windows live messenger not working.

[berencam]

My live messenger stoped working lol. i havent installed anything recently it just stoped workin, i uninstalled and reinstalled most all of the windows updates( sp2, hotfixes, .net framework .ect). my regular windows msn woks, just not the live version. Any ideas?

hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:48:33 AM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\calc.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CommServ] C:\WINDOWS\system32\XPAud\csrss.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\XPAud\
O4 - HKLM\..\RunServices: [MSN service] msnmgr16.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[guestolo]

Can I have you scan a couple files for me please
I know one is bad, I'm sure the other is too, but can you scan them please
Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive if you can find it

C:\WINDOWS\system32\XPAud\csrss.exe <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Can you do the same with this file too please
C:\WINDOWS\system32\msnmgr16.exe

After you have done that, can you also do the following
Create a .bat file for me please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat

Save this file on the desktop

 

Code: [Select]

@echo off
cd C:\Windows\System32\XPAud
dir /s /a > C:\find.txt
notepad C:\find.txt
del /q C:\find.txt

Double click on find.bat
A text file should open, copy>>paste back here the contents please

After the above is done
Can you also
==Download this file - Combofix.exe and save it too desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from combofix please

[berencam]

kk ill do all of that, im going to work now tho, so ill be back in 10 hours.

[guestolo]

I'll see ya later then, have fun at work  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'\' />

[berencam]

1. csrss.exe virus scan results
File:      csrss.exe
Status:    INFECTED/MALWARE
MD5    a74f6db979bbd2084eedcc9d350c1cbb
Packers detected:    -
Scanner results
AntiVir    
Found SecurityPrivacyRisk/WinSpy.88.16 riskware
ArcaVir    Found nothing
Avast    Found Win32:WinSpy-Q
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found BackDoor.Generic.1198
F-Prot Antivirus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found not-a-virus:Monitor.Win32.WinSpy.88
NOD32    Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing [/b][/quote]

2. msnmgr16.exe   i could not find that file, i  did a search for it and did not find it =[

3. results from the find.bat file
Volume in drive C has no label.
 Volume Serial Number is DC65-31F1

 Directory of C:\WINDOWS\system32\XPAud

10/21/2006  02:16 PM    <DIR>          .
10/21/2006  02:16 PM    <DIR>          ..
09/07/2006  02:03 PM         4,459,520 csrss.exe
               1 File(s)      4,459,520 bytes

     Total Files Listed:
               1 File(s)      4,459,520 bytes
               2 Dir(s)  21,542,416,384 bytes free


4. combofix log

user - 06-10-22  1:18:39.58    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdates

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-22 to 2006-10-22  ))))))))))))))))))))))))))))))))))
 
 
2006-10-19   03:55   262,784   ---------   C:\WINDOWS\system32\drivers\http.sys
2006-10-19   03:55   23,040   --a------   C:\WINDOWS\system32\fltmc.exe
2006-10-19   03:55   16,896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-10-19   03:55   128,896   ---------   C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-19   03:55   11,776   ---------   C:\WINDOWS\system32\spnpinst.exe
2006-09-29   11:44   8,552   --a------   C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-29   11:42   102,400   --a------   C:\WINDOWS\system32\SimpleRegistry.dll
2006-09-29   11:42   10,752   --a------   C:\WINDOWS\system32\aamd532.dll
2006-09-29   11:40   33,588   -ra------   C:\WINDOWS\system32\drivers\wanatw4.sys


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))   


