jbhook.dll/svch0st.exe

hi,
I have read a lot of guides on how to remove this very tricky trojan/worm and have still been unsuccessful in my attempts to rid my PC of it. The infected computer can no longer connect to the internet. I have tried getting HijackThis! to delete the infected files on startup, to no avail. Also, both jbhook.dll and svch0st.exe do not show up in Windows Explorer when I search for them in the listed location of windows\system32.

Avast! gives me the following message:

A TROJAN HORSE WAS FOUND!

filename: d:\windows\system32\jbhook.dll[NsPack][AsPack]

I have included a HijackThis! log below:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:51 AM, on 17/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\savedump.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
C:\programs\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\programs\DAEMON Tools\daemon.exe
C:\Programs\TASKBA~1\TaskBar.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\programs\Avast4\aswUpdSv.exe
D:\WINDOWS\ATKKBService.exe
c:\programs\Avast4\ashServ.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\programs\Avast4\ashWebSv.exe
D:\WINDOWS\System32\SVCH0ST.EXE <-----------
D:\WINDOWS\System32\SVCH0ST.EXE <-----------
C:\HijackThis.exe
C:\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [avast!] c:\programs\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM..\Run: [CloneCDTray] "C:\programs\CloneCD\CloneCDTray.exe" /s
O4 - HKLM..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\programs\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [DAEMON Tools] "C:\programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU..\Run: [Taskbar Hide] C:\Programs\TASKBA~1\TaskBar.exe -Start
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - c:\programs\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - c:\programs\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - c:\programs\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - c:\programs\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

I can’t find any traces of it in the startup log…

Please help me save my computer!

Cheers
-Tim

C:\Programs\TASKBA~1\TaskBar.exe might also be part of the problem unless you have Redline RegTweak (even then, it might not be in the normal location).

Click Start > Control Panel > Folder Options > View. Make sure Show Hidden Files and Folders is checked, and that Hide Extensions for Known File Types and Hide Protected Operating System Files are both unchecked.

Prior to that, however, it appears you had two instances of HijackThis running simultaneously. Please rename hijackthis.exe to hijackthat.exe, run it a single time, and post a new log.

You should also install XP Service Pack 2 and Adobe Reader 8, and update your Java.

EDIT: When you run HJT again, make sure it's in its own folder rather than the root (e.g. C:\hijackthis\).

Hi tjw730,

Have you tried a boot-time scan with avast!? Right-click the scanner screen, select 'Schedule a boot time scan' and reboot when requested.

Have you tried the usual free anti-Trojan scanners?

AVG Anti-spyware (requires Win2k/XP):

http://www.ewido.net/en/product/

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

Hi twj730,

From your log I see you have to update your Sun Java version as well; we are already at version 11, and don't forget to remove version 10, because that is not done automatically.

polonus

Java Runtime Environment Version 1.5.0.11
or
Java Runtime Environment Version 1.6.0-b105 (maybe ‘b’ is beta here)

Some are recommending sticking with the 1.5 branch for the time being; some issues have been reported (don't know what, though) with 1.6.

Thanks for all the help thus far. I will update all that stuff; in the meantime, here's the log again as requested. I have run boot scans and I have manually looked for the files with 'view hidden files/folders' on, and I still can't find any trace of it in the startup log.

"[Taskbar Hide] C:\Programs\TASKBA~1\TaskBar.exe -Start" is a valid program that I use, not virus related.

Logfile of HijackThis v1.99.1
Scan saved at 9:51:05 PM, on 18/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
C:\programs\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\programs\DAEMON Tools\daemon.exe
C:\Programs\TASKBA~1\TaskBar.exe
D:\Program Files\AIM95\aim.exe
c:\programs\Avast4\aswUpdSv.exe
D:\WINDOWS\ATKKBService.exe
c:\programs\Avast4\ashServ.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\programs\Avast4\ashWebSv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\msiexec.exe
C:\HijackThat.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [avast!] c:\programs\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM..\Run: [CloneCDTray] "C:\programs\CloneCD\CloneCDTray.exe" /s
O4 - HKLM..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\programs\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [DAEMON Tools] "C:\programs\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU..\Run: [Taskbar Hide] C:\Programs\TASKBA~1\TaskBar.exe -Start
O4 - HKCU..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - c:\programs\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - c:\programs\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - c:\programs\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - c:\programs\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Nothing apparent in your log apart from this O4 - HKCU..\Run: [Taskbar Hide] C:\Programs\TASKBA~1\TaskBar.exe -Start, which you installed yourself, so a deeper search is required.

Download ComboScan to your Desktop.
1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. The scan may take a minute. When the scan is complete, a text file will open: ComboScan.txt
Extra note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, your antivirus may flag ComboScan as suspicious. Please allow ComboScan to run and don't let your antivirus delete it (in this case, it may be better to temporarily disable your antivirus).

Post the ComboScan.txt from the ComboScan run into your next reply.

It is a long log, so multiple posts may be required to get it all in.

Wow, great program, thanks essexboy. OK, here's the log; I'll post everything after the HijackThis log:
-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "D:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - "regedit.exe" "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1R Aavmker4 (avast! Asynchronous Virus Monitor) - D:\WINDOWS\system32\drivers\aavmker4.sys
2R ACEDRV08 - D:\WINDOWS\system32\drivers\ACEDRV08.sys
3S ALCXSENS (Service for WDM 3D Audio Driver) - D:\WINDOWS\system32\drivers\ALCXSENS.SYS
3S ALCXWDM (Service for Realtek AC97 Audio (WDM)) - D:\WINDOWS\system32\drivers\alcxwdm.sys
3S Arp1394 (1394 ARP Client Protocol) - D:\WINDOWS\system32\drivers\arp1394.sys
2R Aspi32 - D:\WINDOWS\system32\drivers\ASPI32.SYS
1R asuskbnt (Enhanced Display Driver Helper Service) - D:\WINDOWS\system32\drivers\atkkbnt.sys
2R aswMon2 (avast! Standard Shield Support) - D:\WINDOWS\system32\drivers\aswmon2.sys
3S aswRdr - D:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - D:\WINDOWS\system32\drivers\aswTdi.sys
3S BRIDGE (MAC Bridge) - D:\WINDOWS\system32\drivers\bridge.sys
3S BridgeMP (MAC Bridge Miniport) - D:\WINDOWS\system32\drivers\bridge.sys
1R cdrbsdrv - D:\WINDOWS\system32\drivers\CDRBSDRV.SYS
3R cmpci (C-Media PCI Audio Driver (WDM)) - D:\WINDOWS\system32\drivers\cmaudio.sys
0R drvmcdb - D:\WINDOWS\system32\drivers\drvmcdb.sys
2R drvnddm - D:\WINDOWS\system32\drivers\drvnddm.sys
2R EIO - D:\WINDOWS\system32\drivers\EIO.sys
3R ElbyCDFL - D:\WINDOWS\system32\drivers\ElbyCDFL.sys
2R ElbyCDIO (ElbyCDIO Driver) - D:\WINDOWS\system32\drivers\ElbyCDIO.sys
3S Epiusb (USB Flash) - D:\WINDOWS\system32\drivers\Epiusb.sys
3R GEARAspiWDM - D:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3R HidUsb (Microsoft HID Class Driver) - D:\WINDOWS\system32\drivers\hidusb.sys
0R iteraid (ITERAID_Service_Install) - D:\WINDOWS\system32\drivers\iteraid.sys
3S k750bus (Sony Ericsson 750 driver (WDM)) - D:\WINDOWS\system32\drivers\k750bus.sys
3S k750mdfl (Sony Ericsson 750 USB WMC Modem Filter) - D:\WINDOWS\system32\drivers\k750mdfl.sys
3S k750mdm (Sony Ericsson 750 USB WMC Modem Drivers) - D:\WINDOWS\system32\drivers\k750mdm.sys
3S k750mgmt (Sony Ericsson 750 USB WMC Device Management Drivers) - D:\WINDOWS\system32\drivers\k750mgmt.sys
3S k750obex (Sony Ericsson 750 USB WMC OBEX Interface Drivers) - D:\WINDOWS\system32\drivers\k750obex.sys
2R MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - D:\WINDOWS\system32\drivers\mdc8021x.sys
3R MODEMCSA (Unimodem Streaming Filter Device) - D:\WINDOWS\system32\drivers\MODEMCSA.sys
3R mouhid (Mouse HID Driver) - D:\WINDOWS\system32\drivers\mouhid.sys
3S NIC1394 (1394 Net Driver) - D:\WINDOWS\system32\drivers\nic1394.sys
3R nv - D:\WINDOWS\system32\drivers\nv4_mini.sys
0R ohci1394 (Texas Instruments OHCI Compliant IEEE 1394 Host Controller) - D:\WINDOWS\system32\drivers\ohci1394.sys
3R pfc (Padus ASPI Shell) - D:\WINDOWS\system32\drivers\pfc.sys
3S pnicml - D:\DOCUME~1\Family\LOCALS~1\Temp\pnicml.sys (not found)
0R PxHelp20 - D:\WINDOWS\system32\drivers\PxHelp20.sys
3R ROOTMODEM (Microsoft Legacy Modem Driver) - D:\WINDOWS\system32\drivers\rootmdm.sys
3S RTL8023 (Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver) - D:\WINDOWS\system32\drivers\Rtlnic51.sys
3R rtl8139 (CNet FAST200 PCI Fast Ethernet Adapter NT Driver) - D:\WINDOWS\system32\drivers\R8139n51.sys
0R sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - D:\WINDOWS\system32\drivers\sfdrv01.sys
0R sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - D:\WINDOWS\system32\drivers\sfhlp02.sys
0R sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - D:\WINDOWS\system32\drivers\sfvfs02.sys
3R smserial - D:\WINDOWS\system32\drivers\smserial.sys
0R sptd - D:\WINDOWS\system32\drivers\sptd.sys
0R srescan - D:\WINDOWS\system32\ZoneLabs\srescan.sys
1R sscdbhk5 - D:\WINDOWS\system32\drivers\sscdbhk5.sys
1R ssrtln - D:\WINDOWS\system32\drivers\ssrtln.sys
2R tfsnboio - D:\WINDOWS\system32\dla\tfsnboio.sys
2R tfsncofs - D:\WINDOWS\system32\dla\tfsncofs.sys
2R tfsndrct - D:\WINDOWS\system32\dla\tfsndrct.sys
2R tfsndres - D:\WINDOWS\system32\dla\tfsndres.sys
2R tfsnifs - D:\WINDOWS\system32\dla\tfsnifs.sys
2R tfsnopio - D:\WINDOWS\system32\dla\tfsnopio.sys
2R tfsnpool - D:\WINDOWS\system32\dla\tfsnpool.sys
2R tfsnudf - D:\WINDOWS\system32\dla\tfsnudf.sys
2R tfsnudfa - D:\WINDOWS\system32\dla\tfsnudfa.sys
0R TPkd - D:\WINDOWS\system32\drivers\TPkd.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - D:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - D:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan (USB Scanner Driver) - D:\WINDOWS\system32\drivers\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - D:\WINDOWS\system32\drivers\USBSTOR.SYS
3S USB_RNDIS (Thomson ST Remote NDIS Device Driver) - D:\WINDOWS\system32\drivers\usb8023.sys
0R viaagp1 (VIA AGP Filter) - D:\WINDOWS\system32\drivers\VIAAGP1.SYS
0R viasraid - D:\WINDOWS\system32\drivers\viasraid.sys
1R vsdatant - D:\WINDOWS\system32\vsdatant.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

4S Adobe LM Service - "D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3S aspnet_state (ASP.NET State Service) - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2R aswUpdSv (avast! iAVS4 Control Service) - "c:\programs\Avast4\aswUpdSv.exe"
2R ATKKeyboardService (ATK Keyboard Service) - D:\WINDOWS\ATKKBService.exe
2R avast! Antivirus - "c:\programs\Avast4\ashServ.exe"
3S avast! Mail Scanner - "c:\programs\Avast4\ashMaiSv.exe" /service
3R avast! Web Scanner - "c:\programs\Avast4\ashWebSv.exe" /service
3S clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
4S CSRSS (Client/Server Runtime Server Subsystem) - D:\WINDOWS\csrss.exe
4S IDriverT (InstallDriver Table Manager) - "D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
4S iPodService - D:\Program Files\iPod\bin\iPodService.exe
2R NVSvc (NVIDIA Display Driver Service) - D:\WINDOWS\System32\nvsvc32.exe
3S SCardDrv (Smart Card Helper) - D:\WINDOWS\System32\SCardSvr.exe
2R UMWdf (Windows User Mode Driver Framework) - D:\WINDOWS\System32\wdfmgr.exe
2R uploadmgr (Upload Manager) - D:\WINDOWS\System32\svchost.exe -k netsvcs
4S usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "D:\Program Files\MSN Messenger\usnsvc.exe"
2R vsmon (TrueVector Internet Monitor) - D:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

-- Files created between 2007-02-19 and 2007-03-19 -----------------------------

2007-03-18 21:54:35 15480 -r-hs---- D:\WINDOWS\System32\jbhook.dll
2007-03-16 13:49:35 4096 --a------ D:\WINDOWS\d3dx.dat
2007-03-13 16:58:25 0 d-------- D:\Documents and Settings\Family\Application Data\Aim
2007-03-13 16:58:22 0 d-------- D:\Program Files\Viewpoint<VIEWPO~1>
2007-03-13 16:58:20 0 d-------- D:\Program Files\AIM95
2007-03-11 12:28:30 2560 -r-hs---- D:\WINDOWS\System32\jbloader.dll
2007-03-11 12:28:28 57856 ---hs---- D:\WINDOWS\System32\SVCH0ST.EXE
2007-03-11 12:28:14 11844 --a------ D:\WINDOWS\System32\bdscheca001.dll<BDSCHE~1.DLL>
2007-03-10 11:02:28 0 d-------- D:\Temp
2007-03-08 16:18:41 62744 --a------ D:\WINDOWS\System32\xinput1_2.dll<XINPUT~3.DLL>
2007-03-08 16:18:41 236824 --a------ D:\WINDOWS\System32\xactengine2_3.dll<XACTEN~4.DLL>
2007-03-08 16:12:52 0 d-------- D:\Program Files\LucasArts<LUCASA~1>
2007-03-08 16:08:51 98304 --a------ D:\WINDOWS\System32\CmdLineExt.dll<CMDLIN~2.DLL>
2007-03-05 13:41:17 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage<WINDOW~1>
2007-02-24 12:59:46 0 d-------- D:\Program Files\filesubmit<FILESU~1>
2007-02-24 12:46:37 115880 -----n--- D:\WINDOWS\System32\pxinsi64.exe
2007-02-24 12:46:37 129784 -----n--- D:\WINDOWS\System32\pxafs.dll
2007-02-24 12:46:37 2560 -----n--- D:\WINDOWS\System32\drivers\cdralw2k.sys
2007-02-24 12:46:37 2432 -----n--- D:\WINDOWS\System32\drivers\cdr4_xp.sys
2007-02-23 19:10:48 0 d-------- D:\WINDOWS\LogFiles
2007-02-22 12:10:25 129024 -r-hs---- D:\WINDOWS\csrss.exe
2007-02-22 12:09:50 0 --a------ D:\WINDOWS\evwaa.exe
2007-02-21 15:13:54 65536 --a------ D:\WINDOWS\System32\BitSys.dll
2007-02-21 12:11:04 0 d-------- D:\Documents and Settings\All Users\Application Data\InstallShield<INSTAL~1>

-- Find3M Report ---------------------------------------------------------------

2007-03-18 21:55:49 0 d--h----- D:\Program Files\Java
2007-03-16 20:00:30 0 d-------- D:\Documents and Settings\Family\Application Data\Azureus
2007-03-14 19:45:56 0 d-------- D:\Program Files\Google
2007-03-08 18:09:02 0 d--h----- D:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-21 15:13:57 73216 --a------ D:\WINDOWS\ST6UNST.EXE
2007-02-21 12:25:14 0 d-------- D:\Program Files\Midi sMs<MIDISM~1>
2007-02-19 23:46:49 0 d-------- D:\Program Files\Media Player Classic<MEDIAP~1>
2007-02-18 23:29:02 0 d-------- D:\Program Files\3Planesoft Screensaver Manager<3PLANE~1>
2007-02-18 23:28:15 0 d-------- D:\Program Files\UselessCreations<USELES~1>
2007-02-17 08:57:00 356352 --a------ D:\WINDOWS\FreshwaterTank3DUninstaller.exe<FRESHW~1.EXE>
2007-02-17 08:56:59 10432512 --a------ D:\WINDOWS\FreshwaterTank3D.scr<FRESHW~1.SCR>
2007-02-17 00:21:07 0 d-------- D:\Program Files\Datahjaelp<DATAHJ~1>
2007-02-17 00:04:45 0 --a------ D:\WINDOWS\System32\mswinup.exe
2007-02-16 23:49:00 1175700 --a------ D:\WINDOWS\System32\RainySs.scr
2007-02-16 11:18:18 0 d-------- D:\Program Files\SMS-it
2007-02-16 11:11:05 278528 -----n--- D:\WINDOWS\Setup1.exe
2007-02-16 09:02:44 0 d-------- D:\Documents and Settings\Family\Application Data\Smith Micro<SMITHM~1>
2007-02-15 10:45:10 0 d-------- D:\Documents and Settings\Family\Application Data\Skype
2007-02-14 10:54:24 0 d-------- D:\Program Files\VideoLAN
2007-02-13 08:03:17 0 d-------- D:\Documents and Settings\Family\Application Data\MySpace
2007-02-13 08:03:15 0 d-------- D:\Program Files\MySpace
2007-02-12 21:10:36 0 d-------- D:\Program Files\MSN Messenger<MSNMES~1>
2007-02-11 10:08:10 51712 --a------ D:\WINDOWS\wc98pp.dll
2007-02-10 16:37:29 880 --a------ D:\Documents and Settings\Family\Application Data\AutoGK.ini
2007-02-10 16:00:13 43602 --a------ D:\WINDOWS\System32\xvid-uninstall.exe<XVID-U~1.EXE>
2007-02-03 12:30:36 0 d-------- D:\Documents and Settings\Family\Application Data\AdobeUM
2007-01-30 21:38:47 51733 --a------ D:\WINDOWS\System32\plugin1.dat
2007-01-29 23:25:20 0 d--h----- D:\Program Files\Messenger<MESSEN~1>
2007-01-23 21:51:59 0 d-------- D:\Program Files\Trymedia
2007-01-19 12:53:04 51056 --a------ D:\WINDOWS\System32\sirenacm.dll
2007-01-16 04:32:07 689280 --a------ D:\WINDOWS\System32\aswBoot.exe
2007-01-16 04:23:20 90112 --a------ D:\WINDOWS\System32\AVASTSS.scr
2007-01-13 16:48:16 2106368 --a------ D:\WINDOWS\System32\radarss.scr
2006-12-27 14:16:27 360448 --a------ D:\Program Files\Uninstall My Web Search.dll<UNINST~1.DLL>
2006-12-19 20:27:50 871706 --a------ D:\WINDOWS\Bier Tycoon Uninstaller.exe<BIERTY~1.EXE>

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Taskbar Hide"="C:\Programs\TASKBA~1\TaskBar.exe -Start"
"AIM"="D:\Program Files\AIM95\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"SMSERIAL"="sm56hlpr.exe"
"avast!"="c:\programs\Avast4\ashDisp.exe"
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"=""D:\Program Files\Java\jre1.6.0\bin\jusched.exe""
"CloneCDTray"=""C:\programs\CloneCD\CloneCDTray.exe" /s"
"Zone Labs Client"=""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
"QuickTime Task"=""C:\programs\QuickTime\qttask.exe" -atboottime"
"DAEMON Tools"=""C:\programs\DAEMON Tools\daemon.exe" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
"path"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe"
"backup"="D:\WINDOWS\pss\palstart.exeCommon Startup"
"location"="Common Startup"
"command"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe"
"item"="palstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
"path"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk"
"backup"="D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\PROGRA~1\VIA\RAID\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CTFMON"
"hkey"="HKCU"
"command"="D:\WINDOWS\System32\CTFMON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="D:\WINDOWS\system32\dla\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="EbatesMoeMoneyMaker""
"hkey"="HKLM"
"command"="wjview /cp:p "D:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "D:\Program Files\EbatesMoeMoneyMaker""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"=""C:\programs\iTunes\iTunesHelper.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\system32\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="keyboard2"
"hkey"="HKLM"
"command"="c:\\keyboard2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Application Viewer]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msappview32"
"hkey"="HKLM"
"command"="msappview32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="FirstStart"
"hkey"="HKLM"
"command"="C:\programs\OLYMPUS Master\FirstStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PowerBar"
"hkey"="HKCU"
"command"=""\PowerBar.exe" /AtBootTime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\programs\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="seekmo"
"hkey"="HKLM"
"command"=""d:\program files\seekmo\seekmo.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"=""D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="MirarSetup"
"hkey"="HKLM"
"command"="D:\DOCUME~1\Family\LOCALS~1\Temp\MirarSetup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\was_check]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 Kernel Update]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="win32update"
"hkey"="HKLM"
"command"="D:\WINDOWS\System32\win32update.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="windows"
"hkey"="HKCU"
"command"="D:\WINDOWS\System32\windows.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN2 Services]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="xnmw"
"hkey"="HKLM"
"command"="xnmw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msblast"
"hkey"="HKLM"
"command"="msblast.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"=""D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=dword:00000003
"Win32Kernel"=dword:00000002
"Adobe LM Service"=dword:00000003
"iPodService"=dword:00000003
"CSRSS"=dword:00000002
"usnjsvc"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{9C0CFA58-3A6F-51ba-9EFE-5320F4F621BA}"=""
"{55667788-ABCD-1234-5678-00C04FD8DBD8}"=""

[HKEY_USERS.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE"
"msnmsgr"=""D:\Program Files\MSN Messenger\msnmsgr.exe" /background"
"MySpaceIM"="D:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\WINDOWS\System32\CTFMON.EXE"
"msnmsgr"=""D:\Program Files\MSN Messenger\msnmsgr.exe" /background"
"MySpaceIM"="D:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=dword:00000000
"NoLogoff"=dword:00000000
@="0"
"NoActiveDesktop"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{90E0A538-07DA-1033-0803-04041905003d}"=""D:\Program Files\Common Files\{90E0A538-07DA-1033-0803-04041905003d}\Update.exe" te-110-12-0000180"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///D:/DOCUME~1/Family/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of ComboScan: finished at 2007-03-19 at 11:22:11 ------------------------

That's all of it… Hope it helps you help me!

I got the internet back up and going, but still haven't managed to rid my PC of the pesky bug…

Did you follow Frank's advice?

Also, if a virus is replicating (coming back again and again), you should:

  1. Enable/disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k.

  2. Clean your temporary files. You can use the Windows Advanced Care features for that.

  3. Schedule a boot-time scan with avast: start avast! > right-click the skin > Schedule a boot-time scanning. Select scanning of archives. Reboot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

OK, you have had a password stealer, so if you do online banking get your passwords changed (from a clean machine) and inform your bank.

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\WINDOWS\System32\jbhook.dll
D:\WINDOWS\System32\jbloader.dll
D:\WINDOWS\System32\bdscheca001.dll
D:\WINDOWS\csrss.exe
D:\WINDOWS\evwaa.exe
D:\WINDOWS\System32\mswinup.exe
D:\WINDOWS\Setup1.exe
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
D:\DOCUME~1\Family\LOCALS~1\Temp\MirarSetup.exe
d:\program files\seekmo\seekmo.exe
D:\WINDOWS\System32\win32update.exe
D:\WINDOWS\System32\windows.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Download ComboFix from Here or Here to your Desktop.

  1. Double-click combofix.exe and follow the prompts.
  2. When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
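The OTMoveIt file list above was read off the ComboScan startupreg dump by hand. As an added example (not the forum's, OTMoveIt's or ComboFix's own code), here is a Python script that parses that dump format and flags the entries an analyst would want to locate and verify before clearing them; the sample dump, the SYSTEM_NAMES set and the THREAD_NAMES set are assumptions constructed from this thread.

```python
"""Triage the msconfig\\startupreg blocks that ComboScan/ComboFix dump.

Added example, not code from this thread or from either tool. An entry is
flagged for verification when its command is empty, is a bare file name with
no directory (resolved through PATH at logon), runs from a Temp folder,
mimics a Windows binary name (svch0st vs svchost) or is a file name already
called out in this thread.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of entries taken from the dump above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"item"="jusched"
"hkey"="HKLM"
"command"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
"item"="MirarSetup"
"hkey"="HKLM"
"command"="D:\DOCUME~1\Family\LOCALS~1\Temp\MirarSetup.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 Kernel Update]
"item"="win32update"
"hkey"="HKLM"
"command"="D:\WINDOWS\System32\win32update.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"item"="msblast"
"hkey"="HKLM"
"command"="msblast.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"=""D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet"
"""

HEADER = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\msconfig\\startupreg\\(.+)\]$", re.I)
VALUE = re.compile(r'^"(\w+)"="(.*)"$')

# Real Windows binaries whose names malware imitates (digit 0 for letter o).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe"}
# Assumed list: file names the helpers in this thread had moved or the AV flagged.
THREAD_NAMES = {"svch0st.exe", "windows.exe", "win32update.exe", "msblast.exe"}


@dataclass
class Finding:
    entry: str
    command: str
    reasons: list


def parse_startupreg(text):
    """Return {entry name: {value name: value}} for every startupreg block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):      # key header; non-startupreg keys are skipped
            m = HEADER.match(line)
            current = entries.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def executable(command):
    """Pull the launched program out of a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):           # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))(?:\s|,|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(text):
    """Flag startupreg entries that need to be located and verified."""
    findings = []
    for name, values in parse_startupreg(text).items():
        cmd = values.get("command", "")
        reasons = []
        if not cmd.strip():
            reasons.append("empty command (dead entry)")
        else:
            exe = executable(cmd)
            base = re.split(r"[\\/]", exe)[-1].lower()
            if "\\" not in exe and "/" not in exe:
                reasons.append("bare file name, resolved through PATH")
            if "\\temp\\" in exe.lower():
                reasons.append("launched from a Temp directory")
            if base not in SYSTEM_NAMES and base.replace("0", "o") in SYSTEM_NAMES:
                reasons.append("name mimics a Windows system binary")
            if base in THREAD_NAMES:
                reasons.append("file name already identified in this thread")
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings
```

Run `triage(open("combofix.txt").read())` against a saved log to get the same three flagged entries the helper picked out above; anything flagged still has to be located on disk and checked before it is moved.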

Thanks for all the help so far, I really appreciate it…
Here's the report:

“Family” - 07-03-20 22:14:16 Service Pack 1
ComboFix 07-03-20.2 - Running from: “D:\Documents and Settings\Family\Desktop”

/wow section not completed - STAGE #4 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\Program Files\Common Files\vcclient\ClientUpdater.bat
D:\Program Files\Common Files\vcclient\temp.txt
D:\Program Files\Common Files\vcclient\VCClient.exe.config
D:\Program Files\Common Files\vcclient\VCUPDATE.EXE
D:\Program Files\Common Files\vcclient\VCUpdate.exe.config
D:\Program Files\Common Files\vcclient\Version.txt
D:\WINDOWS\system32\svch0st.exe
D:\Program Files\Common Files\{90E0A~1
D:\Program Files\Common Files\vcclient

((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))

2007-03-20 20:55 7,168 --a------ D:\WINDOWS\ktfsec32.exe
2007-03-19 16:47 d-------- D:\DOCUME~1\Family\APPLIC~1\Snapfish
2007-03-16 13:49 4,096 --a------ D:\WINDOWS\d3dx.dat
2007-03-13 16:58 d-------- D:\Program Files\Viewpoint
2007-03-13 16:58 d-------- D:\Program Files\AIM95
2007-03-13 16:58 d-------- D:\DOCUME~1\Family\APPLIC~1\Aim
2007-03-10 11:02 d-------- D:\Temp
2007-03-08 16:18 62,744 --a------ D:\WINDOWS\system32\xinput1_2.dll
2007-03-08 16:18 236,824 --a------ D:\WINDOWS\system32\xactengine2_3.dll
2007-03-08 16:12 d-------- D:\Program Files\LucasArts
2007-03-08 16:08 98,304 --a------ D:\WINDOWS\system32\CmdLineExt.dll
2007-03-05 13:41 d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-02-24 12:59 d-------- D:\Program Files\filesubmit
2007-02-24 12:46 2,560 --------- D:\WINDOWS\system32\drivers\cdralw2k.sys
2007-02-24 12:46 2,432 --------- D:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-02-24 12:46 129,784 --------- D:\WINDOWS\system32\pxafs.dll
2007-02-24 12:46 115,880 --------- D:\WINDOWS\system32\pxinsi64.exe
2007-02-23 19:10 d-------- D:\WINDOWS\LogFiles
2007-02-21 15:13 65,536 --a------ D:\WINDOWS\system32\BitSys.dll
2007-02-21 12:11 d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-20 20:55 7168 --a------ D:\WINDOWS\ktfsec32.exe
2007-03-19 17:08 -------- d-------- D:\DOCUME~1\Family\APPLIC~1\azureus
2007-03-19 16:48 -------- d-------- D:\DOCUME~1\Family\APPLIC~1\snapfish
2007-03-18 21:55 -------- d--h----- D:\Program Files\java
2007-03-16 13:49 4096 --a------ D:\WINDOWS\d3dx.dat
2007-03-14 19:45 -------- d-------- D:\Program Files\google
2007-03-13 16:58 -------- d-------- D:\Program Files\viewpoint
2007-03-08 18:09 -------- d--h----- D:\Program Files\installshield installation information
2007-03-08 16:12 -------- d-------- D:\Program Files\lucasarts
2007-03-08 16:08 98304 --a------ D:\WINDOWS\system32\cmdlineext.dll
2007-02-24 13:09 -------- d-------- D:\Program Files\filesubmit
2007-02-21 15:13 73216 --a------ D:\WINDOWS\st6unst.exe
2007-02-21 12:25 -------- d-------- D:\Program Files\midi sms
2007-02-19 23:46 -------- d-------- D:\Program Files\media player classic
2007-02-18 23:28 -------- d-------- D:\Program Files\uselesscreations
2007-02-17 08:57 356352 --a------ D:\WINDOWS\freshwatertank3duninstaller.exe
2007-02-17 08:56 10432512 --a------ D:\WINDOWS\freshwatertank3d.scr
2007-02-17 00:21 -------- d-------- D:\Program Files\datahjaelp
2007-02-16 23:49 1175700 --a------ D:\WINDOWS\system32\rainyss.scr
2007-02-16 11:18 -------- d-------- D:\Program Files\sms-it
2007-02-16 09:02 -------- d-------- D:\DOCUME~1\Family\APPLIC~1\smith micro
2007-02-15 10:45 -------- d-------- D:\DOCUME~1\Family\APPLIC~1\skype
2007-02-14 10:54 -------- d-------- D:\Program Files\videolan
2007-02-13 08:03 -------- d-------- D:\Program Files\myspace
2007-02-13 08:03 -------- d-------- D:\DOCUME~1\Family\APPLIC~1\myspace
2007-02-12 21:10 -------- d-------- D:\Program Files\msn messenger
2007-02-11 10:08 51712 --a------ D:\WINDOWS\wc98pp.dll
2007-02-10 16:37 880 --a------ D:\DOCUME~1\Family\APPLIC~1\autogk.ini
2007-02-10 16:00 43602 --a------ D:\WINDOWS\system32\xvid-uninstall.exe
2007-02-04 11:24 108768 --a------ D:\WINDOWS\system32\drivers\ACEDRV08.sys
2007-01-30 21:38 51733 --a------ D:\WINDOWS\system32\plugin1.dat
2007-01-29 23:25 -------- d--h----- D:\Program Files\messenger
2007-01-24 08:16 15781 --a------ D:\WINDOWS\system32\drivers\mdc8021x.sys
2007-01-23 21:51 -------- d-------- D:\Program Files\trymedia
2007-01-19 12:53 51056 --a------ D:\WINDOWS\system32\sirenacm.dll
2007-01-16 04:32 689280 --a------ D:\WINDOWS\system32\aswboot.exe
2007-01-16 04:23 90112 --a------ D:\WINDOWS\system32\avastss.scr
2007-01-13 16:48 2106368 --a------ D:\WINDOWS\system32\radarss.scr

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Taskbar Hide"="C:\Programs\TASKBA~1\TaskBar.exe -Start"
"AIM"="D:\Program Files\AIM95\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"SMSERIAL"="sm56hlpr.exe"
"avast!"="c:\programs\Avast4\ashDisp.exe"
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"=""D:\Program Files\Java\jre1.6.0\bin\jusched.exe""
"CloneCDTray"=""C:\programs\CloneCD\CloneCDTray.exe" /s"
"Zone Labs Client"=""D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe""
"QuickTime Task"=""C:\programs\QuickTime\qttask.exe" -atboottime"
"DAEMON Tools"=""C:\programs\DAEMON Tools\daemon.exe" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
"path"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe"
"backup"="D:\WINDOWS\pss\palstart.exeCommon Startup"
"location"="Common Startup"
"command"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe"
"item"="palstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
"path"="D:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk"
"backup"="D:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\PROGRA~1\VIA\RAID\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="CTFMON"
"hkey"="HKCU"
"command"="D:\WINDOWS\System32\CTFMON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="D:\WINDOWS\system32\dla\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="EbatesMoeMoneyMaker""
"hkey"="HKLM"
"command"="wjview /cp:p "D:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "D:\Program Files\EbatesMoeMoneyMaker""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"=""C:\programs\iTunes\iTunesHelper.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\system32\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="keyboard2"
"hkey"="HKLM"
"command"="c:\\keyboard2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Application Viewer]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msappview32"
"hkey"="HKLM"
"command"="msappview32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="FirstStart"
"hkey"="HKLM"
"command"="C:\programs\OLYMPUS Master\FirstStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="PowerBar"
"hkey"="HKCU"
"command"=""\PowerBar.exe" /AtBootTime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="qttask"
"hkey"="HKLM"
"command"=""C:\programs\QuickTime\qttask.exe" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\seekmo]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="seekmo"
"hkey"="HKLM"
"command"=""d:\program files\seekmo\seekmo.exe""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"=""D:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolbarInstall]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="MirarSetup"
"hkey"="HKLM"
"command"="D:\DOCUME~1\Family\LOCALS~1\Temp\MirarSetup.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\was_check]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win32 Kernel Update]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="win32update"
"hkey"="HKLM"
"command"="D:\WINDOWS\System32\win32update.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="windows"
"hkey"="HKCU"
"command"="D:\WINDOWS\System32\windows.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN2 Services]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="xnmw"
"hkey"="HKLM"
"command"="xnmw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows auto update]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="msblast"
"hkey"="HKLM"
"command"="msblast.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="YAHOOM~1"
"hkey"="HKCU"
"command"=""D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=dword:00000003
"Win32Kernel"=dword:00000002
"Adobe LM Service"=dword:00000003
"iPodService"=dword:00000003
"CSRSS"=dword:00000002
"usnjsvc"=dword:00000003

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"=""D:\Program Files\MSN Messenger\msnmsgr.exe" /background"
"MySpaceIM"="D:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=dword:00000000
"DisableLockWorkstation"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=dword:00000000
"NoLogoff"=dword:00000000
@="0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///D:/DOCUME~1/Family/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070317-105110-969
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070317-103354-924
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM95\aim.exe -cnetwait.odl


catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes …

scanning hidden services …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Completion time: 07-03-20 22:18:46

OK, looking better, but a few more things to do. Firstly, re-run OTMoveIt with the same procedure; these are the files to copy and paste:

D:\WINDOWS\ktfsec32.exe
D:\Temp
D:\WINDOWS\system32\plugin1.dat

Next

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose:
Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then

I see no sign of an anti-spyware product, so:

Download and then run SuperAntispyware

  1. On the first page select Check for Updates.
  2. On completion select SCAN YOUR COMPUTER.
  3. On the next page select COMPLETE SCAN and tick ALL your drives.
  4. The next stage will take a while as your entire drive(s), memory and registry are scanned.
  5. When it has completed click NEXT.
  6. The next screen shows the problems found; click OK.
  7. On the next screen place a tick against all items and select NEXT.
  8. Now to get the log, go to the PREFERENCES button on the bottom right.
  9. Select the STATISTICS/LOG tab.
  10. Highlight the scan just completed and click VIEW LOG.
  11. This will open a Notepad text file; copy and paste this into your next reply.

Plus a new HJT log 8)

You may lose your Ebates toolbar with SAS, but if you wish you can re-install it.

That's alright, I'm not even supposed to have an "ebates toolbar"; I think I got that involuntarily ages ago, so I hope it will delete it. Thanks again, will post the log very soon.

SUPERAntiSpyware Scan Log
Generated 03/21/2007 at 12:25 PM

Application Version : 3.6.1000

Core Rules Database Version : 3203
Trace Rules Database Version: 1213

Scan type : Complete Scan
Total Scan Time : 04:32:22

Memory items scanned : 381
Memory threats detected : 0
Registry items scanned : 6117
Registry threats detected : 147
File items scanned : 115722
File threats detected : 150

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32
D:\WINDOWS\SYSTEM32\VBSYS2.DLL

Adware.IST/YourSiteBar
HKLM\Software\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\InprocServer32#ThreadingModel
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\ProgID
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\Programmable
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\TypeLib
HKCR\CLSID\{86227D9C-0EFE-4F8A-AA55-30386A3F5686}\VersionIndependentProgID
D:\PROGRAM FILES\YOURSITEBAR\YSB.DLL
HKCR\Ysb.YsbObj
HKCR\Ysb.YsbObj\CLSID
HKCR\Ysb.YsbObj\CurVer
HKCR\Ysb.YsbObj.1
HKCR\Ysb.YsbObj.1\CLSID
HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}
HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\ProxyStubClsid
HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\ProxyStubClsid32
HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\TypeLib
HKCR\Interface\{03B800F9-2536-4441-8CDA-2A3E6D15B4F8}\TypeLib#Version
HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}
HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\ProxyStubClsid
HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\ProxyStubClsid32
HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\TypeLib
HKCR\Interface\{DFBCC1EB-B149-487E-80C1-CC1562021542}\TypeLib#Version
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\0
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\0\win32
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\FLAGS
HKCR\TypeLib\{4EE12B71-AA5E-45EC-8666-2DB3AD3FDF44}\1.0\HELPDIR
HKLM\Software\YourSiteBar
HKLM\Software\YourSiteBar#installTitle
HKLM\Software\YourSiteBar#barTitle
HKLM\Software\YourSiteBar#serverpath
HKLM\Software\YourSiteBar#urlAfterInstall
HKLM\Software\YourSiteBar#gUpdate
HKLM\Software\YourSiteBar#TBRowMode
HKLM\Software\YourSiteBar#yoursitebar.xml
HKLM\Software\YourSiteBar#imagemap_normal.bmp
HKLM\Software\YourSiteBar#imagemap_over.bmp
HKLM\Software\YourSiteBar#showcorrupted
HKLM\Software\YourSiteBar#updatever
HKLM\Software\YourSiteBar#refreshscope
HKLM\Software\YourSiteBar#allowupdate
HKLM\Software\YourSiteBar#LastCheckTime
HKLM\Software\YourSiteBar#version.txt
HKLM\Software\YourSiteBar#UpdateBegin
HKCR\YSBactivex.Installer
HKCR\YSBactivex.Installer\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#D:\WINDOWS\Downloaded Program Files\ysbactivex.dll [  ]

Adware.Mirar/NetNucleus
HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\InprocServer32#ThreadingModel
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Version
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#BuildName
HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\TypeLib
D:\WINDOWS\SYSTEM32\WINNB63.DLL
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid32
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib
HKCR\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib#Version
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
HKCR\NN_Bar_Dummy.NN_BarDummy
HKCR\NN_Bar_Dummy.NN_BarDummy\CLSID
HKCR\NN_Bar_Dummy.NN_BarDummy\CurVer
HKCR\NN_Bar_Dummy.NN_BarDummy.1
HKCR\NN_Bar_Dummy.NN_BarDummy.1\CLSID
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\0
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\0\win32
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\FLAGS
HKCR\TypeLib\{F8310E7D-4C4D-46A4-A068-B5BB99411CC7}\1.0\HELPDIR

Adware.UCMore/The Search Accelerator
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar#{44BE0690-5429-47f0-85BB-3FFD8020233E}
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar#{44BE0690-5429-47f0-85BB-3FFD8020233E}
HKU\.DEFAULT\Software\Effective-i
HKU\S-1-5-18\Software\Effective-i
HKU\.DEFAULT\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E}
HKU\S-1-5-18\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E}

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com\awbeta#https

Adware.IST/ISTBar (Slotch Bar)
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\0
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\0\win32
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\FLAGS
HKCR\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}\1.1\HELPDIR
HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\ProxyStubClsid
HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\ProxyStubClsid32
HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\TypeLib
HKCR\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

Adware.180solutions/ZangoSearch
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\0
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\0\win32
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\FLAGS
HKCR\TypeLib\{8BE3FABA-7468-4851-B97C-0750AF2B908E}\1.0\HELPDIR

Trojan.Error Safe Free
HKLM\Software\Error Safe Free
HKLM\Software\Error Safe Free#EulUERS_9999_N91S2507

Adware.180solutions/Seekmo
HKCR\seekmohook.SABHO
HKCR\seekmohook.SABHO\CLSID
HKCR\seekmohook.SABHO\CurVer
HKCR\seekmohook.SABHO.1
HKCR\seekmohook.SABHO.1\CLSID
Adware.Tracking Cookie