
spyware/malware

something wrong with computer...whenever I try to access a variety of internet sites (including the link to register), the computer crashes ("microsoft explorer has encountered an error and needs to close"). I know something is wrong "inside" the computer but need help. Here is my hijack this log....please help. many thanks!

Logfile of HijackThis v1.98.2
Scan saved at 9:20:50 PM, on 10/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\WINDOWS\system32\patlv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\gpuaysvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\Mqrl425.exe
C:\WINDOWS\system32\AibK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\InetCntrl\Maint\ControlCenter.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\DOCUME~1\WILLIAM\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fairbanks Family\Local Settings\Temp\wSXI.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: C:\documents and settings\william\local settings\temp\S.exe
O4 - HKLM\..\Run: [33L8Q9H5D@EEWE] C:\WINDOWS\system32\OzzG.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [5F6S3tQ] patlv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Kop2RjcEV] gpuaysvr.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18a4ef893fc79f345623/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/en/GAudit.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

ps: two other quirky things that may (or may not) provide a hint to the problem:

1. Even though my internet options are set to keep 20 days of history, the browser is not keeping any history?!

2. When I open word documents from word, they open fine, but whenever I open them from windows explorer, they open VERY slowly

I realize these may be random but they are troubling.

I'm running a new 3.2ghz 512ram custom made computer....again many thanks!!!!

Comments

  • SpywareShooter 127.0.0.1
    edited October 2004
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fairbanks Family\Local Settings\Temp\wSXI.dll
    O4 - HKLM\..\Run: C:\documents and settings\william\local settings\temp\S.exe
    O4 - HKLM\..\Run: [33L8Q9H5D@EEWE] C:\WINDOWS\system32\OzzG.exe
    O4 - HKLM\..\Run: [5F6S3tQ] patlv.exe
    O4 - HKCU\..\Run: [Kop2RjcEV] gpuaysvr.exe


    Fix those entries with HijackThis, then find and delete the following files:

    C:\Documents and Settings\Fairbanks Family\Local Settings\Temp\wSXI.dll
    C:\documents and settings\william\local settings\temp\S.exe
    C:\WINDOWS\system32\OzzG.exe
    patlv.exe
    gpuaysvr.exe



    Then reboot and post a new log.
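The five entries picked out in the reply above share three traits: an autostart target inside a Temp folder, a target given with no path at all, or a Run value name that looks machine-generated. The script below is an added example, not part of the original thread and not HijackThis's own logic; the three rules and all function names are assumptions made for illustration, and a hit is a lead for manual review.

```python
import re

# Entries copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fairbanks Family\Local Settings\Temp\wSXI.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: C:\documents and settings\william\local settings\temp\S.exe
O4 - HKLM\..\Run: [33L8Q9H5D@EEWE] C:\WINDOWS\system32\OzzG.exe
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [5F6S3tQ] patlv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Kop2RjcEV] gpuaysvr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Line shapes for the autostart sections (O2 = browser helper objects, O4 = startup).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
RUN_RE = re.compile(
    r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
STARTUP_RE = re.compile(
    r"^O4 - (?:Global Startup|Startup): (?P<name>.+?) = (?P<target>.+)$")

# Assumed triage rules (illustrative, not exhaustive).
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)   # ...\Temp\... or ...\tmp\...
ODD_NAME_RE = re.compile(r"[^A-Za-z _-]")               # digits or symbols in a Run name


def parse_entry(line):
    """Return {'kind', 'name', 'target'} for an O2/O4 line, or None for anything else."""
    line = line.strip()
    for kind, pattern in (("bho", BHO_RE), ("run", RUN_RE), ("startup", STARTUP_RE)):
        match = pattern.match(line)
        if match:
            return {"kind": kind,
                    "name": match.group("name"),
                    "target": match.group("target")}
    return None


def reasons_for(entry):
    """Apply the three assumed rules to one parsed entry."""
    reasons = []
    target = entry["target"]
    if TEMP_DIR_RE.search(target):
        reasons.append("target in a Temp directory")
    if "\\" not in target:
        reasons.append("target has no path")
    if entry["kind"] == "run" and entry["name"] and ODD_NAME_RE.search(entry["name"]):
        reasons.append("value name contains digits or symbols")
    return reasons


def triage(log_text):
    """Return the autostart entries that trip at least one rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['target']}: {'; '.join(finding['reasons'])}")
```

On this sample the script reports the same five targets that the reply lists and leaves the vendor entries alone.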
  • edited October 2004
    Thank you very much for your initial advice. I did run HiJackThis and found and fixed the 5 files you noted. However, I could not locate ANY of the 5 files you said to delete and I looked closely (but I could have missed something!). I will post my new HijackThis log below as you requested (since I have now rebooted), but, I wanted to first provide you with some info on problems I'm encountering that might provide a hint to you of the source of the problem:

    1. I ran my antivirus program (SOPHOS) with the following results:
    Files disinfected:
    C\windows\system32\mqrl425.exe, LgnK8v3.exe, Aibk.exe, szepW5ln.exe, Qrnl.exe, PcwbliJQ.exe and
    C\Documents and Settings\WILLIAM\Local Settings\Temp\instnotify.exe,
    C\Documents and Settings\KEWEII\Local Settings\Temporary Internet Files\content.IE5\OIASLIVO\CA2RABUD.htm
    C\Documents and Settings\KEWEII\Local Settings\Temp\mw_4s_stub.exe
    C\Documents and Settings\KEWEII\Local Settings\Temp\instnotify.exe

    DISINFECTION FAILED
    C\windows\system 32\Jgpkzd.exe
    C\windows\system 32\FMx274.exe

    2. When I opened the Short Media Forum, User Control Panel and clicked on the "1" under "Replies", the computer crashed (internet explorer has to close); same crash occurred when I clicked on the hyperlink "Malware Removal Procedure" in your article on Malware.

    3. When I went into my webmail account (http:\\webmail.championbroadband.com) and typed in my user name and password and clicked "log in", what I wrote self erased; when I typed in the user name and password again and clicked "log in", what I just typed self erased again. Champion Broadband said they have never heard of anything like this occurring. When I went to my wireless laptop and typed in the same info on the same site, I was able to access my email - there was no self erasure

    4. From nowhere I am receiving messages....like www.yellow-stickey.com wants to access your computer...and many others, unsolicited, from seemingly nowhere.

    OK, now here is my hijack this log, THANK YOU AGAIN VERY VERY MUCH FOR YOUR HELP!!!

    Logfile of HijackThis v1.98.2
    Scan saved at 9:30:50 PM, on 10/5/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Qrn1.exe
    C:\WINDOWS\system32\Jgpkzd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\WILLIAM\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
    O4 - HKLM\..\Run: [33L8Q9H5D@EEWE] C:\WINDOWS\system32\OzzG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'inetcntrl.dll' missing
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18a4ef893fc79f345623/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/en/GAudit.CAB
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab





    IF IT HELPS, HERE ALSO IS MY SPYBOT LOG:
    Search result list ---
    Common Dialogs: History (4 files) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    Log: Activity: SchedLgU.Txt (Backup file, nothing done)
    C:\WINDOWS\SchedLgU.Txt

    Log: Activity: Sti_Trace.log (Backup file, nothing done)
    C:\WINDOWS\Sti_Trace.log

    Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wbemess.log

    Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
    C:\WINDOWS\System32\wbem\logs\wmiprov.log

    Cubasis InWired: Folder history (2 files) (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Directories

    Cubasis InWired: Recent file #1 (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\1!=

    Cubasis InWired: Recent file #2 (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\2!=

    Cubasis InWired: Recent file #3 (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\3!=

    Cubasis InWired: Recent file #4 (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\4!=

    Cubasis InWired: Recent file #5 (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\5!=

    Cubasis InWired: Last used folder (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Steinberg\Cubase VST\Settings\Initial Directory!=

    Internet Explorer: AutoComplete data (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Internet Explorer\IntelliForms\SPW

    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

    MS DirectDraw: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

    MS DirectInput: Most recent application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\DirectInput\MostRecentApplication\Name!=

    MS DirectInput: Most recent application ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\DirectInput\MostRecentApplication\Id!=

    MS DirectInput: Last mapped application ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\ID!=

    MS DirectInput: Last mapped application (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\DirectInput\MostRecentMapperApplication\Name!=

    MS Search Assistant: Typed search terms history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Search Assistant\ACMru

    Windows Explorer: User Assistant history IE (39 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Explorer: User Assistant history files (14 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: Last visited history (3 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-448539723-706699826-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Cookie: Cookie (8) (Cookie, nothing done)


    Cache: Cache (236) (Cache, nothing done)


    Congratulations!: No immediate threats were found. ()



    --- Spybot - Search & Destroy version: 1.3 .1 (build: 20040801) ---

    2004-05-12 blindman.exe (1.0.0.0)
    2004-08-05 SpyBotSD.exe (1.3.0.12)
    2004-05-12 TeaTimer.exe (1.3.0.12)
    2004-04-27 unins000.exe (51.13.0.0)
    2004-05-12 Update.exe (1.3.0.0)
    2004-08-01 advcheck.dll (1.0.1.0)
    2004-05-12 borlndmm.dll (7.0.4.453)
    2004-05-12 delphimm.dll (7.0.4.453)
    2004-08-04 SDHelper.dll (1.3.0.12)
    2004-05-12 Tools.dll (2.0.0.0)
    2004-05-12 UnzDll.dll (1.73.1.1)
    2004-05-12 ZipDll.dll (1.73.2.0)
    2004-09-16 Includes\Beta.sbi
    2004-08-30 Includes\Beta.uti
    2004-08-11 Includes\Cookies.sbi
    2004-09-16 Includes\Dialer.sbi
    2004-09-16 Includes\Hijackers.sbi
    2004-09-16 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-09-16 Includes\Malware.sbi
    2004-08-12 Includes\Revision.sbi
    2004-09-16 Includes\Security.sbi
    2004-09-16 Includes\Spybots.sbi
    2004-08-30 Includes\Tracks.uti
    2004-09-16 Includes\Trojans.sbi



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / DataAccess: Microsoft Data Access Components KB870669
    / DataAccess: Security Update for Microsoft Data Access Components
    / DirectX: DirectX Update 819696
    / DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
    / Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
    / Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
    / Windows Media Player: Windows Media Update 817787
    / Windows XP / SP2: Windows XP Service Pack 2


    --- Startup entries list ---
    Located: HK_LM:Run, 33L8Q9H5D@EEWE
    command: C:\WINDOWS\system32\OzzG.exe
    file: C:\WINDOWS\system32\OzzG.exe
    size: 499763
    MD5: 3549b5b782abacafd448964efbddf36d

    Located: HK_LM:Run, InetCntrl
    command: C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
    file: C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
    size: 479232
    MD5: 6c977db9d327bff1bea8734b56a78e99

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: HK_LM:Run, Pcsv
    command: C:\WINDOWS\system32\pcs\pcsvc.exe
    file: C:\WINDOWS\system32\pcs\pcsvc.exe
    size: 35840
    MD5: f03db954d348fe4ab79df8db7a5218b9

    Located: HK_LM:Run, QuickTime Task
    command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    file: C:\Program Files\QuickTime\qttask.exe
    size: 77824
    MD5: 5d22b4258489575412f6d18affc847a2

    Located: HK_LM:Run, SoundMAX
    command: "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    file: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    size: 585728
    MD5: 5fa14654b827bc70dc14de586dc5d493

    Located: HK_LM:Run, TkBellExe
    command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    size: 180269
    MD5: 7237366a57a26b7ed71c9b081fbdd6eb

    Located: HK_LM:RunOnceEx,
    command:

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1667584
    MD5: b53343fe60a33ee765c2476d50d27b26

    Located: HK_CU:Run, NvMediaCenter
    command: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

    Located: Startup (common), Kodak EasyShare software.lnk
    command: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    file: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    size: 757760
    MD5: 5849e088d0318421376e633018abe6f9

    Located: Startup (common), Kodak software updater.lnk
    command: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    file: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    size: 16423
    MD5: db9012564169875f5b2aa7f5fc4905e4

    Located: Startup (common), Microsoft Office.lnk
    command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
    size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

    Located: Startup (disabled), ItsDeductible7PopUp (DISABLED)
    command: C:\PROGRA~1\ITSDED~1\ItsD7.exe PopUp
    file: C:\PROGRA~1\ITSDED~1\ItsD7.exe
    size: 3645440
    MD5: bba9cf3b90ec762db77ead7e5ecf4578

    Located: WinLogon, crypt32chain
    command: crypt32.dll

    Located: WinLogon, cryptnet
    command: cryptnet.dll

    Located: WinLogon, cscdll
    command: cscdll.dll

    Located: WinLogon, ScCertProp
    command: wlnotify.dll

    Located: WinLogon, Schedule
    command: wlnotify.dll

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll

    Located: WinLogon, SensLogn
    command: WlNotify.dll

    Located: WinLogon, termsrv
    command: wlnotify.dll

    Located: WinLogon, wlballoon
    command: wlnotify.dll



    --- Browser helper object list ---
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    BHO name:
    CLSID name: AcroIEHlprObj Class
    description: Adobe Acrobat reader
    classification: Legitimate
    known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
    info link: http://www.adobe.com/products/acrobat/readstep2.html
    info source: TonyKlein
    Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
    Long name: AcroIEHelper.ocx
    Short name: ACROIE~1.OCX
    Date (created): 5/18/2004 2:50:30 PM
    Date (last access): 10/5/2004 8:47:38 PM
    Date (last write): 4/16/2001 4:39:02 PM
    Filesize: 37808
    Attributes:
    MD5: 8394ABFC1BE196A62C9F532511936DF7
    CRC32: 71D6E350
    Version: 0.1.0.0

    {53707962-6F74-2D53-2644-206D7942484F} ()
    BHO name:
    CLSID name:
    description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
    info link: http://spybot.eon.net.au/
    info source: Patrick M. Kolla
    Path: C:\PROGRA~1\SPYBOT~1\
    Long name: SDHelper.dll
    Short name:
    Date (created): 5/12/2004 1:03:00 AM
    Date (last access): 10/5/2004 8:50:46 PM
    Date (last write): 8/4/2004 12:10:42 PM
    Filesize: 773120
    Attributes: archive
    MD5: 0C332C33607F59C0FE0B788A0413A559
    CRC32: 8928D78E
    Version: 0.1.0.3

    {E0019445-4C1F-414D-A70E-AD80F231C584} (Bsecure Popup Blocker)
    BHO name: Bsecure Popup Blocker
    CLSID name: PopBlockBHO Class
    Path: C:\WINDOWS\system32\InetCntrl\PopupKil\
    Long name: BsafeBHO.dll
    Short name:
    Date (created): 9/26/2004 1:50:36 PM
    Date (last access): 10/5/2004 8:47:38 PM
    Date (last write): 7/19/2004 4:11:46 PM
    Filesize: 155648
    Attributes: archive
    MD5: A8EBE028B5FEE4085C6850016A5661F3
    CRC32: 426631F1
    Version: 0.4.0.3



    --- ActiveX list ---
    {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
    DPF name:
    CLSID name: QuickTime Object
    description: Apple Quicktime
    classification: Legitimate
    known filename: QTPLUGIN.OCX
    info link:
    info source: Patrick M. Kolla
    Path: C:\Program Files\QuickTime\
    Long name: QTPlugin.ocx
    Short name:
    Date (created): 5/31/2004 4:29:42 PM
    Date (last access): 10/5/2004 8:58:54 PM
    Date (last write): 5/31/2004 4:29:42 PM
    Filesize: 327736
    Attributes: archive
    MD5: CE3D865CCF4267C85934D9B7CA8521F2
    CRC32: F9306ACA
    Version: 0.6.0.4

    {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer)
    DPF name:
    CLSID name: Musicnotes Viewer
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: mnviewer.dll
    Short name:
    Date (created): 11/18/2003 1:21:52 PM
    Date (last access): 10/5/2004 9:33:48 PM
    Date (last write): 11/18/2003 1:21:52 PM
    Filesize: 241664
    Attributes: archive
    MD5: 69FA61162945F71848D26B1C9AE1379A
    CRC32: 38455488
    Version: 0.1.0.15

    {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
    DPF name:
    CLSID name: Shockwave ActiveX Control
    description: Macromedia ShockWave Flash Player 7
    classification: Unknown
    known filename: SWDIR.DLL
    info link:
    info source: Patrick M. Kolla
    Path: C:\WINDOWS\system32\Macromed\Director\
    Long name: SwDir.dll
    Short name:
    Date (created): 6/24/2004 9:54:38 PM
    Date (last access): 10/5/2004 6:29:32 AM
    Date (last write): 5/28/2004 1:38:00 AM
    Filesize: 54480
    Attributes: archive
    MD5: 408F53722D9C1280BF4EDD70341EA7F2
    CRC32: 4EB8819E
    Version: 0.10.0.0

    {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class)
    DPF name:
    CLSID name: MSSecurityAdvisor Class
    Path: C:\WINDOWS\System32\
    Long name: mssecadv.dll
    Short name:
    Date (created): 9/8/2003 11:30:46 AM
    Date (last access): 10/5/2004 6:29:38 AM
    Date (last write): 9/8/2003 11:30:46 AM
    Filesize: 36960
    Attributes: archive
    MD5: A4282FD762CE1C4FFA665538E335CFF0
    CRC32: 51ECFB75
    Version: 0.5.0.4

    {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
    DPF name:
    CLSID name: Office Update Installation Engine
    Path: C:\WINDOWS\
    Long name: opuc.dll
    Short name:
    Date (created): 8/27/2003 4:10:30 AM
    Date (last access): 10/5/2004 6:26:48 AM
    Date (last write): 8/27/2003 4:10:30 AM
    Filesize: 314368
    Attributes: archive
    MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
    CRC32: E98FC293
    Version: 0.11.0.0

    {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class)
    DPF name:
    CLSID name: RdxIE Class
    description: Netster
    classification: Confirmed as malware
    known filename:
    info link:
    info source:
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: RdxIE.dll
    Short name:
    Date (created): 6/3/2004 10:04:04 AM
    Date (last access): 10/5/2004 9:33:48 PM
    Date (last write): 6/3/2004 10:04:04 AM
    Filesize: 520349
    Attributes: archive
    MD5: 2DBB57FDB7D3BFF88B21924187B3EE02
    CRC32: B04A8C78
    Version: 0.6.0.0

    {62475759-9E84-458E-A1AB-5D2C442ADFDE} ()
    DPF name:
    CLSID name:

    {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer)
    DPF name:
    CLSID name: GViewer.GuardianViewer
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: GAudit.ocx
    Short name:
    Date (created): 4/22/2003 11:11:00 PM
    Date (last access): 10/5/2004 6:25:14 AM
    Date (last write): 4/22/2003 11:11:00 PM
    Filesize: 57344
    Attributes: archive
    MD5: DDA3A1E0465858ADA402A29695F4D4B1
    CRC32: D998C185
    Version: 0.1.0.7

    {9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
    DPF name:
    CLSID name:
    description: Windows Update
    classification: Legitimate
    known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
    info link:
    info source: Patrick M. Kolla

    {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control)
    DPF name:
    CLSID name: ContentAuditX Control
    Path: C:\WINDOWS\DOWNLO~1\
    Long name: ContentAuditControl.ocx
    Short name: CONTEN~1.OCX
    Date (created): 8/21/2002 5:40:44 PM
    Date (last access): 10/5/2004 6:25:14 AM
    Date (last write): 8/21/2002 5:40:44 PM
    Filesize: 783360
    Attributes: archive
    MD5: 9DF726E36654AA94AE9CDEBD75DC2F78
    CRC32: 0E9DE165
    Version: 0.1.0.2

    {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
    DPF name:
    CLSID name: Shockwave Flash Object
    description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename:
    info link:
    info source: Patrick M. Kolla
    Path: C:\WINDOWS\System32\Macromed\Flash\
    Long name: Flash.ocx
    Short name:
    Date (created): 4/8/2004 5:51:02 PM
    Date (last access): 10/5/2004 7:45:24 AM
    Date (last write): 4/8/2004 5:51:02 PM
    Filesize: 939368
    Attributes: archive
    MD5: 2FB1D6FAB135CEE391AB3D70E1C26347
    CRC32: 488FA4EC
    Version: 0.7.0.0

    {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class)
    DPF name:
    CLSID name: IWinAmpActiveX Class
    Path: C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\
    Long name: AmpX.dll
    Short name:
    Date (created): 8/4/2003 3:19:58 PM
    Date (last access): 10/5/2004 6:19:48 AM
    Date (last write): 8/4/2003 3:19:58 PM
    Filesize: 126977
    Attributes: archive
    MD5: 4F1733DC81678E921A3B39F7D50C1B79
    CRC32: E221CAC8
    Version: 0.2.0.0



    --- Process list ---

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 328 ( 588) C:\WINDOWS\system32\Qrn1.exe
    PID: 420 ( 444) C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    PID: 444 ( 388) C:\WINDOWS\Explorer.EXE
    PID: 532 ( 444) C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    PID: 540 ( 328) C:\WINDOWS\system32\Jgpkzd.exe
    PID: 556 ( 444) C:\Program Files\QuickTime\qttask.exe
    PID: 564 ( 444) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PID: 580 ( 444) C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
    PID: 612 ( 444) C:\Program Files\Messenger\msmsgs.exe
    PID: 620 ( 444) C:\WINDOWS\system32\RUNDLL32.EXE
    PID: 696 (3024) C:\WINDOWS\notepad.exe
    PID: 732 ( 444) C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    PID: 804 ( 4) \SystemRoot\System32\smss.exe
    PID: 852 ( 804) csrss.exe
    PID: 876 ( 804) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 920 ( 876) C:\WINDOWS\system32\services.exe
    PID: 932 ( 876) C:\WINDOWS\system32\lsass.exe
    PID: 1060 ( 920) wdfmgr.exe
    PID: 1104 ( 920) C:\WINDOWS\system32\svchost.exe
    PID: 1172 ( 920) svchost.exe
    PID: 1276 ( 920) C:\WINDOWS\system32\drivers\KodakCCS.exe
    PID: 1336 ( 920) C:\WINDOWS\System32\svchost.exe
    PID: 1360 ( 920) C:\WINDOWS\System32\nvsvc32.exe
    PID: 1488 ( 920) svchost.exe
    PID: 1536 ( 920) C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    PID: 1584 ( 920) svchost.exe
    PID: 1916 ( 920) C:\WINDOWS\system32\spoolsv.exe
    PID: 1996 ( 920) C:\WINDOWS\System32\svchost.exe
    PID: 2300 ( 920) alg.exe
    PID: 3456 ( 444) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PID: 3948 ( 444) C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Spybot - Search && Destroy process list report, 10/5/2004 9:35:18 PM


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 10/5/2004 9:35:18 PM

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.google.com
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.google.com/

    http://www.google.com/keyword/%s
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://channels.aimtoday.com/search/aimtoolbar.jsp
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
    Protocol 0: BSLSP MSAFD Tcpip [TCP/IP]
    GUID: {0E8ECD55-367E-43A8-A999-46DBCAF51CA8}
    Filename: InetCntrl.dll

    Protocol 1: BSLSP MSAFD Tcpip [UDP/IP]
    GUID: {6DAD8AEC-6E5D-4273-8F37-E867D4EE3B97}
    Filename: InetCntrl.dll

    Protocol 2: BSLSP MSAFD Tcpip [RAW/IP]
    GUID: {0BB8E77D-0BED-43A4-AE97-52DBCDE391C9}
    Filename: InetCntrl.dll

    Protocol 3: BSLSP RSVP UDP Service Provider
    GUID: {521AB21C-A0F6-4CF2-ABD5-19284B171C94}
    Filename: InetCntrl.dll

    Protocol 4: BSLSP RSVP TCP Service Provider
    GUID: {ED34E753-9F1C-41CF-B26C-A0DEAC3FD882}
    Filename: InetCntrl.dll

    Protocol 5: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{523C37C0-9032-46D4-9AFE-7FD1F143809E}] SEQPACKET 4
    GUID: {3C65E55E-4158-46B5-BD8E-D1707C756950}
    Filename: InetCntrl.dll

    Protocol 6: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{523C37C0-9032-46D4-9AFE-7FD1F143809E}] DATAGRAM 4
    GUID: {EBC07B86-68C2-46A8-BCDA-4496FB503B11}
    Filename: InetCntrl.dll

    Protocol 7: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{54DEF855-99B8-4C12-8B07-87E0D4FF1006}] SEQPACKET 3
    GUID: {2CF5C4EB-6006-4120-8F3B-5D162925AA75}
    Filename: InetCntrl.dll

    Protocol 8: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{54DEF855-99B8-4C12-8B07-87E0D4FF1006}] DATAGRAM 3
    GUID: {DFD0B288-4B6F-4166-BA6F-97D1F56909EA}
    Filename: InetCntrl.dll

    Protocol 9: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B574FFF-3D41-4C57-8AC8-358613FDF3AA}] SEQPACKET 0
    GUID: {9B7DD0CA-153E-4B5A-BDBB-1651D4BA310D}
    Filename: InetCntrl.dll

    Protocol 10: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B574FFF-3D41-4C57-8AC8-358613FDF3AA}] DATAGRAM 0
    GUID: {4F9FCBB0-C692-4BDB-B01A-7C12C1E56F48}
    Filename: InetCntrl.dll

    Protocol 11: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{401E4716-346F-41B1-ADE3-37EFCA324625}] SEQPACKET 1
    GUID: {0C211CAF-C380-4D15-961F-9BD2990E9B15}
    Filename: InetCntrl.dll

    Protocol 12: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{401E4716-346F-41B1-ADE3-37EFCA324625}] DATAGRAM 1
    GUID: {2A4C014F-0679-46AF-A18E-021CFF1A4B5F}
    Filename: InetCntrl.dll

    Protocol 13: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{522FE792-6FCF-48F1-8231-D07D627BBFD6}] SEQPACKET 2
    GUID: {41E60773-2B77-4818-AD8A-42C7DA7128E2}
    Filename: InetCntrl.dll

    Protocol 14: BSLSP MSAFD NetBIOS [\Device\NetBT_Tcpip_{522FE792-6FCF-48F1-8231-D07D627BBFD6}] DATAGRAM 2
    GUID: {C6C3D047-8C5D-4802-9BD8-E7580BF65728}
    Filename: InetCntrl.dll

    Protocol 15: MSAFD Tcpip [TCP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 16: MSAFD Tcpip [UDP/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 17: MSAFD Tcpip [RAW/IP]
    GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP IP protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD Tcpip [*]

    Protocol 18: RSVP UDP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 19: RSVP TCP Service Provider
    GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
    Description: Microsoft Windows NT/2k/XP RVSP
    DB filename: %SystemRoot%\system32\rsvpsp.dll
    DB protocol: RSVP * Service Provider

    Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{523C37C0-9032-46D4-9AFE-7FD1F143809E}] SEQPACKET 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{523C37C0-9032-46D4-9AFE-7FD1F143809E}] DATAGRAM 4
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{54DEF855-99B8-4C12-8B07-87E0D4FF1006}] SEQPACKET 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{54DEF855-99B8-4C12-8B07-87E0D4FF1006}] DATAGRAM 3
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B574FFF-3D41-4C57-8AC8-358613FDF3AA}] SEQPACKET 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B574FFF-3D41-4C57-8AC8-358613FDF3AA}] DATAGRAM 0
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{401E4716-346F-41B1-ADE3-37EFCA324625}] SEQPACKET 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{401E4716-346F-41B1-ADE3-37EFCA324625}] DATAGRAM 1
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{522FE792-6FCF-48F1-8231-D07D627BBFD6}] SEQPACKET 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{522FE792-6FCF-48F1-8231-D07D627BBFD6}] DATAGRAM 2
    GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP NetBios protocol
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: MSAFD NetBIOS *

    Protocol 30: BSafe Layered Service Provider
    GUID: {97016DAA-8EEA-4CE5-94A9-B313D851D255}
    Filename: InetCntrl.dll

    Namespace Provider 0: Tcpip
    GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: TCP/IP

    Namespace Provider 1: NTDS
    GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\winrnr.dll
    DB protocol: NTDS

    Namespace Provider 2: Network Location Awareness (NLA) Namespace
    GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
    Description: Microsoft Windows NT/2k/XP name space provider
    DB filename: %SystemRoot%\system32\mswsock.dll
    DB protocol: NLA-Namespace
  • edited October 2004
    Why no response to this?
  • SpywareShooter 127.0.0.1
    edited October 2004
    Sorry about the late response. I may have missed your post.

    O4 - HKLM\..\Run: [33L8Q9H5D@EEWE] C:\WINDOWS\system32\OzzG.exe

    Fix that entry, then set your computer to show hidden files and folders, and delete OzzG.exe, reboot, and post a new log.