2006-10-22 01:18   --------   d--------   C:\Program Files\Mozilla Firefox
2006-10-22 00:56   --------   d--------   C:\Program Files\SwiftSwitch
2006-10-21 02:16   --------   d--------   C:\Program Files\ShortKeys2
2006-10-21 01:59   --------   d--------   C:\Program Files\Internet Explorer
2006-10-21 01:47   --------   d--------   C:\Program Files\MSN Messenger
2006-10-21 01:29   --------   d--------   C:\Program Files\Messenger
2006-10-21 01:29   --------   d--------   C:\Program Files\Common Files\System
2006-10-21 01:22   --------   d--------   C:\Program Files\Windows Media Player
2006-10-21 01:16   --------   d--------   C:\Program Files\Outlook Express
2006-10-19 23:35   96256   --a------   C:\WINDOWS\system32\drivers\sptd8829.sys
2006-10-19 23:25   --------   d--------   C:\Program Files\Movie Maker
2006-10-19 23:20   --------   d--------   C:\Program Files\Windows NT
2006-10-19 23:20   --------   d--------   C:\Program Files\NetMeeting
2006-10-18 23:22   --------   d--------   C:\Documents and Settings\user\Application Data\acccore
2006-10-18 23:21   --------   d--------   C:\Program Files\AIM
2006-10-18 23:21   --------   d--------   C:\Documents and Settings\user\Application Data\AIMPro
2006-10-18 23:21   --------   d--------   C:\Documents and Settings\user\Application Data\AIM
2006-10-18 23:20   --------   dr-h-----   C:\Documents and Settings\user\Application Data\yahoo!
2006-10-18 23:18   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-10-18 23:05   3142   --a------   C:\WINDOWS\slog.dll
2006-10-18 23:04   --------   d--------   C:\Program Files\Common Files
2006-10-05 00:18   --------   d--------   C:\Documents and Settings\user\Application Data\Real
2006-10-05 00:16   --------   d--------   C:\Program Files\Common Files\xing shared
2006-10-05 00:15   --------   d--------   C:\Program Files\Common Files\Real
2006-10-05 00:09   774144   --a------   C:\Program Files\RngInterstitial.dll
2006-10-05 00:09   --------   d--------   C:\Program Files\Real
2006-10-01 16:18   --------   d--------   C:\Program Files\Common Files\aolshare
2006-10-01 16:18   --------   d--------   C:\Program Files\Common Files\AOL
2006-09-29 11:54   --------   d--------   C:\Documents and Settings\user\Application Data\AOL
2006-09-29 11:45   --------   d--------   C:\Program Files\Common Files\Nullsoft
2006-09-29 11:45   --------   d--------   C:\Documents and Settings\user\Application Data\You've Got Pictures Screensaver
2006-09-29 11:42   --------   d--------   C:\Program Files\Viewpoint
2006-09-29 11:39   --------   d--------   C:\Documents and Settings\user\Application Data\Mozilla
2006-09-26 16:46   --------   d--------   C:\Program Files\World of Warcraft
2006-09-26 01:34   --------   d--------   C:\Program Files\mIRC
2006-09-23 03:56   --------   d--------   C:\Program Files\Common Files\Symantec Shared
2006-09-22 01:43   --------   d--------   C:\Documents and Settings\user\Application Data\FrostWire
2006-09-16 03:13   --------   d--------   C:\Program Files\ADShareit
2006-09-16 03:08   --------   d--------   C:\Documents and Settings\user\Application Data\Eltima Software
2006-09-16 03:07   --------   d--------   C:\Program Files\Eltima Software
2006-09-16 03:03   --------   d--------   C:\Program Files\Flash SWF to GIF AVI Converter
2006-09-15 14:07   --------   d--------   C:\Program Files\DAEMON Tools
2006-09-14 23:10   --------   d--------   C:\Program Files\Norton AntiVirus
2006-09-14 23:09   --------   d--------   C:\Program Files\Symantec
2006-09-14 02:36   --------   d--------   C:\Program Files\Common Files\Services
2006-09-14 02:27   --------   d--------   C:\Documents and Settings\user\Application Data\Symantec
2006-09-14 02:12   10344   --a------   C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-14 02:11   --------   d--------   C:\Program Files\Yahoo!
2006-09-14 02:09   --------   d---s----   C:\Documents and Settings\user\Application Data\Microsoft
2006-09-14 02:07   --------   d--------   C:\Documents and Settings\user\Application Data\Lavasoft
2006-09-13 00:01   1084416   --a------   C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51   1245184   --a------   C:\WINDOWS\system32\msxml4.dll
2006-09-09 12:09   --------   d--------   C:\Program Files\Common Files\WhenU
2006-09-09 12:09   --------   d--------   C:\Documents and Settings\user\Application Data\WhenU
2006-09-09 12:08   223128   --a------   C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-09 03:56   643072   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2006-09-08 16:01   --------   d--------   C:\Program Files\LimeWire
2006-09-08 05:23   --------   d--------   C:\Program Files\Return to Castle Wolfenstein Multiplayer DEMO
2006-09-07 14:00   50176   --a------   C:\WINDOWS\rcdesk.exe
2006-09-07 04:05   419   --a------   C:\WINDOWS\winndm32.dll
2006-09-07 03:58   3   --a------   C:\WINDOWS\zclient.dll
2006-09-07 03:58   --------   d--------   C:\Program Files\Accessories
2006-09-07 03:42   82649   --a------   C:\WINDOWS\Generic Installer Uninstaller.exe
2006-09-01 02:05   --------   d--h-----   C:\Program Files\Uninstall Information
2006-08-31 21:15   --------   d--------   C:\Program Files\MSXML 4.0
2006-08-25 10:45   617472   --a------   C:\WINDOWS\system32\comctl32.dll
2006-08-19 15:56   102400   --a------   C:\WINDOWS\messanger.exe
2006-08-18 04:01   46080   --a------   C:\WINDOWS\msimn32.exe
2006-08-18 01:21   98304   --a------   C:\WINDOWS\system32\pspsvc.dll
2006-08-18 01:21   98304   --a------   C:\WINDOWS\pspsvc.dll
2006-08-16 06:58   100352   --a------   C:\WINDOWS\system32\6to4svc.dll
2006-08-07 16:02   534208   --a------   C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02   161472   --a------   C:\WINDOWS\system32\SymRedir.dll
2006-08-03 03:04   337408   --a------   C:\WINDOWS\host32.exe
2006-07-29 19:32   48936   --a------   C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24   679424   --a------   C:\WINDOWS\system32\inetcomm.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"CommServ"="C:\\WINDOWS\\system32\\XPAud\\csrss.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
@="C:\\WINDOWS\\system32\\XPAud\\"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSN service"="msnmgr16.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"=" mousepen"
"hkey"="HKCU"
"command"=" mousepen.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job

