Free Malware Removal Forum

[Shekb]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:31 AM, on 5/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.6.5:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [anvshell] //~anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LyraHD2TrayApp] //~c:\program files\thomson\lyra jukebox\lyrahdtrayapp\lyrahd2trayapp.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9278 bytes

[John B.]

Hi! and welcome to the Malware Removal forums.

Sorry for the delay, but it is very busy at all forums.

My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:

• Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• Please reply to this thread. Do not start a new topic.
• Also, don't post logs as attachments. Other helpers like to view the logs as well and opening a lot of attachments is irritating. It can also contain malware.

Finally, please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

• Start HijackThis
• Click on the Config button
• Click on the Misc Tools button
• Click on the Open Uninstall Manager button.
• Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log and tell me why you are seeking help (just a check up or specific problems).

Greets, John.

[Shekb]

Here is the uninstall list

7-Zip 4.57
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AoA Audio Extractor 1.0
Apple Software Update
ATI Display Driver
Audacity 1.2.6
AusLogics Disk Defrag
AVG Free 8.0
Counter-Strike(TM)
Day of Defeat
Deathmatch Classic
DivX
DivX Player
EPSON Printer Software
EPSON Scan
EPSON Stylus CX9400Fax Series Scanner Driver Update
FlashGet 1.9.0.1012
GTK+ Runtime 2.12.8 rev a (remove only)
GTOneCare
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
ICatch (VI) PC Camera
Indeo® software
Indeo® XP Software
IsoBuster 2.3
Java(TM) 6 Update 3
LibUSB-Win32-0.1.10.1
LimeWire 4.16.3
Lyra Jukebox Applications
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (2.0.0.14)
Mozilla Firefox (3.0)
Mozilla Firefox (3.0b5)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MULTI-DIRECTION OPTICAL MOUSE 1.3
nCleaner second 2.3.4.0
NVIDIA Drivers
QuickTime
Ricochet
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Shareaza
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steam(TM)
VIA Rhine-Family Fast-Ethernet Adapter
vixy converter uninstall
Winamp
Winamp Remote
Windows Imaging Component
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
Worms2

[Shekb]

I need a check-up because it seems as though, even though I delete malware, it comes right back in

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:37 PM, on 5/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.6.5:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [anvshell] //~anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LyraHD2TrayApp] //~c:\program files\thomson\lyra jukebox\lyrahdtrayapp\lyrahd2trayapp.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9318 bytes

[John B.]

Hi,

I need a check-up because it seems as though, even though I delete malware, it comes right back in

What do you mean by that? Does AVG warn you about some type of malware? What is its name?

Your HijackThis and uninstall log are completely clean. There are a lot of left-overs of old programs and some other things to do. We will also run a few more scans to make sure you are completely clean.

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
Additional information on the safety of Peer-to-Peer programs themselves is here :
Clean/Infected P2P Programs
If you decide to stop using Peer-to-Peer programs you can remove them like this:

• Click Start
• Go to Control Panel
• Go to Add/Remove Programs
• Find and click Remove for the programs you want to remove

You aren't running Firewall Software. Please download and install one of them first!

Use a Firewall - Using a Firewall on your computer can be very important. Without a firewall your computer is susceptible to being hacked and taken over. There are some different situations you can be in where a third-party firewall may or may not be a good addition to your system:

• If you are not using Windows XP or Vista, but an older version I recommend you to use a firewall.
• If you are using Windows XP or Vista, but are on dial-up I recommend you to use a firewall.
• If you are using Windows XP or Vista and are using broadband, but are not experienced in using firewalls and getting the choice to allow or disallow things I recommend you to use Windows Firewall.
• If you are using Windows XP or Vista, are using broadband and experienced, I recommend you to disable Windows Firewall (as it is not perfect) and get a third-party firewall.

Here are some firewalls which are free for personal use and most used:
Kerio Personal Firewall (Free version after 30 days)
Online Armor Free

Or you could buy their paid version online or in a shop nearby:
Kerio Personal Firewall (Continue paid version after 30 days)
Online Armor or Online Armor AV+ with Anti-Virus included

As you did this, we can begin with the fix.

Step 1: Disable Ad-Aware 2007 Service
Please disable the Ad-Aware 2007 Service as it may interfere with the fix.

