Help with WinAntiVirus and maybe more



#1
kevinmc

    New Member

  • Member
  • 5 posts
When I launch IE and open a new tab or window, all of IE crashes, and sometimes when I open it I get popups for WinAntiVirus Pro 2006, along with some popup message dialogs asking to clean my computer, etc.

I ran Ewido, AdAware, Spybot S&D, Trojan Hunter, CW Shredder, Trend, etc.; all found things and got rid of them.

The problems seemed to go away for a bit, then they returned. So then I looked on Google and such to try and remove it, and tried VundoFix. It found some files and deleted all but one, which it could not.

Here is the VundoFix log:


VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 6:13:39 PM 8/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\awtqnkh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\awtqnkh.dll Could not be deleted.

Performing Repairs to the registry.
Done!




---


And here is the HJT Log:


Logfile of HijackThis v1.99.1
Scan saved at 9:18:33 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Airlink101\AWLH4030\WLService.exe
E:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\SmartSpeed\ITESmart.exe
E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
E:\Program Files\DAP\DAP.EXE
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\TEMP\win1C.tmp.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\TEMP\win20.tmp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\SmartSpeed\ITESmart.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\Ntune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [mmtask] "E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "E:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [2f0f5fed.exe] C:\WINDOWS\system32\2f0f5fed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [2f0f5fed.exe] C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - E:\Program Files\Airlink101\AWLH4030\WLService.exe




Thanks for any help :whistling:.

Edited by kevinmc, 27 August 2006 - 07:21 PM.



#2
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

#3
kevinmc

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi Sam, thanks for the fast reply.

Here is the log:

Kevin - 06-08-27 22:50:56.57
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Kevin\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Y1123OU.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\winsys.exe
C:\Program Files\ToolBar888
C:\Program Files\winupdates
C:\Program Files\Common Files\{CC65EBDA-0924-1033-0510-050921040001}
C:\Program Files\Common Files\{CC65EBDA-0951-1033-0510-050921040001}
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Cowabanga
C:\WINDOWS\system32\components

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Kevin\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\Kevin\My Documents\SSTEM3~1
C:\QooBox\Purity\Documents and Settings\Kevin\My Documents\SSTEM3~1\spool32.exe
C:\QooBox\Purity\Documents and Settings\Kevin\My Documents\SSTEM3~1\SSTEM3~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\YSTEM~1
C:\QooBox\Purity\Program Files\Common Files\RACLE~1\??oolsv.exe
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-27 to 2006-08-27 ))))))))))))))))))))))))))))))))))


2006-08-27 21:23 139,264 --a------ C:\WINDOWS\system32\vre.dll
2006-08-27 21:02 40,973 ---hs---- C:\WINDOWS\system32\xxyvsqp.dll
2006-08-27 21:02 13,312 --a------ C:\WINDOWS\system32\2f0f5fed.exe
2006-08-27 19:42 635,898 ---hs---- C:\WINDOWS\system32\srutv.bak1
2006-08-27 19:42 13,844 --a------ C:\WINDOWS\system32\otypaemx.exe
2006-08-27 19:41 573,492 ---hs---- C:\WINDOWS\system32\vturs.dll
2006-08-21 19:47 637,465 ---hs---- C:\WINDOWS\system32\ybadd.bak2
2006-08-21 19:47 13,844 --a------ C:\WINDOWS\system32\plptbvki.exe
2006-08-20 19:46 573,492 --ahs---- C:\WINDOWS\system32\ddaby.dll.vir
2006-08-20 19:25 721,602 ---hs---- C:\WINDOWS\system32\nqtss.bak1
2006-08-20 19:24 573,492 --ahs---- C:\WINDOWS\system32\sstqn.dll.vir
2006-08-20 18:43 5,120 --a------ C:\WINDOWS\system32\ismon.exe
2006-08-20 18:43 36,368 --a------ C:\WINDOWS\system32\ishost.exe
2006-08-19 22:52 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2006-08-18 18:47 117,760 --------- C:\WINDOWS\system32\xmllite.dll
2006-08-12 11:36 40,973 --------- C:\WINDOWS\system32\awtqnkh.dll
2006-08-09 22:57 561,179 --a------ C:\WINDOWS\system32\dao360.dll
2006-08-09 22:57 185 --a------ C:\WINDOWS\system32\msblcd32.dll
2006-08-09 00:35 9,728 --a------ C:\WINDOWS\system32\sysinfoX64.sys
2006-08-09 00:35 8,192 --a------ C:\WINDOWS\system32\sysinfo.sys
2006-08-09 00:35 69,632 --a------ C:\WINDOWS\system32\sw24.exe
2006-08-09 00:35 208,896 --a------ C:\WINDOWS\system32\sw20.exe
2006-08-09 00:35 114,688 --a------ C:\WINDOWS\system32\sysinfo.dll
2006-08-08 22:42 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2006-08-08 22:42 40,960 --a------ C:\WINDOWS\system32\airlink101.dll
2006-08-08 22:42 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2006-08-04 16:57 2 --a------ C:\WINDOWS\system32\wnstssv.exe
2006-08-04 16:54 18,944 --------- C:\WINDOWS\system32\winjks32.dll
2006-08-04 14:20 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-08-04 14:20 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2006-08-04 14:05 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-07-29 19:32 48,936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-27 22:51 -------- d-------- C:\Program Files\Common Files
2006-08-27 00:39 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Xfire
2006-08-27 00:38 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Xfire Plus
2006-08-25 14:52 -------- d-------- C:\Program Files\PokerRoom.com
2006-08-23 22:09 -------- d-------- C:\Program Files\Windows Media Player
2006-08-22 20:18 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-08-22 20:13 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-22 15:58 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Apple Computer
2006-08-20 19:27 -------- d-------- C:\Program Files\Common Files\Java
2006-08-20 19:19 -------- d-------- C:\Documents and Settings\Kevin\Application Data\greateachsurf
2006-08-20 18:47 -------- d-------- C:\Program Files\Yahoo!
2006-08-19 22:56 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Tenebril
2006-08-19 11:48 -------- d-------- C:\Program Files\MSN Messenger
2006-08-19 11:47 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-19 10:28 -------- d-------- C:\Program Files\iPod
2006-08-19 00:17 -------- d-------- C:\Program Files\Internet Explorer
2006-08-17 22:52 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-08-16 16:39 -------- d-------- C:\Program Files\HoldemPoker
2006-08-15 18:55 -------- d-------- C:\Program Files\MTV Networks
2006-08-13 12:15 -------- d-------- C:\Program Files\America's Army Server Manager
2006-08-12 11:34 -------- d-------- C:\Documents and Settings\Kevin\Application Data\TrojanHunter
2006-08-12 10:22 -------- d---s---- C:\Documents and Settings\Kevin\Application Data\Microsoft
2006-08-10 19:30 -------- d-------- C:\Documents and Settings\Kevin\Application Data\NetPumper
2006-08-10 15:41 -------- d-------- C:\Documents and Settings\Kevin\Application Data\BitTorrent
2006-08-09 22:57 -------- d-------- C:\Program Files\AF Uninstalls
2006-08-08 22:42 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2006-08-08 13:36 65 --a------ C:\WINDOWS\taskmen.pif
2006-08-04 14:21 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Logitech
2006-08-04 14:20 -------- d-------- C:\Program Files\Common Files\Logitech
2006-07-28 22:34 -------- d-------- C:\Program Files\AGEIA Technologies
2006-07-28 14:41 -------- d-------- C:\Program Files\Sierra On-Line
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-23 13:15 -------- d-------- C:\Program Files\Poker.com
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-20 15:58 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Microgaming
2006-07-15 00:44 -------- d-------- C:\Documents and Settings\Kevin\Application Data\Microsoft Games
2006-07-15 00:15 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-07-15 00:14 96256 --a------ C:\WINDOWS\system32\drivers\sptd2381.sys
2006-07-15 00:14 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-07-11 19:35 -------- d-------- C:\Program Files\directx
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-28 11:28 -------- d-------- C:\Program Files\Dell
2006-06-23 09:28 5512704 --------- C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47616 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454144 --------- C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-06-23 09:28 223744 --a------ C:\WINDOWS\system32\webcheck.dll
2006-06-23 09:28 179200 --------- C:\WINDOWS\system32\ieui.dll
2006-06-23 09:28 155648 --a------ C:\WINDOWS\system32\msls31.dll
2006-06-23 05:41 172544 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:40 78848 --a------ C:\WINDOWS\system32\ieencode.dll
2006-06-23 05:40 40960 --a------ C:\WINDOWS\system32\url.dll
2006-06-23 05:39 99328 --a------ C:\WINDOWS\system32\occache.dll
2006-06-23 05:39 39424 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-06-23 05:37 14336 --a------ C:\WINDOWS\system32\corpol.dll
2006-06-23 05:34 81920 --a------ C:\WINDOWS\system32\admparse.dll
2006-06-23 05:34 50688 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-06-23 05:34 372736 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-06-23 05:34 228864 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-06-23 05:34 167936 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-06-23 05:33 54272 --a------ C:\WINDOWS\system32\iesetup.dll
2006-06-23 05:33 41984 --a------ C:\WINDOWS\system32\iernonce.dll
2006-06-23 05:33 121856 --a------ C:\WINDOWS\system32\advpack.dll
2006-06-23 05:30 11776 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55296 --------- C:\WINDOWS\system32\icardie.dll
2006-06-23 05:29 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-06-23 05:27 251392 --------- C:\WINDOWS\system32\iertutil.dll
2006-06-23 05:26 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-06-23 04:46 377856 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-06-23 04:45 48640 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-06-23 04:41 172032 --a------ C:\WINDOWS\system32\ieakui.dll
2006-06-21 15:44 109568 -----c--- C:\WINDOWS\system32\pxinsi64.exe
2006-06-21 06:49 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 06:43 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-21 06:43 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-06-21 06:42 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-21 06:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-21 06:34 90112 --a------ C:\WINDOWS\system32\dpl100.dll
2006-06-21 06:34 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 06:34 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-21 06:34 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-21 06:34 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-21 06:34 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-21 06:34 200704 --a------ C:\WINDOWS\system32\dtu100.dll
2006-06-21 06:33 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 06:33 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-19 15:18 23552 --------- C:\WINDOWS\system32\idndl.dll
2006-06-19 15:18 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-06-19 15:18 20480 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-01 19:09 208896 --a--c--- C:\WINDOWS\system32\nvusmb.exe
2006-06-01 19:09 208896 --a--c--- C:\WINDOWS\system32\nvunrm.exe
2006-06-01 19:09 208896 --a--c--- C:\WINDOWS\system32\NVUNINST.EXE
2006-06-01 19:09 208896 --a--c--- C:\WINDOWS\system32\nvuide.exe
2006-06-01 19:09 208896 --a--c--- C:\WINDOWS\system32\nvuaudio.exe
2006-06-01 19:09 208896 -----c--- C:\WINDOWS\system32\nvudisp.exe
2006-06-01 17:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-06-01 17:22 5652480 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-06-01 17:22 5246976 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-06-01 17:22 462848 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-06-01 17:22 3100672 --a------ C:\WINDOWS\system32\nvgames.dll
2006-06-01 17:22 2977792 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-06-01 17:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-06-01 17:22 2916352 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-06-01 17:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-06-01 17:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-06-01 17:22 1740800 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-06-01 17:22 1257472 --a------ C:\WINDOWS\system32\nvwss.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"SmartGuardian"="E:\\Program Files\\SmartSpeed\\ITESmart.exe"
"NVIDIA nTune"="\"E:\\Program Files\\Ntune\\\\nTune.exe\" clear"
"NVCLOCK"="rundll32 nvclock.dll,fnNvclock"
"mmtask"="\"E:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"DownloadAccelerator"="\"E:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"E:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"2f0f5fed.exe"="C:\\WINDOWS\\system32\\2f0f5fed.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"2f0f5fed.exe"="C:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\2f0f5fed.exe"
"Trti"="\"C:\\DOCUME~1\\Kevin\\MYDOCU~1\\SSTEM3~1\\spool32.exe\" -vt yazr"
"Cbpcf"="C:\\Program Files\\Common Files\\?racle\\??oolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,80,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{668B1E21-4DE0-450A-AB10-121220442EA6}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^3D!Turbo Experience.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\3D!Turbo Experience.lnk"
"backup"="C:\\WINDOWS\\pss\\3D!Turbo Experience.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\MSI\\3D!TUR~1\\3D!Turbo.exe "
"item"="3D!Turbo Experience"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpyCatcher Protector.lnk"
"backup"="C:\\WINDOWS\\pss\\SpyCatcher Protector.lnkCommon Startup"
"location"="Common Startup"
"command"="E:\\PROGRA~1\\SPYCAT~1\\PROTEC~1.EXE "
"item"="SpyCatcher Protector"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\Opera\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Burnmeetteamflag]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="browse default"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\ELSELOUDBURNMEET\\browse default.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cash bib]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BALLBINBOOB"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Kevin\\APPLIC~1\\GREATE~1\\BALLBINBOOB.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\desktop]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="idemlog"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\idemlog.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EssSpkPhone]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="essspk"
"hkey"="HKLM"
"command"="essspk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\JAguAr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CToolBar"
"hkey"="HKLM"
"command"="CToolBar.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Logitech Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Logi_MwX"
"hkey"="HKLM"
"command"="Logi_MwX.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MON76234]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bingo9"
"hkey"="HKCU"
"command"="bingo9.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newbreed]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kargo"
"hkey"="HKLM"
"command"="Kargo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSPVideo9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pspVideo9"
"hkey"="HKLM"
"command"="C:\\Program Files\\pspvideo9\\pspVideo9.exe -t"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SmartSpeed]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SmartSpeed2"
"hkey"="HKLM"
"command"="C:\\Program Files\\Smart-Speed\\SmartSpeed2.0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"E:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="E:\\Program Files\\Valve\\Steam\\\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SW20]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sw20"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\sw20.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SW24]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sw24"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\sw24.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SysSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keybdll"
"hkey"="HKCU"
"command"="keybdll.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\THGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="THGuard"
"hkey"="HKLM"
"command"="\"E:\\TrojanHunter 4.5\\THGuard.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Two Degrees]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Two Degrees"
"hkey"="HKCU"
"command"="\"E:\\Program Files\\Two Degrees\\Two Degrees.exe\" /server"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UnSpyPC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnSpyPC"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"ewido anti-spyware 4.0 guard"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsqp



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060827-194617-472
O20 - Winlogon Notify: winjks32 - C:\WINDOWS\SYSTEM32\winjks32.dll
backup-20060827-194617-279
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
backup-20060827-194617-608
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
backup-20060827-194617-709
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEA34390-D0AB-42E8-8BA9-523B7C2B8E3C}: NameServer = 85.255.113.150,85.255.112.12
backup-20060827-194617-933
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20060827-194617-995
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
backup-20060827-194617-784
O15 - Trusted Zone: http://locator.cdn.imageservr.com
backup-20060827-194617-322
O11 - Options group: [INTERNATIONAL] International*
backup-20060827-194617-839
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
backup-20060827-194617-247
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
backup-20060827-194617-546
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - (no file)
backup-20060827-194617-788
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - (no file)
backup-20060827-194617-347
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
backup-20060827-194617-849
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - (no file)
backup-20060827-194617-305
O2 - BHO: (no name) - {DF00FFA0-AEA9-4EA8-A10F-8BB9A7F8508C} - (no file)
backup-20060827-194617-952
O2 - BHO: (no name) - {C02D8750-12EE-1237-B8C0-37B6AA9425C3} - (no file)
backup-20060827-194617-706
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - (no file)
backup-20060827-194617-771
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - (no file)
backup-20060827-194617-119
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - (no file)
backup-20060827-194617-116
O2 - BHO: (no name) - {82EF4D84-D6CE-1EF0-AE5F-5878579E35B7} - (no file)
backup-20060827-194616-394
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
backup-20060827-194616-903
O2 - BHO: (no name) - {5E9968ED-5186-44DC-B46B-82B4EDE5B86D} - (no file)
backup-20060827-194616-657
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - (no file)
backup-20060827-194616-441
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\awtqnkh.dll
backup-20060827-194616-710
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\Opera\GetRight\xx2gr.dll
backup-20060827-194616-421
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
backup-20060827-194616-244
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
backup-20060827-194616-511
O2 - BHO: (no name) - {0B5F7FDF-0717-45BF-B49D-695F3168C7FE} - (no file)
backup-20060827-194616-263
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
backup-20060827-194616-867
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
backup-20060827-194616-108
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
backup-20060820-192916-446
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.....cab?refid=1123
backup-20060820-192916-271
O4 - HKCU\..\Run: [2f0f5fed.exe] C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe
backup-20060820-192916-354
O4 - HKLM\..\Run: [2f0f5fed.exe] C:\WINDOWS\system32\2f0f5fed.exe
backup-20060820-152002-403
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
backup-20060820-152001-429
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20060820-152001-272
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20060820-152001-792
R3 - Default URLSearchHook is missing
backup-20060813-154859-156
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
backup-20060813-154859-328
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
backup-20060813-154859-550
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.micro...n7/dlhelper.cab
backup-20060813-154859-863
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
backup-20060813-154859-904
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
backup-20060813-154859-124
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\Opera\GetRight\GRbrowse.htm
backup-20060813-154859-341
O4 - HKLM\..\Run: [SpeedOptimizer] E:\PROGRA~1\DAP\SPEEDO~1\SPO.EXE -s
backup-20060812-134726-585
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
backup-20060812-134726-126
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
backup-20060812-134726-357
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
backup-20060812-134726-224
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
backup-20060812-134726-576
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe (file missing)
backup-20060812-134726-714
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyPoker\PartyPoker.exe (file missing)
backup-20060812-134726-841
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
backup-20060812-134726-723
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
backup-20060812-134726-867
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
backup-20060812-134726-481
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - E:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
backup-20060812-134726-778
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - E:\Program Files\Intertops Poker\IntertopsPoker.exe (file missing)
backup-20060812-134726-888
O8 - Extra context menu item: Download with NetPumper - E:\NetPumper\AddUrl.htm
backup-20060812-134726-678
O8 - Extra context menu item: Download with GetRight - E:\Program Files\Opera\GetRight\GRdownload.htm
backup-20060812-134726-898
O4 - HKCU\..\Run: [cash bib] C:\DOCUME~1\Kevin\APPLIC~1\GREATE~1\BALLBINBOOB.exe
backup-20060812-134726-981
O4 - HKCU\..\Run: [BitTorrent] "E:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
backup-20060812-105844-862
O4 - HKLM\..\Run: [NetPumper] "E:\NetPumper\NetPumperIEProxy.exe"
backup-20060812-105844-945
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - E:\Program Files\DAP\DAPIEBar.dll

Completion time: Sun 08/27/2006 22:52:42.43
ComboFix.txt

#4
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
You've got a lot going on there. This is going to take a few steps.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


============


Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log.

#5
kevinmc

    New Member

  • Topic Starter
  • Member
  • 5 posts
VundoFix Log:


VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 5:23:30 PM 8/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\xxyvsqp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\srutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyvsqp.dll
C:\WINDOWS\system32\xxyvsqp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 5:27:02 PM 8/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\xxyvsqp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vturs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyvsqp.dll
C:\WINDOWS\system32\xxyvsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!


------

SmitFraudFix Log:

SmitFraudFix v2.81

Scan done at 17:30:44.42, Mon 08/28/2006
Run from C:\Documents and Settings\Kevin\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kevin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\Kevin\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kevin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#6
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
We're making headway.


Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


1. Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

2. Run Smitfraud
  • Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
  • Select option #2 - Clean by typing 2 and press Enter.
  • Wait for the tool to complete and disk cleanup to finish.
  • You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
  • The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.


    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
3. Clean out your Temporary Internet files
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start -> Control Panel and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.

4. Next Click Start -> Control Panel and then double-click Display.
  • Click on the Desktop tab, then click the Customize Desktop button.
  • Click on the Web tab.
  • Under Web Pages you may see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button.
  • Click Ok then Apply and Ok.

5. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


6. Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.

  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido.
7. Reboot back into Normal Windows Mode


8. Run SmitfraudFix.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #3 - Delete Trusted zone by typing 3 and press Enter
  • Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.


    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
9. Please post the following logs:
  • c:\rapport.txt
  • Ewido log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.


#7
kevinmc

    New Member

  • Topic Starter
  • Member
  • 5 posts
Rapport.txt:


SmitFraudFix v2.81

Scan done at 19:16:38.20, Mon 08/28/2006
Run from C:\Documents and Settings\Kevin\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\DOCUME~1\Kevin\STARTM~1\Programs\Startup\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



--------


Ewido Report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:53:27 PM 8/28/2006

+ Scan result:



C:\QooBox\Purity\Program Files\Common Files\RACLE~1\ѕрoolsv.exe -> Adware.PurityScan : Cleaned.
C:\WINDOWS\system32\vre.dll -> Adware.PurityScan : Cleaned.
C:\VundoFix Backups\awtqnkh.dll -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe -> Downloader.Obfuscated.a : Cleaned.
C:\WINDOWS\system32\2f0f5fed.exe -> Downloader.Obfuscated.a : Cleaned.
C:\QooBox\Purity\Documents and Settings\Kevin\My Documents\SSTEM3~1\spool32.exe -> Downloader.PurityScan.da : Cleaned.
C:\WINDOWS\system32\gxmqtcxu.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned.
C:\WINDOWS\system32\otypaemx.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned.
C:\WINDOWS\system32\plptbvki.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned.
:mozilla.11:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Kevin\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.53:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.54:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.146:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.147:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.148:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.61:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Kevin\Cookies\kevin@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.101:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.106:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.108:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.109:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.47:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Kevin\Cookies\kevin@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.137:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.138:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.139:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.89:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.13:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.82:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.83:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.84:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.85:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.87:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.144:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.149:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.110:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.38:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lg0lzyp5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\DAPDownloads\UDefender_Installer.exe -> Trojan.Fakealert : Cleaned.
C:\WINDOWS\system32\winjks32.dll -> Trojan.Mezzia : Cleaned.


::Report end



---


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:30 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Airlink101\AWLH4030\WLService.exe
E:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\SmartSpeed\ITESmart.exe
E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
E:\Program Files\DAP\DAP.EXE
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {E17FBED0-2E49-25B4-48E6-55C0AD565097} - C:\WINDOWS\system32\vre.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - E:\Program Files\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - (no file)
O2 - BHO: (no name) - {5E9968ED-5186-44DC-B46B-82B4EDE5B86D} - (no file)
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - (no file)
O2 - BHO: (no name) - {668B1E21-4DE0-450A-AB10-121220442EA6} - C:\WINDOWS\system32\xxyvsqp.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {82EF4D84-D6CE-1EF0-AE5F-5878579E35B7} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - (no file)
O2 - BHO: (no name) - {C02D8750-12EE-1237-B8C0-37B6AA9425C3} - (no file)
O2 - BHO: (no name) - {D2C721A3-B6BF-4468-A77C-15CAC9C6FACE} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {E17FBED0-2E49-25B4-48E6-55C0AD565097} - C:\WINDOWS\system32\vre.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\SmartSpeed\ITESmart.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\Ntune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [mmtask] "E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "E:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [2f0f5fed.exe] C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe
O4 - HKCU\..\Run: [Trti] "C:\DOCUME~1\Kevin\MYDOCU~1\SSTEM3~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Cbpcf] C:\Program Files\Common Files\?racle\??oolsv.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - E:\Program Files\Airlink101\AWLH4030\WLService.exe



--

End

#8
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - URLSearchHook: (no name) - {E17FBED0-2E49-25B4-48E6-55C0AD565097} - C:\WINDOWS\system32\vre.dll (file missing)
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - (no file)
O2 - BHO: (no name) - {5E9968ED-5186-44DC-B46B-82B4EDE5B86D} - (no file)
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - (no file)
O2 - BHO: (no name) - {668B1E21-4DE0-450A-AB10-121220442EA6} - C:\WINDOWS\system32\xxyvsqp.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {82EF4D84-D6CE-1EF0-AE5F-5878579E35B7} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00303} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00304} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00311} - (no file)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00320} - (no file)
O2 - BHO: (no name) - {C02D8750-12EE-1237-B8C0-37B6AA9425C3} - (no file)
O2 - BHO: (no name) - {D2C721A3-B6BF-4468-A77C-15CAC9C6FACE} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {E17FBED0-2E49-25B4-48E6-55C0AD565097} - C:\WINDOWS\system32\vre.dll (file missing)
O4 - HKCU\..\Run: [2f0f5fed.exe] C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe
O4 - HKCU\..\Run: [Trti] "C:\DOCUME~1\Kevin\MYDOCU~1\SSTEM3~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Cbpcf] C:\Program Files\Common Files\?racle\??oolsv.exe
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)



Delete this file, if present.

C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe




Reboot and post a new HijackThis log.
Let me know how things are working now.
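The fix list above is the helper's manual triage of kevinmc's HijackThis log: every line he checks is either a registration whose file is already gone, an unnamed BHO backed by a random-looking DLL, an autorun launched from the user's profile, or a file name dressed up to look like a Windows process. As an added example that is not part of this thread and is neither HijackThis's nor the helper's own code, the Python below turns those patterns into heuristics and runs them over a sample log. The sample is constructed from lines that appear in this thread plus one invented O4 line whose file name uses Cyrillic look-alike letters (the Ewido report above shows the same trick in a real path); the heuristic names, the list of imitated process names and the profile-path markers are this example's own assumptions.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from the helper.
It encodes the patterns the flagged lines above share: registrations whose
file is already gone, unnamed BHOs still backed by a DLL, autoruns launched
from the user's profile, hex-named executables, and file names that imitate a
Windows process, including HijackThis's '?' placeholder for characters it
cannot print and Cyrillic homoglyphs.  Heuristic names are this example's own.
"""
import re

# Process names malware likes to borrow (assumption: a short illustrative list).
LOOKALIKE_NAMES = {
    "spoolsv.exe", "spool32.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe",
}
# Fragments of a per-user profile path on XP, long and 8.3 forms, lower-case.
PROFILE_MARKERS = (
    "documents and settings", "docume~1", "local settings",
    "application data", "applic~1", "my documents", "mydocu~1",
)
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
# First drive-letter path ending in a PE extension; quotes and arguments are skipped.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cpl))', re.I)

# Constructed sample: lines copied from the logs in this thread, plus one invented
# line (the last O4) whose file name uses Cyrillic letters that look like 'sp'.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E17FBED0-2E49-25B4-48E6-55C0AD565097} - C:\WINDOWS\system32\vre.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\awtqnkh.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00305} - (no file)
O2 - BHO: (no name) - {D2C721A3-B6BF-4468-A77C-15CAC9C6FACE} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [2f0f5fed.exe] C:\Documents and Settings\Kevin\Local Settings\Application Data\2f0f5fed.exe
O4 - HKCU\..\Run: [Trti] "C:\DOCUME~1\Kevin\MYDOCU~1\SSTEM3~1\spool32.exe" -vt yazr
O4 - HKCU\..\Run: [Cbpcf] C:\Program Files\Common Files\?racle\??oolsv.exe
O4 - HKCU\..\Run: [Cbpcf2] C:\Program Files\Common Files\Oracle\ѕрoolsv.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjks32 - winjks32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def looks_like_system_name(basename: str) -> bool:
    """True when basename matches a protected name, treating '?' (HijackThis's
    placeholder for a character it cannot print) and any non-ASCII character as
    a wildcard, so '??oolsv.exe' and 'ѕрoolsv.exe' both match 'spoolsv.exe'."""
    b = basename.lower()
    for name in LOOKALIKE_NAMES:
        if len(name) == len(b) and all(
            x == y or x == "?" or ord(x) > 127 for x, y in zip(b, name)
        ):
            return True
    return False


def classify(line: str) -> list:
    """Return the reasons a single log line deserves a look (empty list if none)."""
    reasons = []
    kind = line.split(" - ", 1)[0].strip()          # 'O2', 'O4', 'R3', 'O20', ...
    lower = line.lower()
    orphaned = "(no file)" in lower or "(file missing)" in lower
    if orphaned:
        reasons.append("orphaned-entry")            # registration outlived its file
    if kind == "O2" and "(no name)" in lower and not orphaned:
        reasons.append("unnamed-bho-with-file")     # Vundo-style BHO, DLL still present
    m = PATH_RE.search(line)
    if m:
        path = m.group(1)
        p = path.lower()
        base = p.rsplit("\\", 1)[-1]
        if kind == "O4" and any(mark in p for mark in PROFILE_MARKERS):
            reasons.append("autorun-from-user-profile")
        if HEX_NAME.match(base):
            reasons.append("hex-named-executable")
        if looks_like_system_name(base) and "\\system32\\" not in p:
            reasons.append("system-process-lookalike")
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("non-ascii-or-unrenderable-path")
    return reasons


def triage(log_text: str) -> list:
    """Return [(line, reasons)] for every non-empty line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = classify(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{', '.join(reasons):48} {line}")
```

Run as a script it prints one report line per flagged entry; the two benign lines (the Adobe BHO and the NVIDIA autorun) produce nothing. The entries tagged only as orphaned are dead registrations whose DLL is already gone, which is why they can simply be removed with HijackThis; the ones with a file still present, a profile-resident autorun, or a look-alike name are the ones to examine and delete first, which is the order the helper's own list follows.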

#9
kevinmc

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi, things seem to be clean.

Here is HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:28:11 PM, on 8/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Airlink101\AWLH4030\WLService.exe
E:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\SmartSpeed\ITESmart.exe
E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmartGuardian] E:\Program Files\SmartSpeed\ITESmart.exe
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\Ntune\\nTune.exe" clear
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [mmtask] "E:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DownloadAccelerator] "E:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - E:\Program Files\Airlink101\AWLH4030\WLService.exe


--


Everything seems to be going well =) so thank you very much; what you guys do here is great.

#10
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Glad I could help you out!


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

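The two scriptable steps in the post above (the Internet-zone Custom Level changes and the System Restore flush) as a PowerShell script. This is an added example, not code from the thread or from any of the tools named in it. Assumptions of the example: the URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's documented registry mapping for the Internet zone, the value encoding is 0 = Enable, 1 = Prompt, 3 = Disable, and Disable/Enable-ComputerRestore and Checkpoint-Computer are available, which is the case on client Windows with PowerShell 2.0 or later but not on the XP machine in this thread, where the System Restore part still has to be done through the GUI the post links to. The function and variable names are the example's own.

```powershell
# Added example (not from the original thread): audit and apply the post's
# Internet-zone hardening, then flush and re-create System Restore points.
# Run from an elevated PowerShell prompt on the cleaned machine.
# Assumption: URL-action IDs and the 0/1/3 encoding follow Microsoft's
# documented Internet-zone mapping; cmdlet availability as described above.

# Zone 3 is the Internet zone. The Custom Level dialog writes to HKCU; a
# "Security_HKLM_only" policy would make IE read HKLM instead (not handled here).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Each URL action stores 0 = Enable, 1 = Prompt, 3 = Disable.
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action ID -> the value the post asks for.
$Required = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                              Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                  Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';               Value = 1 }
}

# Compare the live registry against $Required. Emits one object per action.
# A missing value is reported as drift: IE then falls back to the zone
# template default instead of the explicit setting the post asks for.
function Test-InternetZoneHardening {
    foreach ($id in $Required.Keys) {
        $want = $Required[$id].Value
        $have = (Get-ItemProperty -Path $ZonePath -Name $id -ErrorAction SilentlyContinue).$id
        $current = if ($null -eq $have) { 'not set' }
                   elseif ($Labels.ContainsKey([int]$have)) { $Labels[[int]$have] }
                   else { "unknown ($have)" }
        [pscustomobject]@{
            Action   = $id
            Setting  = $Required[$id].Name
            Current  = $current
            Required = $Labels[$want]
            Drift    = ($null -eq $have) -or ([int]$have -ne $want)
        }
    }
}

# Write the required values, touching only actions that drift, so a second
# Test-InternetZoneHardening run shows exactly what changed.
function Set-InternetZoneHardening {
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Test-InternetZoneHardening | Where-Object { $_.Drift } | ForEach-Object {
        New-ItemProperty -Path $ZonePath -Name $_.Action -PropertyType DWord `
            -Value $Required[$_.Action].Value -Force | Out-Null
        'set {0} ({1}) -> {2}' -f $_.Action, $_.Setting, $_.Required
    }
}

# Turning System Restore off deletes every existing restore point, which is
# the point of the post's advice: a restore point can carry the removed files
# back. Turn it on again and take a known-clean baseline.
function Reset-SystemRestore([string]$Drive = 'C:\') {
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

# Usage: audit first, apply, then audit again to confirm no Drift remains.
Test-InternetZoneHardening | Format-Table -AutoSize
Set-InternetZoneHardening
Test-InternetZoneHardening | Format-Table -AutoSize
Reset-SystemRestore
```

The audit-before-and-after pattern matters more than the one-off change: malware that loads into Internet Explorer, as the BHO-style DLL in the VundoFix log above did, can rewrite these zone values behind the user's back, so a Drift that reappears after the next reboot is itself a sign that the cleanup is not finished. If a domain or local policy sets Security_HKLM_only, repeat the check against the same key path under HKLM:, since that is where IE will read from.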