Completion time: 06-10-22  1:20:09.02
C:\ComboFix.txt ... 06-10-22 01:20

Thanks for the help, and good luck analizing that log O_o

[guestolo]

Did you knowingly install a Keylogger on your machine>>WINSPY
This runs in stealth mode and monitors everything on your computer
We must remove it if you don't know nothing about it

It can be used remotely from another machine to log everything you do on your computer

It won't show in add/remove programs

Also
Download the latest version of  [color=\"red\"]SmitfraudFix[/color][/url] (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

[color=\"#3366FF\"]Note[/color] : [color=\"#FF0000\"]process.exe[/color] [color=\"#3366FF\"]is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.[/color]

[berencam]

i didnt  install winspy, im doing a search for it now, and heres the smitfraud report:
EDIT: i cannot find winspy on my computer....
SmitFraudFix v2.112

Scan done at 10:54:23.30, Sun 10/22/2006
Run from C:\Documents and Settings\user\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1

C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"

[HKEY_CLASSES_ROOT\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[jordonc2006]

beren you thought of just rebootin your whole computer?



btw while im on this thread, guestolo can u like add me on msn or summin plz its urgent i dnt wnt my main gettin abnend http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'\' />

[guestolo]

AVG antispyware should remove most of the entries of Winspy
Can you do the following please
Download>>Install [color=\"#000099\"]AVG Anti-Spyware 7.5[/color] from Ewido networks

• Load AVG-antispyware and then click the Update tab at the top. Under Manual Update click Start update.
  
• After the update finishes (the status bar at the bottom will display "Update successful")
• Close AVG antispyware as we will need it later

Can you next create a .reg file for me please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy Everything from REGEDIT4 and down in the code box

 

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"MSN service"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}]

[-HKEY_CLASSES_ROOT\clsid\{59879fa4-4790-461c-a1cc-4ec4de4ca483} ]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FB590D02-0A82-4F44-9FAD-517948DCF4F3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RXToolBar.TBInfo]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RXToolBar.TBInfo.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RXToolBar]

[-HKEY_CURRENT_USER\SOFTWARE\RX Toolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
We'll need this later

Print the rest of these instructions or save them too a text file on desktop
Close all browser windows
Access your add/remove programs and remove
RXToolbar if found

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account

In safe mode, do the following

* Clean your Cache and Cookies in IE:

• Go to Control Panel > Internet Options > General tab
• Click the "Delete Cookies" button
• Next to it, Click the "Delete Files" button
• When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

• Go to Tools > Options.
• Click Privacy in the menu on the left side of the Options window.
• Click the Clear button located to the right of each option (History, Cookies, Cache).
• Click OK to close the Options window

Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
[/list]* Clean other Temporary files + Recycle bin

• Go to start > run and type:

cleanmgr and click ok.