• On your desktop, click Start.
• Choose Run.
• Type services.msc in the open box and click OK or press Enter.
• Scroll down the list of services and double-click Ad-Aware 2007 Service.
• In the service properties window that opens, click the STOP button.
• Under Startup Type, use the pull down menu and select Manual from the list of options.
• Click OK and exit the Services Control Manager.
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

Step 2: Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:

• Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
• Choose Exit Spybot S&D Resident

Second:

• Open Spybot S&D
• Click Mode, check Advanced Mode
• Go To Left Panel, Click Tools, then also in left panel, click Resident
• If your firewall raises a question, say OK
• Uncheck the box labeled Resident Tea-Timer and OK any prompts.
• Use File, Exit to terminate Spybot
• Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in TeaTimer.

Step 3: Remove HijackThis entries

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  
  O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
  O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
  
  O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
  
  O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
  O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
  O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
  O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
  O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
  O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
  
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Step 4: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

• Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
• Scroll down to where it says Java Runtime Environment (JRE) 6 Update 6.
• Click the Download button to the right.
• Choose the correct Platform and Multi-language. Also, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
• Then click Continue.
• Click on the filename under Windows Offline Installation and save it to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.
• Note: If you don't want the Google toolbar, make sure you uncheck the option included in the installer!

Step 5: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 6: Download and Run ComboFix
Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to do that for your programs see this webpage:
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on combofix.exe & follow the prompts. Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt

Note: Remember to re-enable your anti virus program.

Step 7: Run Kaspersky Online Scan
Please do an online scan with Kaspersky Online Scanner. Please use Internet Explorer as it uses ActiveX.

Click on Kaspersky Online Scanner and click Accept

You will be promted to install an ActiveX component from Kaspersky, so click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  
  • Scan using the following Anti-Virus database:
    
    Extended (if available otherwise Standard)
    
  • Scan Options:
    
    • Scan Archives
    • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer.
• The program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button and save the file to your desktop.

Step 8: Post logs
Please post the following logs in a reply to this topic (use multiple posts if needed):

• Answer the questions I asked you at the top of this post
• Fresh HijackThis log
• ComboFix log
• Kaspersky log

Greets, John.

[Shekb]

Kaspersky log
===========================
Failed to load Kaspersky Online Scanner ActiveX control!

You must have administrative rights on this computer;
you also must have the IE security settings to the Medium level.
===========================

Yeah, it sucks, even with everything in Active X enabled, it doesn't work
I put it on medium security after, like they said, doesn't work either

Tried with Firefox with the IE Tab add-on, doesn't work


About the question you asked, I scanned with AVG 8 and it told me my computer was infested with Spyware and Trojans, so I came here to see if it was just him panicking

He did this 2 times in a row, with the same problems

[Shekb]

New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:16:51 PM, on 5/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.20.6.5:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [anvshell] //~anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LyraHD2TrayApp] //~c:\program files\thomson\lyra jukebox\lyrahdtrayapp\lyrahd2trayapp.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8708 bytes

[Shekb]

