool.ProxyHLTV;;
A0470953.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1083;Trojan.DnsChange;Deleted.;
A0470999.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1083;Trojan.DnsChange;Deleted.;
A0471104.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1083;Trojan.DnsChange;Deleted.;
A0471258.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1083;Trojan.DnsChange;Deleted.;
A0471688.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1085;Trojan.DnsChange;Deleted.;
A0471714.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1086;Trojan.DnsChange;Deleted.;
A0472017.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1086;Trojan.DnsChange;Deleted.;
A0472041.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1087;Trojan.DnsChange;Deleted.;
A0472271.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1087;Trojan.DnsChange;Deleted.;
A0472877.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1094;Trojan.DnsChange;Deleted.;
A0472878.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1094;Trojan.DnsChange;Deleted.;
A0480793.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1099;Trojan.DnsChange;Deleted.;
A0481054.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1100;Trojan.DnsChange;Deleted.;
A0481100.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1100;Adware.FlashTrack;;
A0484150.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1100;Trojan.DnsChange;Deleted.;
A0484246.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1100;Trojan.DnsChange;Deleted.;
A0484262.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485258.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485291.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485346.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485372.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485423.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485644.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1101;Trojan.DnsChange;Deleted.;
A0485794.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Win32.HLLM.Sacho;Deleted.;
A0485805.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Win32.HLLM.Sacho;Deleted.;
A0485806.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Win32.HLLM.Sacho;Deleted.;
A0485807.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Win32.HLLM.Sacho;Deleted.;
A0485808.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Win32.HLLM.Sacho;Deleted.;
A0485818.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1103;Trojan.DnsChange;Deleted.;
A0486824.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1105;Trojan.DownLoader.14979;Incurable.Moved.;
A0487021.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1113;Trojan.DownLoader.14979;Incurable.Moved.;
A0487025.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1113;Trojan.DownLoader.14979;Incurable.Moved.;
A0487027.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1113;Trojan.DownLoader.14979;Incurable.Moved.;
A0487472.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1117;Trojan.DownLoader.14979;Incurable.Moved.;
A0488218.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1121;Trojan.DnsChange;Deleted.;
A0488220.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1121;Trojan.DnsChange;Deleted.;
A0489217.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1121;Trojan.DnsChange;Deleted.;
A0490223.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Fakealert;Deleted.;
A0490232.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490233.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490234.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490235.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490300.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Fakealert;Deleted.;
A0490304.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490305.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490306.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490307.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490308.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490309.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490503.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.DnsChange;Deleted.;
A0490531.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.MulDrop.4521;Deleted.;
A0490533.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.DownLoader.14964;Deleted.;
A0490536.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490537.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490542.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Spambot;Deleted.;
A0490553.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.DownLoader.14760;Deleted.;
A0490556.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1122;Trojan.Fakealert;Deleted.;
A0493643.dll;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1123;Trojan.DownLoader.15129;Deleted.;
A0496601.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1123;Tool.Prockill;;
A0497614.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1123;Trojan.DnsChange;Deleted.;
A0497615.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1123;Trojan.DnsChange;Deleted.;
A0499710.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499756.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499757.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499758.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499759.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499760.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499761.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499762.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Win32.HLLM.Sacho;Deleted.;
A0499764.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499765.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499766.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499767.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499768.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499769.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499770.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499771.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499772.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499773.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499774.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499775.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499776.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DnsChange;Deleted.;
A0499777.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DnsChange;Deleted.;
A0499778.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499779.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499780.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Win32.HLLM.Sacho;Deleted.;
A0499781.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499782.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499783.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499784.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.Spambot;Deleted.;
A0499785.dll;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.15129;Deleted.;
A0499786.dll;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.15129;Deleted.;
A0499787.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499788.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
A0499789.exe;C:\System Volume Information\_restore{56CEA5E5-E1F1-48A4-87D9-9556B9DEB361}\RP1125;Trojan.DownLoader.14979;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
ulnhz.exe;C:\WINDOWS\system32;Trojan.DnsChange;Deleted.;
instsrv.exe;C:\WINDOWS\system32\dllcache\win32;Tool.InstSrv;;
winlogon.exe;C:\WINDOWS\system32\dllcache\win32;Program.SrvAny;;
mirc.exe;D:\Program Files\Hix\hix;Program.mIRC.603;;
moo.dll;D:\Program Files\Hix\hix;Program.MotherboardMonitor;;
moo.dll;D:\Program Files\Hix\hix\scripts\systeminfo;Program.MotherboardMonitor;;

and the combo fix

BNIK - 06-11-30 22:58:10.80 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\BNIK\Desktop\anti spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-10-30 to 2006-11-30 ))))))))))))))))))))))))))))))))))


2006-11-30 20:48 <DIR> d-------- C:\Documents and Settings\BNIK\DoctorWeb
2006-11-30 19:38 <DIR> d-------- C:\SDFix
2006-11-28 23:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 23:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 23:19 <DIR> d-------- C:\!KillBox
2006-11-28 22:10 <DIR> d-------- C:\fixwareout
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-28 21:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-28 21:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-28 21:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 11:53 4,308 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 11:28 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-11-27 11:28 270,336 --a------ C:\WINDOWS\system32\imon.dll
2006-11-27 11:26 <DIR> d-------- C:\Program Files\ESET
2006-11-26 19:50 71,168 --a------ C:\WINDOWS\system32\sciekad.dll
2006-11-25 20:07 <DIR> d-------- C:\Documents and Settings\BNIK\.javaws
2006-11-25 20:06 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2006-11-17 14:02 <DIR> d-------- C:\Program Files\AOD
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 18:56 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2006-11-16 18:56 487,424 --a------ C:\WINDOWS\system32\LTKRN14n.DLL
2006-11-16 18:56 303,104 --a------ C:\WINDOWS\system32\LTDIS14n.DLL
2006-11-16 18:56 274,432 --a------ C:\WINDOWS\system32\LTEFX14n.DLL
2006-11-16 18:56 24,575 --a------ C:\WINDOWS\system32\msusengwinsyspio46.dll
2006-11-16 18:56 180,224 --a------ C:\WINDOWS\system32\LTFIL14n.DLL
2006-11-16 18:56 1,126,400 --a------ C:\WINDOWS\system32\LTIMG14n.DLL
2006-11-16 18:56 <DIR> d-------- C:\Program Files\IconCool Software
2006-11-08 13:52 <DIR> d-------- C:\Documents and Settings\BNIK\Contacts
2006-11-08 13:51 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-10-31 16:25 <DIR> d-------- C:\Documents and Settings\BNIK\Application Data\Motive
2006-10-31 16:23 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2006-10-31 16:23 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Verizon
2006-10-31 16:23 <DIR> d-------- C:\Program Files\Common Files\Motive
2006-10-31 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2006-10-30 15:17 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-30 15:17 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-30 22:56 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Skype
2006-11-30 22:55 -------- d-------- C:\Program Files\Steam
2006-11-30 22:54 -------- d-------- C:\Program Files\Sophos SWEEP for NT
2006-11-30 21:37 -------- d-------- C:\Program Files\Maxthon
2006-11-30 20:52 -------- d-------- C:\Program Files\QuickTime
2006-11-30 20:25 -------- d-------- C:\Program Files\HLSW
2006-11-26 22:19 54784 --a------ C:\WINDOWS\system32\instcat.dll
2006-11-26 18:31 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Xfire
2006-11-25 20:06 105168 --a------ C:\WINDOWS\NSUninst.exe
2006-11-25 20:06 105168 --a------ C:\WINDOWS\GREUninstall.exe
2006-11-25 20:06 -------- d-------- C:\Program Files\Common Files
2006-11-25 20:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-20 23:11 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Azureus
2006-11-17 15:06 -------- d-------- C:\Program Files\AIM
2006-11-17 14:35 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Aim
2006-11-16 22:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 17:51 -------- d-------- C:\Program Files\Windows Media Player
2006-10-30 16:07 -------- d-------- C:\Program Files\hix
2006-10-30 16:07 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 15:42 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-30 15:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-28 10:03 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-21 15:30 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 13:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-09-08 23:28 967 --a------ C:\WINDOWS\ScUnin.pif
2006-09-08 23:28 94208 --a------ C:\WINDOWS\ScUnin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WebCamRT.exe"=""
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoSaveSettings"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdpu.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdqu.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Microsoft Office Word 2003.job
C:\WINDOWS\tasks\{08994C60-A08D-478A-B424-597D0E5A6D90}_FISHTANK_Inna.job

Completion time: 06-11-30 23:00:44.07
C:\ComboFix.txt ... 06-11-30 23:00
C:\ComboFix2.txt ... 06-11-30 20:01
C:\ComboFix3.txt ... 06-11-29 23:11


Response Number 21
Name: jabuck
Date: December 1, 2006 at 03:59:40 Pacific
Reply:

How is your computer running now?


Response Number 22
Name: Chanto
Date: December 1, 2006 at 06:30:16 Pacific
Reply:

Well, for now it hasn't frozen on me like before, nor crashed. But I'm still experiencing internet lag spikes, and the .gifs on websites still take longer than usual to load.


Response Number 23
Name: jabuck
Date: December 1, 2006 at 15:08:24 Pacific
Reply:

Well that sounds positive.

Download this latest version of GMER Gmer.zip

Unzip it.

Reboot to safe mode and start GMER.exe.
Click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.


Response Number 24
Name: Chanto
Date: December 1, 2006 at 23:44:30 Pacific
Reply:

I have the results, but every time I paste them in here it freezes due to their large size and then doesn't allow me to send it in, saying that there is no data.


Response Number 25
Name: jabuck
Date: December 2, 2006 at 06:31:53 Pacific
Reply:

Post half of it in one post and the second half in another post.


Response Number 26
Name: Chanto
Date: December 2, 2006 at 07:32:24 Pacific
Reply:

Tell me if I did something wrong, because this log is 1491 pages in Microsoft Word. It's extremely long...


Response Number 27
Name: Chanto
Date: December 4, 2006 at 12:40:31 Pacific
Reply:

Was I forgotten about?


Response Number 28
Name: jabuck
Date: December 5, 2006 at 03:50:19 Pacific
Reply:

The log should not be that long.

Download rootkitrevealer from the bottom of this page and run it, then post its log. RootKitRevealer


Response Number 29
Name: Chanto
Date: December 8, 2006 at 07:08:24 Pacific
Reply:

I apologize for the delay; here's the RootkitRevealer log:

HKU\S-1-5-21-2025429265-854245398-839522115-1003\Software\Valve\Steam\LastSteamExecutionTime 12/8/2006 3:12 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-2025429265-854245398-839522115-1003\Software\Valve\Steam\Steam.exe\UpTimeMostRecent 12/8/2006 3:12 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 9/7/2003 1:24 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 9/7/2003 1:24 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Control\Motorola\PST\USBDriverVersionNumber 10/30/2005 10:36 PM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 4/16/2006 5:08 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber 10/30/2005 10:36 PM 3 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\BNIK\Application Data\Aim\Siltherlongberer\urlcache\aim26F.tmp 12/8/2006 3:02 AM 437 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\BNIK\Application Data\Aim\Siltherlongberer\urlcache\aim2C8.tmp 12/8/2006 3:32 AM 444 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Cookies\bnik@02.myspace.presence.userplane[2].txt 12/8/2006 3:16 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Cookies\bnik@02.myspace.presence.userplane[3].txt 12/8/2006 3:51 AM 111 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Cookies\bnik@02.myspace.presence.userplane[4].txt 12/8/2006 3:17 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Cookies\bnik@02.myspace.presence.userplane[5].txt 12/8/2006 3:22 AM 111 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\BNIK\Cookies\bnik@myspace[1].txt 12/8/2006 3:43 AM 1.85 KB Hidden from Windows API.
C:\Documents and Settings\BNIK\Cookies\bnik@myspace[3].txt 12/8/2006 3:11 AM 1.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\BNIK\Favorites\MyRealPics : Thousands of hot XXX pics and videos in every category.url 12/10/2003 8:13 PM 51 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Application Data\Microsoft\Messenger\borya69@hotmail.com\SharingMetadata\dontnoeme1@hotmail.com\DFSR\Staging\CS{01ACACB2-E2EC-BAF8-DF7F-D46D48ED39AD}\01\10-{01ACACB2-E2EC-BAF8-DF7F-D46D48ED39AD}-v1-{72B78F3E-1 11/8/2006 10:42 PM 8 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temp\IH2A6.tmp 12/8/2006 3:16 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temp\IH2A7.tmp 12/8/2006 3:16 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[10].txt 12/8/2006 3:37 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[11].txt 12/8/2006 3:38 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[12].txt 12/8/2006 3:40 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[13].txt 12/8/2006 3:43 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[14].txt 12/8/2006 3:44 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[15].txt 12/8/2006 3:47 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[16].txt 12/8/2006 3:52 AM 1 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[1].txt 12/8/2006 3:14 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[2].txt 12/8/2006 3:15 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[3].txt 12/8/2006 3:16 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[4].txt 12/8/2006 3:21 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[5].txt 12/8/2006 3:30 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[6].txt 12/8/2006 3:31 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[7].txt 12/8/2006 3:31 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[8].txt 12/8/2006 3:34 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\qv0525b372bg34ui[9].txt 12/8/2006 3:35 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[10].txt 12/8/2006 3:28 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[11].txt 12/8/2006 3:30 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[12].txt 12/8/2006 3:32 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[13].txt 12/8/2006 3:34 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[14].txt 12/8/2006 3:40 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[15].txt 12/8/2006 3:44 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[16].txt 12/8/2006 3:47 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[17].txt 12/8/2006 3:50 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[1].txt 12/8/2006 3:21 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[2].txt 12/8/2006 3:22 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[3].txt 12/8/2006 3:23 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[4].txt 12/8/2006 3:24 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[5].txt 12/8/2006 3:24 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[6].txt 12/8/2006 3:25 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[7].txt 12/8/2006 3:26 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[8].txt 12/8/2006 3:27 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\24EVN2WZ\tB[9].txt 12/8/2006 3:28 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[1].txt 12/8/2006 3:34 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[2].txt 12/8/2006 3:36 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[3].txt 12/8/2006 3:39 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[4].txt 12/8/2006 3:40 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[5].txt 12/8/2006 3:46 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[6].txt 12/8/2006 3:49 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\qv0525b372bg34ui[7].txt 12/8/2006 3:50 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[1].txt 12/8/2006 3:34 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[2].txt 12/8/2006 3:37 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[3].txt 12/8/2006 3:40 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[4].txt 12/8/2006 3:43 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[5].txt 12/8/2006 3:45 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\9XUM342U\tB[6].txt 12/8/2006 3:48 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\qv0525b372bg34ui[1].txt 12/8/2006 3:42 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\qv0525b372bg34ui[2].txt 12/8/2006 3:46 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\qv0525b372bg34ui[3].txt 12/8/2006 3:49 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[1].txt 12/8/2006 3:38 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[2].txt 12/8/2006 3:39 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[3].txt 12/8/2006 3:42 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[4].txt 12/8/2006 3:43 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[5].txt 12/8/2006 3:46 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[6].txt 12/8/2006 3:49 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\MJO24TUX\tB[7].txt 12/8/2006 3:52 AM 1 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[10].txt 12/8/2006 3:26 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[11].txt 12/8/2006 3:27 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[12].txt 12/8/2006 3:28 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[13].txt 12/8/2006 3:28 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[14].txt 12/8/2006 3:29 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[15].txt 12/8/2006 3:32 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[16].txt 12/8/2006 3:33 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[17].txt 12/8/2006 3:37 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[18].txt 12/8/2006 3:41 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[19].txt 12/8/2006 3:43 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[20].txt 12/8/2006 3:45 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[21].txt 12/8/2006 3:48 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[22].txt 12/8/2006 3:51 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[4].txt 12/8/2006 3:17 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[5].txt 12/8/2006 3:22 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[6].txt 12/8/2006 3:23 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[7].txt 12/8/2006 3:24 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[8].txt 12/8/2006 3:24 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\qv0525b372bg34ui[9].txt 12/8/2006 3:25 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[10].txt 12/8/2006 3:33 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[11].txt 12/8/2006 3:35 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[12].txt 12/8/2006 3:36 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[13].txt 12/8/2006 3:37 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[14].txt 12/8/2006 3:41 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[15].txt 12/8/2006 3:46 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[16].txt 12/8/2006 3:49 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[17].txt 12/8/2006 3:51 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[3].txt 12/8/2006 3:14 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[4].txt 12/8/2006 3:15 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[5].txt 12/8/2006 3:16 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[6].txt 12/8/2006 3:17 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[7].txt 12/8/2006 3:29 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[8].txt 12/8/2006 3:31 AM 1 bytes Hidden from Windows API.
C:\Documents and Settings\BNIK\Local Settings\Temporary Internet Files\Content.IE5\XBGKVJVN\tB[9].txt 12/8/2006 3:31 AM 1 bytes Hidden from Windows API.



Response Number 30
Name: jabuck
Date: December 9, 2006 at 09:29:33 Pacific
Reply:

Run HiJackThis
Click "open the misc. tools section"
Click on "Open ADS Spy.."
In ADS Spy, uncheck the following options:
Quick Scan
Ignore safe system info streams
Click on "Scan"
Click on "Save Log..."
Copy and paste the List from the notepad into your next post please.



Response Number 31
Name: Chanto
Date: December 9, 2006 at 09:56:08 Pacific
Reply:

C:\Addict3\sys\docs\pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\cell phone\pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\cell phone\Razr\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Alien Ant Farm - Up In The Attic (With Best Buy Bonus Track) [2006][Rock][www.newpct.com]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Fort_Minor-The_Rising_Tied-(Webrip)-2005-ESR\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Ludacris - Release Therapy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Method_Man-Tical_0-The_Prequel-2004-RNS\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Papa Roach (The Paramour Sessions) 2006 by ROCKSTARZ\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Rammstein_-_Rosenrot-DE-2005{H33T.COM}\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\DL Albums\VA-DJ_Kayslay-The_Streetsweeper_Vol._2_(Retail)-2004-C4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\G-Unit, Eminem, Cassidy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Lev G. Nikelberg\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Naruto\artbook\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Naruto\extra\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Naruto\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Other Desktop s---\Random Desktop s---\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Other Desktop s---\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Any given Friday or Saturday\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\BaseballDay\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Best Time Eva\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Boris Romeo and Nelson go to BestBuy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\California '04\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Car Show 04'\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Car Show 05'\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Car Show 06'\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Cell Pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\CITY pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Fluffy B-day\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Francisco's Party\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Friday Night- Me Romeo Jolly Monica Fluffy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Good day gone bad\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Graduation\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Grandmas\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Guys n Sherlys Night Out\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Guys night out-Me Romeo Mike Nelson\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Halloween Dance '04\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Halloween Party '06\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Its all about ME\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Last Day Of Junior Year\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Last Days of Senior Year\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Lexi's Bday\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\LiC PiCs- End of Sophmore Year\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Me and Tux\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Me come over Tahnee's for alchy\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Mets Game Sept 10th\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Michelles Party\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Monica and Vals Bdays\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Nelsons Party 11-11-05\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Nelsons Party 12-09-05\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\new pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\New Years\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Newspaper\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Party II\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Philly\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Prom\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Random Day At My House\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Random pics of people\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Random Vehicles\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Report Card Day\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Romanian Friday\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Saturday Night- Me Romeo Jolly Monica\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Senior Breakfast\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\SeniorBBQ\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Sophia\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\That one random day\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\The Ladies\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Tony\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Voronezh\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Pictures\Xmas Eve\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\Desktop\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\AIM Logs\SiLtHeRlOnGbErEr\alittletooxlate\2006-09-22 [Friday]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\AIM Logs\SiLtHeRlOnGbErEr\Dontnoeme100\2006-02-14 [Tuesday]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\AIM Logs\SiLtHeRlOnGbErEr\HeartsSweetSins\2006-10-08 [Sunday]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\AIM Logs\SiLtHeRlOnGbErEr\Logicdms\2005-12-22 [Thursday]\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\CS Strats\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\Green Lantern\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\ImageStudio\Album\Pictures and Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\Misc\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\MOV00613.mpeg : SummaryInformation (88 bytes)
C:\Documents and Settings\BNIK\My Documents\MOV00613.mpeg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\BNIK\My Documents\MUD ss\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Pictures\ImageStudio\Album\Animations\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Pictures\ImageStudio\Album\Pictures and Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Pictures\QuickCam\Album\Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Received Files\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Skype Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\My Videos\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\Naruto\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\Street Art\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\Thumbs.db : encryptable (0 bytes)
C:\NVIDIA Display Driver\Thumbs.db : encryptable (0 bytes)
C:\Program Files\AIM\Thumbs.db : encryptable (0 bytes)
C:\Program Files\GameHouse\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Motorola\mobile PhoneTools\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Steam\SteamApps\foovoo@yahoo.com\counter-strike\cstrike\logos\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Steam\SteamApps\foovoo@yahoo.com\counter-strike\cstrike\models\player\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Steam\SteamApps\foovoo@yahoo.com\half-life\firearms\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Steam\SteamApps\foovoo@yahoo.com\half-life\gearbox\Thumbs.db : encryptable (0 bytes)
C:\WINDOWS\DtcInstall.log : xhyuj (91136 bytes)
C:\WINDOWS\jautoexp.dat : ysqvo (11591 bytes)
C:\WINDOWS\KB823980Uninst.log : rtbii (11388 bytes)
C:\WINDOWS\KB825119.log : butnd (11388 bytes)
C:\WINDOWS\system32\201.tmp : SummaryInformation (88 bytes)
C:\WINDOWS\system32\201.tmp : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\WINDOWS\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Jay-Z-The.Blueprint-2002\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Linkin Park Discography (RioNET.ca_slash_twinfield)\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Lost Season 1 Episodes 1-25\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Mystic River\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\slipknot\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\T.I.-Urban_Legend-RETAIL-2004-h8me\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\The Game - Documentary\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Thumbs.db : encryptable (0 bytes)
D:\DL FILES\Tony Yayo Thoughts Of A Predicate Felon\Thumbs.db : encryptable (0 bytes)
D:\Miscaleneous\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
D:\Miscaleneous\My Documents\Send 2 Carolyn pic.s\Thumbs.db : encryptable (0 bytes)
D:\Miscaleneous\My Documents\Thumbs.db : encryptable (0 bytes)
D:\My Documents\My Pictures\Maine 2002\Thumbs.db : encryptable (0 bytes)
D:\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
D:\My Documents\Thumbs.db : encryptable (0 bytes)
D:\My Music\Thumbs.db : encryptable (0 bytes)
D:\Program Files\Thumbs.db : encryptable (0 bytes)
D:\X-Men All Seasons\X-men TAS Season 1\Thumbs.db : encryptable (0 bytes)
D:\X-Men All Seasons\X-men TAS Season 2\Thumbs.db : encryptable (0 bytes)
D:\X-Men All Seasons\X-men TAS Season 3\Thumbs.db : encryptable (0 bytes)



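Added example, not code from this thread or from HijackThis: a small Python triage of ADS Spy output such as the log above, separating streams that Windows writes routinely from streams that deserve a closer look. The routine-stream set, the system-directory prefix and the sample lines (copied from the log above plus one junk line) are this example's own assumptions; a flagged stream is only "inspect the host file", not a malware verdict.

```python
"""Triage of HijackThis "ADS Spy" output (added example, not code from the thread)."""
import re
from dataclasses import dataclass

# Format of one ADS Spy line: "<path> : <stream name> (<size> bytes)".
# A stream name can never contain ':' (it is the NTFS separator), so the
# greedy path group plus a colon-free stream group splits the line safely.
LINE_RE = re.compile(r"^(?P<path>.+) : (?P<stream>[^:]+?) \((?P<size>\d+) bytes\)$")

# Streams Windows itself writes; treated as routine here. This set is an
# assumption for this example, chosen from what the log above shows plus
# the mark-of-the-web stream that downloaded files carry.
ROUTINE_STREAMS = {
    "encryptable",                               # Explorer marker on Thumbs.db
    "SummaryInformation",                        # OLE property set
    "DocumentSummaryInformation",                # OLE property set
    "Zone.Identifier",                           # mark-of-the-web on downloads
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",    # property-set stream on media files
}

# System locations where an unexplained stream deserves the first look
# (assumption: a single Windows XP install on C:).
SYSTEM_PREFIXES = ("c:\\windows\\",)


@dataclass(frozen=True)
class AdsEntry:
    path: str
    stream: str
    size: int

    @property
    def routine(self) -> bool:
        return self.stream in ROUTINE_STREAMS

    @property
    def in_system_dir(self) -> bool:
        return self.path.lower().startswith(SYSTEM_PREFIXES)


def parse_ads_spy(text: str) -> list[AdsEntry]:
    """Parse ADS Spy log text. Lines that are not stream entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(AdsEntry(m["path"], m["stream"], int(m["size"])))
    return entries


def streams_for_review(entries: list[AdsEntry]) -> list[AdsEntry]:
    """Non-routine streams, system-directory hosts first, then largest first.

    Being listed here means "look at the host file" (for instance by
    submitting it to a multi-engine scanner, as the thread does with the
    suspect DLLs); it does not declare the stream malicious.
    """
    flagged = [e for e in entries if not e.routine]
    flagged.sort(key=lambda e: (not e.in_system_dir, -e.size, e.path.lower()))
    return flagged


def summarize(entries: list[AdsEntry]) -> dict[str, int]:
    """Counts a helper would want at a glance before reading the whole log."""
    review = streams_for_review(entries)
    return {
        "total": len(entries),
        "routine": len(entries) - len(review),
        "review": len(review),
        "review_in_system_dir": sum(1 for e in review if e.in_system_dir),
    }


# Sample lines taken from the ADS Spy log posted above, plus one junk line
# to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
C:\Documents and Settings\BNIK\Desktop\pics\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\BNIK\My Documents\MOV00613.mpeg : SummaryInformation (88 bytes)
C:\Documents and Settings\BNIK\My Documents\MOV00613.mpeg : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\WINDOWS\DtcInstall.log : xhyuj (91136 bytes)
C:\WINDOWS\KB825119.log : butnd (11388 bytes)
C:\WINDOWS\system32\201.tmp : SummaryInformation (88 bytes)
C:\WINDOWS\Thumbs.db : encryptable (0 bytes)
this line is not an ADS Spy entry
"""

if __name__ == "__main__":
    parsed = parse_ads_spy(SAMPLE_LOG)
    print(summarize(parsed))
    for e in streams_for_review(parsed):
        print(f"REVIEW  {e.path} : {e.stream} ({e.size} bytes)")
```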

Response Number 32
Name: jabuck
Date: December 9, 2006 at 18:09:16 Pacific
Reply:

Still see nothing.

Go to this link, http://virusscan.jotti.org/, click the "Browse" button, then navigate to the files below. Double-click them one at a time, then click "Submit", then post the results.

C:\WINDOWS\system32\sciekad.dll

C:\WINDOWS\system32\instcat.dll




Response Number 33
Name: Chanto
Date: December 9, 2006 at 19:38:32 Pacific
Reply:

File: sciekad.dll
Status: INFECTED/MALWARE
MD5 42d0d7e9d79639612307de7be273ad32
Packers detected: -
Scanner results
AntiVir Found Trojan/Vundo.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic2.XVV
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found Possibly a new variant of W32/Bongler-based
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Busky.gen
Fortinet Found W32/OBFUSCAT.DO!tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Busky.gen
NOD32 Found a variant of Win32/TrojanDownloader.Busky.AZ
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: instcat.dll
Status: INFECTED/MALWARE
MD5 c20a44fc34f6a11577fee7dc9f63cadd
Packers detected: -
Scanner results
AntiVir Found Heuristic/Malware (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.Proxy.1270
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing




Response Number 34
Name: jabuck
Date: December 9, 2006 at 20:42:37 Pacific
Reply:

Run Killbox from safe mode and delete both of them.

Reboot the computer to normal mode.

Open Notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything between the x's into Notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Update AVG-AntiSpyware

Again boot into safe mode.

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Post the AVG-AntiSpyware log, a combofix log and a Hijack This log.

Let us know if your computer is running any better.



Response Number 35
Name: Chanto
Date: December 13, 2006 at 14:11:58 Pacific
Reply:


AVG Anti-Spyware - Scan Report

+ Created at: 4:43:14 PM 12/13/2006
+ Scan result:
C:\!KillBox\sciekad.dll -> Downloader.Busky : Cleaned with backup (quarantined).

:mozilla.46:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.47:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.48:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.49:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.50:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.69:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.102:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.20:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.94:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.95:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.96:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.97:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.52:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.127:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.128:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.129:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.130:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.18:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.19:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.131:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.132:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.133:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.134:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.135:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.136:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.111:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.100:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.98:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.99:C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

C:\WINDOWS\system32\wnsapisu.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\WINDOWS\system32\201.tmp -> Trojan.Spambot.m : Cleaned with backup (quarantined).

C:\!KillBox\instcat.dll -> Worm.Locksky.au : Cleaned with backup (quarantined).

C:\WINDOWS\system32\1A5.tmp -> Worm.Locksky.au : Cleaned with backup (quarantined).

C:\WINDOWS\system32\2906.tmp -> Worm.Locksky.au : Cleaned with backup (quarantined).

C:\WINDOWS\system32\instcat.dll -> Worm.Locksky.au : Cleaned with backup (quarantined).

[332] VM_3BF21000 -> Worm.Locksky.au : Cleaned with backup (quarantined).
[732] VM_3BF21000 -> Worm.Locksky.au : Cleaned with backup (quarantined).
::Report end


Combofix

BNIK - 06-12-13 17:07:41.77 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\BNIK\Desktop\anti spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))


2006-12-13 00:56 <DIR> d-------- C:\Program Files\Ventrilo
2006-12-13 00:56 <DIR> d-------- C:\Documents and Settings\BNIK\Application Data\Ventrilo
2006-12-04 15:36 <DIR> d-------- C:\HERE
2006-12-03 02:34 <DIR> d-------- C:\Program Files\Viewpoint
2006-12-03 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-12-02 01:40 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 20:48 <DIR> d-------- C:\Documents and Settings\BNIK\DoctorWeb
2006-11-30 19:38 <DIR> d-------- C:\SDFix
2006-11-28 23:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 23:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 23:19 <DIR> d-------- C:\!KillBox
2006-11-28 22:10 <DIR> d-------- C:\fixwareout
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-28 21:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-28 21:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-28 21:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 11:53 4,308 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 11:28 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-11-27 11:28 270,336 --a------ C:\WINDOWS\system32\imon.dll
2006-11-27 11:26 <DIR> d-------- C:\Program Files\ESET
2006-11-25 20:07 <DIR> d-------- C:\Documents and Settings\BNIK\.javaws
2006-11-25 20:06 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2006-11-17 14:02 <DIR> d-------- C:\Program Files\AOD
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 18:56 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2006-11-16 18:56 487,424 --a------ C:\WINDOWS\system32\LTKRN14n.DLL
2006-11-16 18:56 303,104 --a------ C:\WINDOWS\system32\LTDIS14n.DLL
2006-11-16 18:56 274,432 --a------ C:\WINDOWS\system32\LTEFX14n.DLL
2006-11-16 18:56 24,575 --a------ C:\WINDOWS\system32\msusengwinsyspio46.dll
2006-11-16 18:56 180,224 --a------ C:\WINDOWS\system32\LTFIL14n.DLL
2006-11-16 18:56 1,126,400 --a------ C:\WINDOWS\system32\LTIMG14n.DLL
2006-11-16 18:56 <DIR> d-------- C:\Program Files\IconCool Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-13 17:08 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Skype
2006-12-13 16:51 -------- d-------- C:\Program Files\Steam
2006-12-13 14:31 -------- d-------- C:\Program Files\Sophos SWEEP for NT
2006-12-13 14:05 -------- d-------- C:\Program Files\HLSW
2006-12-13 14:05 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Azureus
2006-12-13 00:56 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-10 12:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-30 21:37 -------- d-------- C:\Program Files\Maxthon
2006-11-30 20:52 -------- d-------- C:\Program Files\QuickTime
2006-11-26 18:31 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Xfire
2006-11-25 20:06 105168 --a------ C:\WINDOWS\NSUninst.exe
2006-11-25 20:06 105168 --a------ C:\WINDOWS\GREUninstall.exe
2006-11-25 20:06 -------- d-------- C:\Program Files\Common Files
2006-11-25 20:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-17 15:06 -------- d-------- C:\Program Files\AIM
2006-11-17 14:35 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Aim
2006-11-16 22:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 17:51 -------- d-------- C:\Program Files\Windows Media Player
2006-10-31 16:25 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Motive
2006-10-31 16:24 -------- d-------- C:\Program Files\Verizon
2006-10-31 16:23 -------- d-------- C:\Program Files\Common Files\Motive
2006-10-30 16:07 -------- d-------- C:\Program Files\hix
2006-10-30 16:07 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 15:42 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-28 10:03 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-21 15:30 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 13:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WebCamRT.exe"=""
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\bak\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoSaveSettings"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdpu.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdqu.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Microsoft Office Word 2003.job
C:\WINDOWS\tasks\{08994C60-A08D-478A-B424-597D0E5A6D90}_FISHTANK_Inna.job

Completion time: 06-12-13 17:09:51.90
C:\ComboFix.txt ... 06-12-13 17:09
C:\ComboFix2.txt ... 06-11-30 23:00
C:\ComboFix3.txt ... 06-11-30 20:01


Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 5:10:43 PM, on 12/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.exe
C:\Program Files\Maxthon\maxthon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.exe
C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\Documents and Settings\BNIK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.porn-info.info/? to verify your age, REQUIRED! WARNING! Adult pictures are featured in this site. Only adults permitted beyond this point! Are you at least 18 years old
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.exe" -quiet
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18...
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnli...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.co...
O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: S - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\S.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
O23 - Service: XODNZ - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\XODNZ.exe (file missing)



Response Number 36
Name: jabuck
Date: December 13, 2006 at 17:23:13 Pacific
Reply:

First go to add/remove programs and uninstall Trend Micro if you have it installed.

Run Hijack This from safe mode and remove these items:

(Don't remove the first R1; start with the second one, as listed below)

R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.porn-info.info/? to verify your age, REQUIRED! WARNING! Adult pictures are featured in this site. Only adults permitted beyond this point! Are you at least 18 years old

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/h...

O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18...

O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90

O20 - Winlogon Notify: instcat - instcat.dll (file missing)

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: S - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\S.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

O23 - Service: XODNZ - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\XODNZ.exe (file missing)

Exit Hijack This but remain in safe mode.

Run Killbox as you did in response #7 and delete this file:

C:\DOCUME~1\BNIK\LOCALS~1\Temp\XODNZ.exe

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Go to start>control panel>administrative tools>services>scroll down to these two items (one at a time):

S - Unknown owner

XODNZ - Unknown owner

Starting with the first one, double click it>to the far right of "startup type" click the blue drop down arrow>select "disable">apply>ok. Then proceed to the second one and do the same, then exit.

Go to start>run>type the following commands one at a time, then press enter:

sc stop S

sc delete S

sc stop XODNZ

sc delete XODNZ

Open notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat]


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Run ATF-Cleaner. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log and a new combofix log please.


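What jabuck is doing in the reply above is reading the HijackThis log by persistence point: an O17 NameServer override that sends every DNS lookup to resolvers the ISP never handed out, O23 services whose binary sits in the user's Temp folder or is already gone, an O20 Winlogon Notify DLL that would load into winlogon.exe as SYSTEM, and R0/R1 browser settings pointing somewhere the user never chose. The script below is an added example, not code from this thread or from the HijackThis project, that applies the same judgement to a log automatically. The trusted-resolver and trusted-host lists are hypothetical and must be set from a known-good machine on the same network (`ipconfig /all` for the resolvers); the sample log is constructed to mirror the entries posted in this thread, with a stand-in hostname in place of the real start-page hijack.

```python
"""Triage a HijackThis v1.99 log for the persistence points discussed in this thread.
Added example, not code from the thread; sample log and allow-lists are constructed."""
import re
from urllib.parse import urlsplit

# Assumption: the resolvers the ISP/router really hands out (from `ipconfig /all`
# on a known-good machine) and the hosts the user really set as home/search pages.
TRUSTED_RESOLVERS = {"192.168.1.1"}
TRUSTED_BROWSER_HOSTS = {"www.yahoo.com", "www.google.com"}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# No legitimate service or autostart binary lives under a user's Temp directory.
TEMP_DIR = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp)\\", re.I)
# A bare .exe directly in the Windows root is a classic drop spot; real autostarts
# live in System32 subdirectories or Program Files.
WINROOT_EXE = re.compile(r"C:\\WINDOWS\\[^\\\s]+\.exe", re.I)

def parse_hjt(text):
    """Yield (kind, rest) for each finding line (R0, O4, O17, ...); the process list is skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("rest")

def check_browser(rest):
    """R0/R1: IE start/search pages. A host outside the trusted set is a hijack candidate."""
    m = re.search(r" = (\S+)", rest)
    if not m:
        return None  # empty value such as 'Local Page ='
    url = m.group(1) if "://" in m.group(1) else "http://" + m.group(1)
    host = (urlsplit(url).hostname or "").lower()
    return None if host in TRUSTED_BROWSER_HOSTS else f"browser setting points at untrusted host {host}"

def check_dns(rest):
    """O17: per-interface NameServer override. Rogue resolvers silently redirect every lookup."""
    m = re.search(r"NameServer = (.+)$", rest)
    rogue = [ip for ip in m.group(1).split() if ip not in TRUSTED_RESOLVERS] if m else []
    return f"DNS override to untrusted resolvers: {' '.join(rogue)}" if rogue else None

def check_autostart(rest):
    """O4: Run keys and Startup folders."""
    if TEMP_DIR.search(rest):
        return "autostart binary under a Temp directory"
    if WINROOT_EXE.search(rest):
        return "autostart binary dropped directly in the Windows root"
    return None

def check_service(rest):
    """O23: services. A Temp-dir binary is malware; a missing binary is a stale entry to delete."""
    notes = []
    if TEMP_DIR.search(rest):
        notes.append("service binary under a Temp directory")
    if "(file missing)" in rest:
        notes.append("binary missing, orphaned service (sc stop / sc delete)")
    return "; ".join(notes) or None

def check_winlogon_notify(rest):
    """O20: Winlogon Notify DLLs load into winlogon.exe as SYSTEM; every listed entry needs review."""
    if "(file missing)" in rest:
        return "Winlogon Notify DLL missing, delete the registry key"
    return "Winlogon Notify DLL loads into winlogon.exe, verify it is known"

CHECKS = {"R0": check_browser, "R1": check_browser, "O4": check_autostart,
          "O17": check_dns, "O20": check_winlogon_notify, "O23": check_service}

def triage(text):
    """Return [(kind, note, line)] for every finding line a check objects to."""
    findings = []
    for kind, rest in parse_hjt(text):
        note = CHECKS[kind](rest) if kind in CHECKS else None
        if note:
            findings.append((kind, note, rest))
    return findings

# Constructed sample modelled on the entries posted in this thread (the hijack URL and
# the [sysupd] autostart are stand-ins, not entries from the logs above).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Eset\nod32krn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.example-hijack.test/? to verify your age
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\sysupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: S - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\S.exe (file missing)
O23 - Service: XODNZ - Unknown owner - C:\DOCUME~1\BNIK\LOCALS~1\Temp\XODNZ.exe (file missing)
"""

if __name__ == "__main__":
    for kind, note, line in triage(SAMPLE_LOG):
        print(f"{kind:<4}{note}\n    {line}")
```

Run it against a saved log with `python triage_hjt.py` after pasting the log into SAMPLE_LOG, or import `triage` and feed it the file contents. The O17 check is the one worth keeping around: a NameServer line that survives a cleanup (as it does in the follow-up log posted in this thread) means every lookup is still going through the attacker's resolvers regardless of what else was removed, and the only fix is to clear the per-interface NameServer value or set it back to the ISP's addresses.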

Response Number 37
Name: Chanto
Date: December 13, 2006 at 20:51:39 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:15 PM, on 12/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Maxthon\maxthon.exe
C:\Documents and Settings\BNIK\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\BNIK\Application Data\Mozilla\Profiles\default\g7pff1ru.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.exe" -quiet
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnli...
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.co...
O17 - HKLM\System\CCS\Services\Tcpip\..\{944C29A7-D24C-4D1C-8D5F-40A4F783B67E}: NameServer = 85.255.113.117 85.255.112.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - C:\Program Files\Sygate\SPF\smc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.exe
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

Combofix

BNIK - 06-12-13 23:48:37.18 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\BNIK\Desktop\anti spyware"

((((((((((((((((((((((((((((((( Files Created from 2006-11-13 to 2006-12-13 ))))))))))))))))))))))))))))))))))


2006-12-13 00:56 <DIR> d-------- C:\Program Files\Ventrilo
2006-12-13 00:56 <DIR> d-------- C:\Documents and Settings\BNIK\Application Data\Ventrilo
2006-12-04 15:36 <DIR> d-------- C:\HERE
2006-12-03 02:34 <DIR> d-------- C:\Program Files\Viewpoint
2006-12-03 02:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-12-02 01:40 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-11-30 20:48 <DIR> d-------- C:\Documents and Settings\BNIK\DoctorWeb
2006-11-30 19:38 <DIR> d-------- C:\SDFix
2006-11-28 23:37 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-28 23:37 <DIR> d-------- C:\Program Files\Grisoft
2006-11-28 23:19 <DIR> d-------- C:\!KillBox
2006-11-28 22:10 <DIR> d-------- C:\fixwareout
2006-11-28 21:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-28 21:20 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-28 21:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-28 21:20 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-27 11:53 4,308 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-27 11:28 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2006-11-27 11:28 270,336 --a------ C:\WINDOWS\system32\imon.dll
2006-11-27 11:26 <DIR> d-------- C:\Program Files\ESET
2006-11-25 20:07 <DIR> d-------- C:\Documents and Settings\BNIK\.javaws
2006-11-25 20:06 <DIR> d-------- C:\Program Files\Common Files\mozilla.org
2006-11-17 14:02 <DIR> d-------- C:\Program Files\AOD
2006-11-16 22:53 <DIR> d-------- C:\WINDOWS\system32\bak
2006-11-16 18:56 61,440 --a------ C:\WINDOWS\system32\LFGIF14N.DLL
2006-11-16 18:56 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2006-11-16 18:56 487,424 --a------ C:\WINDOWS\system32\LTKRN14n.DLL
2006-11-16 18:56 303,104 --a------ C:\WINDOWS\system32\LTDIS14n.DLL
2006-11-16 18:56 274,432 --a------ C:\WINDOWS\system32\LTEFX14n.DLL
2006-11-16 18:56 24,575 --a------ C:\WINDOWS\system32\msusengwinsyspio46.dll
2006-11-16 18:56 180,224 --a------ C:\WINDOWS\system32\LTFIL14n.DLL
2006-11-16 18:56 1,126,400 --a------ C:\WINDOWS\system32\LTIMG14n.DLL
2006-11-16 18:56 <DIR> d-------- C:\Program Files\IconCool Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-13 23:48 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Skype
2006-12-13 23:47 -------- d-------- C:\Program Files\Steam
2006-12-13 23:32 -------- d-------- C:\Program Files\HLSW
2006-12-13 14:31 -------- d-------- C:\Program Files\Sophos SWEEP for NT
2006-12-13 14:05 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Azureus
2006-12-13 00:56 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-10 12:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-30 21:37 -------- d-------- C:\Program Files\Maxthon
2006-11-30 20:52 -------- d-------- C:\Program Files\QuickTime
2006-11-26 18:31 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Xfire
2006-11-25 20:06 105168 --a------ C:\WINDOWS\NSUninst.exe
2006-11-25 20:06 105168 --a------ C:\WINDOWS\GREUninstall.exe
2006-11-25 20:06 -------- d-------- C:\Program Files\Common Files
2006-11-25 20:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-17 15:06 -------- d-------- C:\Program Files\AIM
2006-11-17 14:35 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Aim
2006-11-16 22:53 -------- d-------- C:\Program Files\MSN Messenger
2006-11-01 17:51 -------- d-------- C:\Program Files\Windows Media Player
2006-10-31 16:25 -------- d-------- C:\Documents and Settings\BNIK\Application Data\Motive
2006-10-31 16:24 -------- d-------- C:\Program Files\Verizon
2006-10-31 16:23 -------- d-------- C:\Program Files\Common Files\Motive
2006-10-30 16:07 -------- d-------- C:\Program Files\hix
2006-10-30 16:07 -------- d-------- C:\Program Files\Common Files\Java
2006-10-30 15:42 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-28 10:03 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-21 15:30 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-20 13:11 -------- d-------- C:\Program Files\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"WebCamRT.exe"=""
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\bak\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DeadAIM"="rundll32.exe \"C:\\PROGRA~1\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849B5-93F3-429D-FF34-660A2068897C}"="DirectX additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoSaveSettings"=dword:00000000
"_NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"nwiz"="nwiz.exe /install"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdpu.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\navdqu.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Microsoft Office Word 2003.job
C:\WINDOWS\tasks\{08994C60-A08D-478A-B424-597D0E5A6D90}_FISHTANK_Inna.job

Completion time: 06-12-13 23:50:51.86
C:\ComboFix.txt ... 06-12-13 23:50
C:\ComboFix2.txt ... 06-12-13 17:09
C:\ComboFix3.txt ... 06-11-30 23:00




Response Number 38
Name: jabuck
Date: December 14, 2006 at 03:49:46 Pacific
Reply:

You are infected with wareout again.

Please download Fixwareout from this link

http://swandog46.geekstogo.com/Fixwareout.exe

or

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click next, then Install, then make sure "Run fixit" is checked and click finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Post a copy of the log located at C:\fixwareout\report.txt