• Let it scan your system for files to remove.
• Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
• Press OK to remove them.

==Open the SmitfraudFix folder you extracted to desktop earlier

• Double-click smitfraudfix.cmd
  
• Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  
  
• You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  
  
• The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt
If a reboot was required, allow windows to load normally, than later reboot back to safe mode
If a reboot is not required, Remain in safe mode

==Double click on fix.reg and allow to add/merge to the registry at the prompt

AVG-Antispyware Scan

• Load AVG and select the "Scanner" tab
• Click the "Settings" tab and then change the recommended action to Quarantine and ensure that  Automatically generate report after every scan is selected
  
• Click back to the "Scan" tab and then click on Complete System Scan.
  
• Let this scan complete
• AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  
  
• Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).

Reboot the computer to Normal windows

Can I see all the following please, even if it takes more than one reply to post everything

1. Post a fresh hijackthis log
2. Post the whole report from Avg Antispyware
3. Post the log from Smitfraudfix>>C:\Rapport.txt

Can you also do the following

From the bottom of this reply box
Download and save find.zip
 then unzip the contents to desktop so you now have find.bat extracted
Double click on find.bat, a text file will open, copy>>Paste back the whole contents please

[berencam]

1. Post a fresh hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 11:23:59 PM, on 10/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wltray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe




2. Post the whole report from Avg Antispyware

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   11:10:03 PM 10/22/2006

 + Scan result:   



HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
HKU\S-1-5-21-1123561945-706699826-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned.
C:\WINDOWS\system32\atl32.dll -> Not-A-Virus.Monitor.Win32.EliteKeylogger.30 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\acpi2k.sys -> Not-A-Virus.Monitor.Win32.EliteKeylogger.30 : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmadmsvr.exe -> Not-A-Virus.Monitor.Win32.EliteKeylogger.3019 : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Desktop\Unused Desktop Shortcuts\Win-Spy Eval Setup.exe/10.txt -> Not-A-Virus.Monitor.Win32.WinSpy.88 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{BF343766-BF71-4C2D-90A7-CE2DD9119F7A}\RP237\A0070669.exe -> Not-A-Virus.Monitor.Win32.WinSpy.88 : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.106:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.107:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.108:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\user_2\Application Data\Mozilla\Firefox\Profiles\2idtd1yk.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Will\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.85:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.87:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.88:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.11:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.12:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.50:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.51:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.52:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.53:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.25:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.27:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Dbbsrv : Cleaned.
:mozilla.29:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.12:C:\Documents and Settings\user_2\Application Data\Mozilla\Firefox\Profiles\2idtd1yk.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.92:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Will\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\MSWORKS\Local Disk (D)\WINDOWS\Cookies\[email protected] -> TrackingCookie.Paycounter : Cleaned.
:mozilla.73:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.74:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.75:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.100:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.101:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.102:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.105:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.99:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.64:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.65:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.66:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.67:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.68:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.69:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.70:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.119:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.76:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.77:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.78:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.79:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.80:C:\Documents and Settings\Will\Application Data\Mozilla\Firefox\Profiles\vhkybiws.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user_2\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user_2\Cookies\user_2@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\thriXXX\3D SexVilla\Binaries\3DSexVilla-017-001-start.exe -> Trojan.QQPass.ly : Cleaned with backup (quarantined).
C:\Program Files\thriXXX\VirtuallyJenna\Binaries\VirtuallyJenna-017.002-start.exe -> Trojan.QQPass.ly : Cleaned with backup (quarantined).


::Report end


3. Post the log from Smitfraudfix>>C:\Rapport.txt

SmitFraudFix v2.112

Scan done at 13:14:42.24, Sun 10/22/2006
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"

[HKEY_CLASSES_ROOT\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{6af69c4d-420a-4c95-b34f-e4635f84f53b}\InProcServer32]
@="C:\WINDOWS\System32\viwpzla.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\user\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

4. find.bat results

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MSN service"="msnmgr16.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
  00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
  00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
  5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
  5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
  00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
  14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
  00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"=""

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002fc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):00,00,73,00,63,00,65,00,63,00,6c,00,69,00,00,00,\
  73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d3,4c,b4,c6,6e,df,77,e8,a5,7b,0b,dc,85,82,0b,66,65,66,66,64,30,\
  61,35,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,83,74,32,6b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b3,60,71,97,28,b3,ec,75,f9

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:76,4c,b9,87,c8,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:07,f2,6c,ed,8a,b8,af,7d,93,c1,94,ae,87,b6,ba,6c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:60,64,b6,a2,9b,cd,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01


i did get your message, and i used the new fix.reg.