Combofix log

ComboFix 08-05-29.1 - Sr 2008-05-29 18:41:31.7 - NTFSx86
Running from: C:\Documents and Settings\Sr\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\w32apiw.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 17:35 . 2008-05-29 18:20 <DIR> d-------- C:\Documents and Settings\Sr\.SunDownloadManager
2008-05-07 18:05 . 2008-05-07 18:05 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-07 18:05 . 2008-05-07 18:05 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-07 18:05 . 2008-05-07 18:05 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-07 07:51 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-05-07 07:50 . 2008-04-13 20:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
2008-05-07 07:50 . 2008-04-13 20:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
2008-05-07 07:50 . 2008-04-13 20:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-05-07 07:50 . 2008-04-13 20:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-05-07 07:50 . 2008-04-13 20:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-05-07 07:50 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-05-07 07:50 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-05-07 07:50 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-05-07 07:49 . 2008-04-13 20:12 1,306,624 -----c--- C:\WINDOWS\system32\dllcache\msxml6.dll
2008-05-07 07:49 . 2008-04-13 20:12 193,024 --------- C:\WINDOWS\system32\napmontr.dll
2008-05-07 07:49 . 2008-04-13 20:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-05-07 07:49 . 2008-04-13 20:12 155,136 --------- C:\WINDOWS\system32\mssha.dll
2008-05-07 07:49 . 2008-04-13 20:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-05-07 07:49 . 2008-04-13 13:27 79,872 --a------ C:\WINDOWS\system32\msxml6r.dll
2008-05-07 07:49 . 2008-04-13 13:27 79,872 -----c--- C:\WINDOWS\system32\dllcache\msxml6r.dll
2008-05-07 07:49 . 2008-04-13 14:14 76,800 --------- C:\WINDOWS\system32\msshavmsg.dll
2008-05-07 07:49 . 2008-04-13 20:12 30,208 --------- C:\WINDOWS\system32\napipsec.dll
2008-05-07 07:48 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-05-07 07:48 . 2008-04-13 20:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-05-07 07:48 . 2008-04-13 20:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-05-07 07:48 . 2008-04-13 20:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-05-07 07:47 . 2008-04-13 20:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-05-07 07:47 . 2008-04-13 20:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-05-07 07:47 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-05-07 07:47 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-05-07 07:47 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-05-07 07:47 . 2008-04-13 20:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-05-07 07:46 . 2008-04-13 20:10 102,912 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-05-07 07:46 . 2008-04-13 14:53 36,608 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2008-05-07 07:46 . 2008-04-13 20:09 24,064 -----c--- C:\WINDOWS\system32\dllcache\pidgen.dll
2008-05-07 07:46 . 2008-04-13 20:12 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-05-07 07:46 . 2008-04-13 20:12 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-05-07 07:46 . 2007-06-21 01:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-05-07 07:45 . 2008-04-13 12:36 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-05-07 07:45 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\005975_.tmp
2008-05-07 07:43 . 2008-04-13 20:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-05-04 14:11 . 2008-05-04 15:01 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-05-04 10:26 . 2008-05-29 18:36 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-04 10:26 . 2008-05-04 10:26 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-04 10:26 . 2008-05-04 10:26 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-04 10:26 . 2008-05-04 10:26 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-04 10:24 . 2008-05-04 10:24 <DIR> d-------- C:\Program Files\AVG
2008-05-04 10:24 . 2008-05-04 12:28 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-03 13:18 . 2008-05-03 13:18 <DIR> d-------- C:\Program Files\VP Eye
2008-05-03 13:17 . 2008-05-03 13:17 <DIR> d-------- C:\Program Files\Vpeye
2008-05-03 13:16 . 2008-05-03 13:16 <DIR> d-------- C:\WINDOWS\Setup2K
2008-05-03 13:16 . 2002-10-01 14:43 119,798 --a------ C:\WINDOWS\system32\drivers\spca561.sys
2008-05-03 13:16 . 2002-08-13 18:01 14,385 --a------ C:\WINDOWS\Tw561a.ini
2008-05-03 13:16 . 2002-08-13 18:01 7,431 --a------ C:\WINDOWS\Tw561a.src

