Here are a couple logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:59 AM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Palm\hotsync.exe
C:\Program Files\Napster\napster.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232334420343
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 6201 bytes


ComboFix 09-03-22.01 - Owner 2009-03-23 21:27:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.243 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\IUpd721
c:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log
c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://bgbtorlopos.com
.

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-23 21:20 . 2009-03-23 21:26 <DIR> d-------- C:\32788R22FWJFW
2009-03-23 11:08 . 2009-03-23 11:08 <DIR> d-------- c:\program files\Trend Micro
2009-03-22 22:06 . 2009-03-22 22:06 <DIR> d-------- c:\program files\CCleaner
2009-03-22 13:41 . 2009-03-22 13:41 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb
2009-03-21 22:47 . 2009-03-21 22:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-03-21 22:19 . 2009-03-21 22:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-21 21:09 . 2009-03-21 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-21 21:08 . 2009-03-21 21:08 <DIR> d-------- c:\documents and settings\Administrator
2009-03-17 22:56 . 2009-03-17 22:56 29,184 --a------ C:\Find_the_value Worksheet.doc
2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 16:54 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 16:54 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 21:13 . 2009-03-23 21:33 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-28 21:13 . 2009-02-28 21:13 1,409 --a------ c:\windows\QTFont.for
2009-02-25 23:49 . 2009-02-25 23:49 <DIR> d-------- C:\Amber
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 02:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-22 13:26 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-22 02:19 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-22 02:19 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-03-13 12:36 --------- d-----w c:\program files\support.com
2009-03-12 13:11 --------- d-----w c:\documents and settings\Owner\Application Data\Canon
2009-02-26 01:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-12 23:19 --------- d-----w c:\program files\Free Offers from Freeze.com
2009-02-12 03:10 --------- d-----w c:\program files\MediaCoder
2009-02-12 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno
2009-02-12 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-12 02:36 --------- d-----w c:\program files\Yahoo!
2009-02-12 02:31 --------- d-----w c:\program files\Common Files\eSellerate
2009-02-12 02:27 --------- d-----w c:\documents and settings\Owner\Application Data\Memeo
2009-02-07 00:11 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-07 00:04 --------- d-----w c:\program files\Symantec
2009-02-06 23:48 --------- d-----w c:\program files\Norton Internet Security
2009-02-06 22:48 --------- d-----w c:\program files\Google
2009-02-06 13:40 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 13:40 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-02 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-31 17:48 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Search
2009-01-29 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-29 00:30 --------- d-----w c:\program files\Napster
2009-01-26 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-24 04:54 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Desktop Search
2009-01-24 04:53 --------- d-----w c:\program files\Windows Desktop Search
2009-01-24 04:51 --------- d-----w c:\program files\Windows Media Connect 2
.

------- Sigcheck -------

2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-19 08:42 45568 7fec627ab624b76529de4ab91f7ad600 c:\windows\system32\userinit.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2009-01-08 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-07-26 114688]
"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2002-05-03 32768]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-07-26 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\hotsync.exe [2008-11-01 260096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 09:40 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SymProxySvc"=2 (0x2)
"SNDSrvc"=3 (0x3)
"NISUM"=3 (0x3)
"NISSERV"=2 (0x2)
"gusvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Seekeen Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2002-12-13 8192]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-06 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S4 Seekeen Service;Seekeen Service;"c:\program files\Seekeen\seekeen.exe" "c:\program files\Seekeen\seekeen.dll" Service --> c:\program files\Seekeen\seekeen.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aa173f8-ba70-11dd-af8b-00045a7ff8f1}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-03-24 c:\windows\Tasks\PCConfidential.job
- c:\program files\Winferno\PC Confidential\PCConfidential.exe []
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
MSConfigStartUp-loaottocyessnximk - c:\windows\system32\mmkvgezxlmuitcd.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: intuit.com\www.turbotax
Trusted Zone: live.com\onecare
Trusted Zone: nick.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 21:32:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\pctspk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\searchindexer.exe
c:\program files\Intel\Intel® Active Monitor\imonNT.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-23 21:36:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 01:36:49

Pre-Run: 18,351,726,592 bytes free
Post-Run: 18,383,704,064 bytes free

189 --- E O F --- 2009-03-14 17:16:14

Thanks for looking.....