[guestolo]

Good work
I removed your signatures ONLY in this thread
and removed some of the quote boxes and bolds
It all reduced the size of this thread a bit

Can you do one more log for me please
Run Combofix again and post the new log in a new reply please

Let's see what we have leftover
I may not see it till tomorrow, but we'll get the rest of this

[berencam]

user - 06-10-23  3:38:47.05    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\user\Desktop"

(((((((((((((((((((((((((((((((   Files Created from 2006-09-23 to 2006-10-23  ))))))))))))))))))))))))))))))))))
 
 
2006-10-22   23:22   8,506   --a------   C:\cp.reg
2006-10-22   12:44   3,968   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-22   10:54   53,248   --a------   C:\WINDOWS\system32\Process.exe
2006-10-22   10:54   40,960   --a------   C:\WINDOWS\system32\swsc.exe
2006-10-22   10:54   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2006-10-22   10:54   135,168   --a------   C:\WINDOWS\system32\swreg.exe
2006-10-19   03:55   262,784   ---------   C:\WINDOWS\system32\drivers\http.sys
2006-10-19   03:55   23,040   --a------   C:\WINDOWS\system32\fltmc.exe
2006-10-19   03:55   16,896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-10-19   03:55   128,896   ---------   C:\WINDOWS\system32\drivers\fltmgr.sys
2006-10-19   03:55   11,776   ---------   C:\WINDOWS\system32\spnpinst.exe
2006-09-29   11:44   8,552   --a------   C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-29   11:42   102,400   --a------   C:\WINDOWS\system32\SimpleRegistry.dll
2006-09-29   11:42   10,752   --a------   C:\WINDOWS\system32\aamd532.dll
2006-09-29   11:40   33,588   -ra------   C:\WINDOWS\system32\drivers\wanatw4.sys


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))   