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 22:33 --------- d-----w C:\Program Files\Java
2008-05-29 20:56 --------- d-----w C:\Program Files\LimeWire
2008-05-27 03:05 --------- d-----w C:\Program Files\FlashGet
2008-05-20 20:55 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-20 20:48 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-04 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-03 17:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-27 18:19 --------- d-----w C:\Program Files\DivX
2008-04-27 18:02 --------- d-----w C:\Program Files\Ligos
2008-04-27 16:43 --------- d-----w C:\Documents and Settings\Sr\Application Data\DivX
2008-04-27 16:40 --------- d-----w C:\Program Files\Intel
2008-04-21 01:56 --------- d-----w C:\Program Files\Mozilla Firefox 2
2008-04-20 23:54 47,104 -c--a-w C:\WINDOWS\system32\KMVIDC32.DLL
2008-04-20 20:21 --------- d-----w C:\Program Files\Team 17
2008-04-18 21:32 --------- d-----w C:\Program Files\DirectX 9c
2008-04-17 00:13 --------- d-----w C:\Program Files\AoA Audio Extractor
2008-04-17 00:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-16 01:13 --------- d-----w C:\Program Files\Winamp
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ------w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 22:58 --------- d-----w C:\Program Files\Alcohol Soft
2008-04-13 22:52 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-13 22:26 --------- d-----w C:\Program Files\IsoBuster
2008-04-13 20:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2008-02-01 22:59 3739672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 12:46 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"anvshell"="//~anvshell.exe" []
"LiveNote"="livenote.exe" [2002-07-11 05:31 40960 C:\WINDOWS\livenote.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-19 21:34 7110656]
"nwiz"="nwiz.exe" [2005-09-19 21:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-19 21:34 86016]
"LyraHD2TrayApp"="//~c:\program files\thomson\lyra jukebox\lyrahdtrayapp\lyrahd2trayapp.exe" [ ]
"SchedulingAgent"="mstinit.exe" [2008-04-13 20:12 12288 C:\WINDOWS\system32\mstinit.exe]
"AtiPTA"="atiptaxx.exe" [2001-09-27 02:39 245760 C:\WINDOWS\system32\atiptaxx.exe]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-04 11:59 1177368]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 20:12 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 20:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2008-01-24 09:22 2476408 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Age Of Empires II\\empires2.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Age Of Empires II\\age2_x1.exe"=
"C:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Valve\\Steam\\SteamApps\\makkkalister\\ricochet\\hl.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Valve\\Steam\\SteamApps\\makkkalister\\condition zero\\hl.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Valve\\Steam\\SteamApps\\makkkalister\\counter-strike\\hl.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Valve\\Steam\\SteamApps\\makkkalister\\day of defeat\\hl.exe"=
"C:\\Documents and Settings\\Sr\\My Documents\\Jeux\\Valve\\Steam\\SteamApps\\makkkalister\\deathmatch classic\\hl.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Team 17\\Frontend.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 ANVOSDNT;ASUS Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\anvosdnt.sys [2005-10-08 09:25]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-04 10:26]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-04 10:26]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-04 12:00]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-04 10:26]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2001-09-27 01:32]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\WINDOWS\system32\drivers\libusb0.sys [2005-03-09 21:50]
S1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2004-02-11 18:07]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 18:46:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-05-29 18:54:14
ComboFix-quarantined-files.txt 2008-05-29 22:53:07

Pre-Run: 53,745,303,552 bytes free
Post-Run: 53,750,501,376 bytes free

258 --- E O F --- 2008-05-20 20:56:35

[John B.]

Hi,

Excuse me for the delay in reply, but Friday means no free time for me at all. Today I will be able to check the logs you posted, but as Kaspersky would not load please run this scan in the meantime:

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.
• If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Also tell me some things about the AVG messages:

• What is the name of the spyware/trojans? Or the names.
• Where does it say the file is located? Or the files.
• Did you tell AVG to move it to the vault/delete it?

Greets, John.

[Shekb]

Malwarebytes' Anti-Malware 1.14
Database version: 812

6:49:59 PM 6/1/2008
mbam-log-6-1-2008 (18-49-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 116464
Time elapsed: 1 hour(s), 36 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Shekb]

Here's the AVG log, hopefully, it won't come out like a crappy wall of text

Scan "Scan whole computer" was finished.
Infections found:;"10"
Infected objects removed or healed;"10"
Not removed or healed.;"0"
Spyware found:;"2"
Spyware removed:;"2"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Sunday, May 04, 2008, 12:50:51 PM"
Total object scanned:;"767521"
Time needed:;"2 hour(s) 9 minute(s) 11 second(s) "
Errors encountered:;"0"

Infections
File;"Infection";"Result"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe:\$JK\bann.exe:\$CF\gzmrt.dll;"Trojan horse Puper.G";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe:\$JK\bann.exe;"Trojan horse Puper.G";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe:\$JK\adw.exe:\$KG;"Trojan horse NaviPromo.N";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe:\$JK\adw.exe;"Trojan horse NaviPromo.N";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe;"Trojan horse Puper.G";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe:\$JK\bann.exe:\$CF\gzmrt.dll;"Trojan horse Puper.G";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe:\$JK\bann.exe;"Trojan horse Puper.G";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe:\$JK\adw.exe:\$KG;"Trojan horse NaviPromo.N";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe:\$JK\adw.exe;"Trojan horse NaviPromo.N";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe;"Trojan horse Puper.G";"Moved to Virus Vault"

Spyware
File;"Infection";"Result"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022252.exe:\$JK\adw.exe:\$CF\WhoisCL.exe;"Potentially harmful program HackTool.DHO";"Moved to Virus Vault"
C:\System Volume Information\_restore{EFA64F0E-B634-485E-8FD8-5E6178FA34F2}\RP143\A0022253.exe:\$JK\adw.exe:\$CF\WhoisCL.exe;"Potentially harmful program HackTool.DHO";"Moved to Virus Vault"