2006-10-23 03:39   --------   d--------   C:\Program Files\Incomplete
2006-10-23 03:39   --------   d--------   C:\Program Files\FrostWire
2006-10-23 03:38   --------   d--------   C:\Program Files\SwiftSwitch
2006-10-23 03:29   --------   d--------   C:\Program Files\Mozilla Firefox
2006-10-23 00:37   --------   d--------   C:\Program Files\ShortKeys2
2006-10-22 12:51   208907534   --a------   C:\WINDOWS\system32\WINcache.DLL
2006-10-22 12:44   --------   d--------   C:\Program Files\Grisoft
2006-10-21 01:59   --------   d--------   C:\Program Files\Internet Explorer
2006-10-21 01:47   --------   d--------   C:\Program Files\MSN Messenger
2006-10-21 01:29   --------   d--------   C:\Program Files\Messenger
2006-10-21 01:29   --------   d--------   C:\Program Files\Common Files\System
2006-10-21 01:22   --------   d--------   C:\Program Files\Windows Media Player
2006-10-21 01:16   --------   d--------   C:\Program Files\Outlook Express
2006-10-19 23:35   96256   --a------   C:\WINDOWS\system32\drivers\sptd8829.sys
2006-10-19 23:25   --------   d--------   C:\Program Files\Movie Maker
2006-10-19 23:20   --------   d--------   C:\Program Files\Windows NT
2006-10-19 23:20   --------   d--------   C:\Program Files\NetMeeting
2006-10-18 23:22   --------   d--------   C:\Documents and Settings\user\Application Data\acccore
2006-10-18 23:21   --------   d--------   C:\Program Files\AIM
2006-10-18 23:21   --------   d--------   C:\Documents and Settings\user\Application Data\AIMPro
2006-10-18 23:21   --------   d--------   C:\Documents and Settings\user\Application Data\AIM
2006-10-18 23:20   --------   dr-h-----   C:\Documents and Settings\user\Application Data\yahoo!
2006-10-18 23:18   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-10-18 23:05   3142   --a------   C:\WINDOWS\slog.dll
2006-10-18 23:04   --------   d--------   C:\Program Files\Common Files
2006-10-05 00:18   --------   d--------   C:\Documents and Settings\user\Application Data\Real
2006-10-05 00:16   --------   d--------   C:\Program Files\Common Files\xing shared
2006-10-05 00:15   --------   d--------   C:\Program Files\Common Files\Real
2006-10-05 00:09   774144   --a------   C:\Program Files\RngInterstitial.dll
2006-10-05 00:09   --------   d--------   C:\Program Files\Real
2006-10-01 16:18   --------   d--------   C:\Program Files\Common Files\aolshare
2006-10-01 16:18   --------   d--------   C:\Program Files\Common Files\AOL
2006-09-29 11:54   --------   d--------   C:\Documents and Settings\user\Application Data\AOL
2006-09-29 11:45   --------   d--------   C:\Program Files\Common Files\Nullsoft
2006-09-29 11:45   --------   d--------   C:\Documents and Settings\user\Application Data\You've Got Pictures Screensaver
2006-09-29 11:42   --------   d--------   C:\Program Files\Viewpoint
2006-09-29 11:39   --------   d--------   C:\Documents and Settings\user\Application Data\Mozilla
2006-09-26 16:46   --------   d--------   C:\Program Files\World of Warcraft
2006-09-26 01:34   --------   d--------   C:\Program Files\mIRC
2006-09-23 03:56   --------   d--------   C:\Program Files\Common Files\Symantec Shared
2006-09-22 01:43   --------   d--------   C:\Documents and Settings\user\Application Data\FrostWire
2006-09-16 03:13   --------   d--------   C:\Program Files\ADShareit
2006-09-16 03:08   --------   d--------   C:\Documents and Settings\user\Application Data\Eltima Software
2006-09-16 03:07   --------   d--------   C:\Program Files\Eltima Software
2006-09-16 03:03   --------   d--------   C:\Program Files\Flash SWF to GIF AVI Converter
2006-09-15 14:07   --------   d--------   C:\Program Files\DAEMON Tools
2006-09-14 23:10   --------   d--------   C:\Program Files\Norton AntiVirus
2006-09-14 23:09   --------   d--------   C:\Program Files\Symantec
2006-09-14 02:36   --------   d--------   C:\Program Files\Common Files\Services
2006-09-14 02:27   --------   d--------   C:\Documents and Settings\user\Application Data\Symantec
2006-09-14 02:12   10344   --a------   C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-14 02:11   --------   d--------   C:\Program Files\Yahoo!
2006-09-14 02:09   --------   d---s----   C:\Documents and Settings\user\Application Data\Microsoft
2006-09-14 02:07   --------   d--------   C:\Documents and Settings\user\Application Data\Lavasoft
2006-09-13 00:01   1084416   --a------   C:\WINDOWS\system32\msxml3.dll
2006-09-12 17:51   1245184   --a------   C:\WINDOWS\system32\msxml4.dll
2006-09-09 12:09   --------   d--------   C:\Program Files\Common Files\WhenU
2006-09-09 12:09   --------   d--------   C:\Documents and Settings\user\Application Data\WhenU
2006-09-09 12:08   223128   --a------   C:\WINDOWS\system32\drivers\dtscsi.sys
2006-09-09 03:56   643072   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2006-09-08 16:01   --------   d--------   C:\Program Files\LimeWire
2006-09-08 05:23   --------   d--------   C:\Program Files\Return to Castle Wolfenstein Multiplayer DEMO
2006-09-07 14:00   50176   --a------   C:\WINDOWS\rcdesk.exe
2006-09-07 04:05   419   --a------   C:\WINDOWS\winndm32.dll
2006-09-07 03:58   3   --a------   C:\WINDOWS\zclient.dll
2006-09-07 03:58   --------   d--------   C:\Program Files\Accessories
2006-09-07 03:42   82649   --a------   C:\WINDOWS\Generic Installer Uninstaller.exe
2006-09-01 02:05   --------   d--h-----   C:\Program Files\Uninstall Information
2006-08-31 21:15   --------   d--------   C:\Program Files\MSXML 4.0
2006-08-25 10:45   617472   --a------   C:\WINDOWS\system32\comctl32.dll
2006-08-19 15:56   102400   --a------   C:\WINDOWS\messanger.exe
2006-08-18 04:01   46080   --a------   C:\WINDOWS\msimn32.exe
2006-08-18 01:21   98304   --a------   C:\WINDOWS\system32\pspsvc.dll
2006-08-18 01:21   98304   --a------   C:\WINDOWS\pspsvc.dll
2006-08-16 06:58   100352   --a------   C:\WINDOWS\system32\6to4svc.dll
2006-08-07 16:02   534208   --a------   C:\WINDOWS\system32\SymNeti.dll
2006-08-07 16:02   161472   --a------   C:\WINDOWS\system32\SymRedir.dll
2006-08-03 03:04   337408   --a------   C:\WINDOWS\host32.exe
2006-07-29 19:32   48936   --a------   C:\WINDOWS\system32\sirenacm.dll
2006-07-27 08:24   679424   --a------   C:\WINDOWS\system32\inetcomm.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"wltray.exe"="C:\\WINDOWS\\System32\\wltray.exe"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mm_tray.exe"
"mmtask"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Encrypted Disk Auto Mount"="rundll32.exe edshell.dll,MountAll"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\XPAud\\"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CommServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="csrss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\XPAud\\csrss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"=" mousepen"
"hkey"="HKCU"
"command"=" mousepen.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job

Completion time: 06-10-23  3:41:31.71
C:\ComboFix.txt ... 06-10-23 03:41
C:\ComboFix2.txt ... 06-10-22 01:20

[guestolo]

Sorry for the delay
Can you do the following please

Unfortunately, before you ran fix.reg, you disabled some items on startup with msconfig
I need everything enabled on startup
Can you ensure that you still have fix.reg saved to desktop, we'll need it later

Go to START>>RUN>>Type in
msconfig
Hit OK
Under the STARTUP tab>>Enable ALL>>Apply it
Under the General tab>>select NORMAL startup
APPLY it and CLOSE
DO NOT Restart the computer yet
Instead
Download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy ALL the text contained in [color=\"#3333FF\"]blue[/color] below to your Clipboard by highlighting it and pressing the (Ctrl+C) on your keyboard,
=============================================================

[color=\"#3333FF\"]files to delete:
C:\WINDOWS\host32.exe
C:\WINDOWS\pspsvc.dll
C:\WINDOWS\system32\pspsvc.dll
C:\WINDOWS\msimn32.exe
C:\WINDOWS\messanger.exe
C:\WINDOWS\Generic Installer Uninstaller.exe
C:\WINDOWS\zclient.dll
C:\WINDOWS\winndm32.dll
C:\WINDOWS\rcdesk.exe
C:\WINDOWS\system32\XPAud\csrss.exe
C:\WINDOWS\system32\msnmgr16.exe

Folders to delete:
C:\WINDOWS\system32\XPAud[/color]

==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the [color=\"#00FF00\"]Green Light[/color] to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Double click on fix.reg and allow to add/merge to the registry

Reboot the computer again

Back in Windows
Can you run these files thru either Jotti's online scanner OR Virustotal please and post the results
C:\WINDOWS\slog.dll
C:\WINDOWS\system32\WINcache.DLL
C:\WINDOWS\system32\drivers\sptd8829.sys
C:\WINDOWS\system32\aamd532.dll
Here's the link's again
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Also, can you search for this file on your drive
mousepen.exe
If you find it can you scan it too please

Can you post the above scans please
Also, Post a fresh hijackthis log along with the log from Avenger, found here>>C:\Avenger.txt
Let me know how things are running

[berencam]

C:\WINDOWS\slog.dll-------found nothing
C:\WINDOWS\system32\WINcache.DLL-----is 200mbs so i couldnt upload it and scan it
C:\WINDOWS\system32\drivers\sptd8829.sys-----is in use cant be scanned
C:\WINDOWS\system32\aamd532.dll-----found nothing
mousepen---found nothing

=============================================================================
Logfile of HijackThis v1.99.1
Scan saved at 11:00:13 PM, on 10/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\progra~1\mozill~1\firefox.exe
C:\Program Files\SwiftSwitch\SwiftSwitch.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

=============================================================================

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mhdwopxi

*******************

Script file located at: \??\C:\WINDOWS\jbqtxrpj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\host32.exe deleted successfully.
File C:\WINDOWS\pspsvc.dll deleted successfully.
File C:\WINDOWS\system32\pspsvc.dll deleted successfully.
File C:\WINDOWS\msimn32.exe deleted successfully.
File C:\WINDOWS\messanger.exe deleted successfully.
File C:\WINDOWS\Generic Installer Uninstaller.exe deleted successfully.
File C:\WINDOWS\zclient.dll deleted successfully.
File C:\WINDOWS\winndm32.dll deleted successfully.
File C:\WINDOWS\rcdesk.exe deleted successfully.
File C:\WINDOWS\system32\XPAud\csrss.exe deleted successfully.