Warnings
File;"Infection";"Result"
HKLM\SOFTWARE\Classes\CLSID\{C7310572-AC80-11D1-8DF3-00C04FB6EF4F}\InprocServer32\\;"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00110011-4B0B-44D5-9718-90C88817369B};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{01E69986-A054-4C52-ABE8-EF63DF1C5211};"Found Adware.CramToolbar";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{086AE192-23A6-48D6-96EC-715F53797E85};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66};"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11904CE8-632A-4856-A7CC-00B33FE71BD8};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{150FA160-130D-451F-B863-B655061432BA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C4DA27D-4D52-4465-A089-98E01BB725CA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C78AB3F-A857-482e-80C0-3A1E5238A565};"Found Adware.Isearch";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{20929603-21DB-477C-BA6F-0B8E70B3C8A0};"Found Adware.CramToolbar";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D38A51A-23C9-48a1-A33C-48675AA2B494};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{364B6276-C6C1-40B6-A6D7-6C48871FD707};"Found Adware.Accoona";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593};"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3D782BB3-F2A5-11D3-BF4C-000000000000};"Found Adware.ActivShopper";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E};"Found Adware.NewDotNet";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C};"Found Adware.NewDotNet";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4E7BD74F-2B8D-469E-DEFF-ED65A486AA28};"Found Adware.UpSpiralBar";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5345A7A9-805A-4923-B505-86B2FEBA3FE0};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6B035665-6C0D-4388-AD11-B28314DCA59B};"Found Adware.EZ-Tracks";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{736b5468-bdad-41be-92d0-22ae2ddf7bcb};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{74CC49F7-EB32-4A08-B204-948962A6E3DB};"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C};"Found Adware.SearchMaid";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7FD44536-9DF0-4034-939F-5BD4D98E3187};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{804DB5C7-31E6-4885-850A-F1941B58A4C7};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8333C319-0669-4893-A418-F56D9249FCA6};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88D758A3-D33B-45FD-91E3-67749B4057FA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8DFD5077-FB25-4397-8D9F-ACFB8CC7E34B};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{98A7C97A-4FFF-4F6E-A313-D21BC759DD99};"Found Adware.SearchIT";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{a19ef336-01d4-48e6-926a-fe7e1c747aed};"Found Adware.MWSearch";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9};"Found Adware.CommanderNET";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8FB8EB3-183B-4598-924D-86F0E5E37085};"Found Adware.WhyPPC";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AC3AEF75-0A6B-4AB8-82B5-2C9BA8396644};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C95FE080-8F5D-11D2-A20B-00AA003C157A};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CE7C3CF0-4B15-11D1-ABED-709549C10000};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CF021F40-3E14-23A5-CBA2-717765721306};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2B2B5A1-B48C-4886-A318-723916A01024};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EA0D26BD-9029-431A-86E0-83152D67828A};"Found Adware.180Solutions";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F43BD772-ABDD-43B7-A96A-3E9E61946EC0};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FD9BC004-8331-4457-B830-4759FF704C22};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFD2825E-0785-40C5-9A41-518F53A8261F};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Application Data\Mozilla\Firefox\Profiles\glokrcx9.default\cookies.txt:\estat.com.efda7a5a;"Found Tracking cookie.Estat";"Healed"
C:\Documents and Settings\Sr\Application Data\Mozilla\Firefox\Profiles\glokrcx9.default\cookies.txt;"Found Tracking cookie.Estat";"Healed"
C:\Documents and Settings\Sr\Cookies\sr@2o7[1].txt:\2o7.net.2ce4dba7;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[1].txt:\2o7.net.1913101d;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[1].txt:\2o7.net.484dbb69;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[1].txt;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[2].txt:\2o7.net.1913101d;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[2].txt:\2o7.net.484dbb69;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@2o7[2].txt;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@adbrite[2].txt:\adbrite.com.d5e309c2;"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@adbrite[2].txt:\adbrite.com.71beeff9;"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@adbrite[2].txt;"Found Tracking cookie.Adbrite";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@atdmt[2].txt:\atdmt.com.b3e33b5f;"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@atdmt[2].txt;"Found Tracking cookie.Atdmt";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@bs.serving-sys[1].txt:\bs.serving-sys.com.5bf1f00f;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@bs.serving-sys[1].txt;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[1].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[1].txt;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[2].txt;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[4].txt:\m.webtrends.com.b4ca7df0;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@m.webtrends[4].txt;"Found Tracking cookie.Webtrends";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@msnportal.112.2o7[1].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@msnportal.112.2o7[1].txt;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@msnportal.112.2o7[2].txt:\msnportal.112.2o7.net.7225be6f;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@msnportal.112.2o7[2].txt;"Found Tracking cookie.2o7";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@realmedia[1].txt:\realmedia.com.68087763;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@realmedia[1].txt:\realmedia.com.e14be39e;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@realmedia[1].txt:\realmedia.com.125a868c;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@realmedia[1].txt;"Found Tracking cookie.Realmedia";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[2].txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[2].txt:\revsci.net.55564293;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[2].txt:\revsci.net.2df99d79;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[2].txt;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[3].txt:\revsci.net.44927ec;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[3].txt:\revsci.net.55564293;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@revsci[3].txt;"Found Tracking cookie.Revsci";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.c9034af6;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.606c3d3b;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.4b416ef8;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.255d6f2f;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.6a1cf9e8;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt:\serving-sys.com.400f83f;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@serving-sys[2].txt;"Found Tracking cookie.Serving-sys";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[1].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[1].txt;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[3].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[3].txt;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[4].txt:\tribalfusion.com.dcc03271;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"
C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[4].txt;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"