File C:\WINDOWS\system32\msnmgr16.exe not found!
Deletion of file C:\WINDOWS\system32\msnmgr16.exe failed!

Could not process line:
C:\WINDOWS\system32\msnmgr16.exe
Status: 0xc0000034

Folder C:\WINDOWS\system32\XPAud deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

[berencam]

and i cant get on live messenger still, but my old versoin of messenger is still operational, altho my computer seems to be running faster =]

[berencam]

bumpos...it was gettin down there

[guestolo]

Sorry for the delay, can you do the following please
Delete fix.reg on desktop

Make a new fix.reg
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 

Code: [Select]

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"MSN service"=-

Double click on fix.reg and allow to add/merge to the registry at the prompt

I'm don't think Wincache.dll is a good guy, but to be safe
Can you navigate to C:\WINDOWS\system32\WINcache.DLL
Right click on Wincache.dll and rename it to
WINcache.dl_

We MUST update your version of Sun Java to plug up security holes that malware can exploit
==Download the latest version of  Java Runtime Environment (JRE) 5.0 Update 9

• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  
• Click the "Download" button to the right.
  
• Check the box that says: "Accept License Agreement[/i]".
  
• The page will refresh.
• Click on the link to download Windows Offline Installation Multi-language
  

Save the file to your Desktop.
Don't install it yet

Access your Add/remove programs via Control Panel
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
eg..J2SE Runtime Environment 5.0 Update 7
They should have the following icon next to it: <img src="http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif" border="0" class="linked-image" />
Select it and click Remove them


Do a "System scan only" with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

REboot your computer

Find and delete this folder if found
C:\Program Files\RXToolBar <-this folder

Go ahead and install the latest version of Sun java from the installer on your desktop
After installation you can delete the installer

You had a keylogger on your computer
I recommend you change the passwords on your computer
This includes email>>banking>>Gaming>>IM>>etc...

Post a fresh Hijackthis log
Can I also see the following from Hijackthis
Close Hijackthis>>Reopen it
Click on Misc tools section
Open Hosts file manager
Click on "Open in Notepad"
Copy>>Paste back here the whole contents please

Could you also navigate to C:\cp.reg
RIGHT CLICK on cp.reg and choose EDIT
Can you copy and paste the contents back here
just close it out after

[berencam]

hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:23:01 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\drivers\crauto.exe
C:\WINDOWS\System32\drivers\IMountSRV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wltray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\user\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\System32\wltray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~1\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Encrypted Disk Auto Mount] rundll32.exe edshell.dll,MountAll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ScanPanel.lnk = C:\Program Files\ePlus48U\ScanPanel\ScnPanel.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: Convert for CLIE - C:\Program Files\Sony\Image Converter\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157094774263
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: crauto - Unknown owner - C:\WINDOWS\System32\drivers\crauto.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\System32\drivers\IMountSRV.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PMounter - Unknown owner - C:\Paragon HDM\Ext2\PMounter.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

=============================================================================

hosts file manager

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

=============================================================================

cp.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:000002fc
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):00,00,73,00,63,00,65,00,63,00,6c,00,69,00,00,00,\
  73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:d3,4c,b4,c6,6e,df,77,e8,a5,7b,0b,dc,85,82,0b,66,65,66,66,64,30,\
  61,35,35,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,83,74,32,6b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b3,60,71,97,28,b3,ec,75,f9

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:76,4c,b9,87,c8,de

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:07,f2,6c,ed,8a,b8,af,7d,93,c1,94,ae,87,b6,ba,6c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:60,64,b6,a2,9b,cd,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d9,4a,94,f8,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,6f,e3,94,f8,79,c4,01
"Type"=dword:00000031

=============================================================================

could not rename WINcache.dll it was in use by another program.....

[guestolo]

Never mind about c:/cp.reg, that was created by me with the batch file  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />
You can delete it

Can you restart into safe mode and rename WinCache.dll

How's everything