[John B.]

Hi,

Is this the last line of the AVG log when you open it on your computer:

C:\Documents and Settings\Sr\Cookies\sr@tribalfusion[4].txt;"Found Tracking cookie.Tribalfusion";"Moved to Virus Vault"

If not, post the rest of the log from there.
If so, please tell me and I will tell you what to do next

Greets, John.

[Shekb]

This is the actual last line of my the AVG log

[John B.]

Hi,

With MalwareBytes' Anti-Malware, you did not remove the infections found, I guess, as the log says 'No Action Taken'. If you are not sure, please do another scan with it and remove the infections found. Save the log and post it.

Also rescan with AVG. I see some infections in your old System Restore points which will turn up everytime until we clean the restore points, but I also see a lot of other files and registry keys. By doing another scan and posting the log I can see if they turn up every time.

Greets, John.

[Shekb]

AVG log
It seems like some got cleaned a bit, I think

Scan "Scan whole computer" was finished.
Infections found:;"0"
Infected objects removed or healed;"0"
Not removed or healed.;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"1"
Information count:;"0"
Scan started:;"Wednesday, June 04, 2008, 5:19:36 PM"
Total object scanned:;"771393"
Time needed:;"2 hour(s) 56 minute(s) 55 second(s) "
Errors encountered:;"0"

Warnings
File;"Infection";"Result"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00110011-4B0B-44D5-9718-90C88817369B};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{086AE192-23A6-48D6-96EC-715F53797E85};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EDC6C20-A31C-11DB-8AB9-0800200C9A66};"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11904CE8-632A-4856-A7CC-00B33FE71BD8};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{150FA160-130D-451F-B863-B655061432BA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C4DA27D-4D52-4465-A089-98E01BB725CA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C78AB3F-A857-482e-80C0-3A1E5238A565};"Found Adware.Isearch";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D38A51A-23C9-48a1-A33C-48675AA2B494};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3AAC4C68-AFC8-11DB-80EF-8AF955D89593};"Found Adware.RogueSuspect";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E};"Found Adware.NewDotNet";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8333C319-0669-4893-A418-F56D9249FCA6};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88D758A3-D33B-45FD-91E3-67749B4057FA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6F42CAD-2559-48DF-AF30-89E480AF5DFA};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CE7C3CF0-4B15-11D1-ABED-709549C10000};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CF021F40-3E14-23A5-CBA2-717765721306};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2B2B5A1-B48C-4886-A318-723916A01024};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E6D5237D-A6C7-4C83-A67F-F9F15586FA62};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FD9BC004-8331-4457-B830-4759FF704C22};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880};"Found Adware.Generic";"Moved to Virus Vault"
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FFD2825E-0785-40C5-9A41-518F53A8261F};"Found Adware.TitanShieldAntispyware";"Moved to Virus Vault"
HKLM\SYSTEM\ControlSet005\Control\MediaProperties\PrivateProperties\Joystick\OEM\VID_045E&PID_0015\OEMForceFeedback\\Mapping;"Found Adware.RapidBlaster";"Potentially dangerous object"