Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

TR/Vundo.Gen problem [RESOLVED]


  • This topic is locked This topic is locked

#1
XXSavaXX

XXSavaXX

    New Member

  • Member
  • Pip
  • 8 posts
Hi, my PC restarts when ever i go to a certain website and now i get a pop up saying i have a TR/Vundo.Gen virus.

I have hijackthis, here the log list thing

Logfile of HijackThis v1.99.1
Scan saved at 21:14:24, on 02/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.exe
C:\DOCUME~1\Sava\LOCALS~1\Temp\Rar$EX00.859\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superherohype.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9DA920A3-262B-43D0-B97A-A427D43199DD} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: (no name) - {A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A} - C:\WINDOWS\System32\yayyxxy.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: vtutt - C:\WINDOWS\
O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)
O20 - Winlogon Notify: yayyxxy - C:\WINDOWS\SYSTEM32\yayyxxy.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX, my name is Rorschach and I'll be helping you with your problems.


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

So post the following in your next reply : the VundoFix text, the two DSS texts in full, and tell me how your PC is running now and if you had any problems.
  • 0

#3
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for helping

here's the VundoFix txt

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:28:42 02/09/2007

Listing files found while scanning....

C:\WINDOWS\System32\ddayv.dll
C:\WINDOWS\System32\vyadd.bak1
C:\WINDOWS\System32\vyadd.ini
C:\WINDOWS\System32\wlaotmwj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ddayv.dll
C:\WINDOWS\System32\ddayv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vyadd.bak1
C:\WINDOWS\System32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\vyadd.ini
C:\WINDOWS\System32\vyadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:36:53 02/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 06:48:48 03/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...




i'll post the other things in a couple of hours, i have to go out
  • 0

#4
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hey, i used DSS, and here's what i got

Main Txt

eckard's System Scanner v20070826.66
Run by Sava on 2007-09-03 10:43:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
94: 2007-09-03 09:43:27 UTC - RP692 - Deckard's System Scanner Restore Point
93: 2007-09-02 15:24:06 UTC - RP691 - Restore Operation
92: 2007-09-02 15:18:26 UTC - RP690 - Restore Operation
91: 2007-09-01 15:46:22 UTC - RP689 - AntiVir PersonalEdition Classic - 01/09/2007 16:46
90: 2007-08-31 18:09:02 UTC - RP688 - Restore Operation


-- First Restore Point --
1: 2007-06-05 08:26:59 UTC - RP599 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sava.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-03 10:45:08
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DAP\DAP.exe
C:\Documents and Settings\Sava\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superherohype.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9DA920A3-262B-43D0-B97A-A427D43199DD} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: (no name) - {A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A} - C:\WINDOWS\system32\yayyxxy.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O15 - Trusted Zone: https://techsatish.tv (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O20 - Winlogon Notify: vtutt - C:\WINDOWS\System32\
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\System32\winjyg32.dll (file missing)
O20 - Winlogon Notify: yayyxxy - C:\WINDOWS\System32\yayyxxy.dll
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\uvbpjngl.exe /service
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe



-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 avgntmgr - c:\windows\system32\drivers\avgntmgr.sys <Not Verified; AVIRA GmbH; AntiVir®>
R0 RecAgent - c:\windows\system32\drivers\recagent.sys <Not Verified; ; Modem>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 sbbotdi - c:\program files\speedbit video accelerator\sbbotdi.sys <Not Verified; SpeedBit Ltd.; Speedbit TDI Driver>
R3 Mtlmnt5 - c:\windows\system32\drivers\mtlmnt5.sys <Not Verified; ; Modem>
R3 Slntamr (SmartLink AMR_PCI Driver) - c:\windows\system32\drivers\slntamr.sys <Not Verified; ; Modem>
R3 SlWdmSup - c:\windows\system32\drivers\slwdmsup.sys <Not Verified; ; Modem>
R3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>

S0 szkg - c:\windows\system32\drivers\szkg.sys (file missing)
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - c:\windows\system32\drivers\alcxwdm.sys (file missing)
S3 EL910 (3Com 3CSOHO100B-TX PCI) - c:\windows\system32\drivers\el910n51.sys <Not Verified; 3Com Corporation; 3Com 3CSOHO100B-TX PCI>
S3 HTTP - c:\windows\system32\drivers\http.sys (file missing)
S3 ip6fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 Mtlstrm - c:\windows\system32\drivers\mtlstrm.sys <Not Verified; ; Modem>
S3 NtMtlFax - c:\windows\system32\drivers\ntmtlfax.sys <Not Verified; ; Modem>
S3 SlNtHal - c:\windows\system32\drivers\slnthal.sys <Not Verified; ; Modem>
S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt92>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 SLService (SmartLinkService) - slserv.exe <Not Verified; ; Modem>

S2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe (file missing)
S4 DomainService - c:\windows\system32\uvbpjngl.exe /service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_24D3&SUBSYS_24D01849&REV_02\3&267A616A&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_24D3&SUBSYS_24D01849&REV_02\3&267A616A&0&FB
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-29 19:19:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-08-03 and 2007-09-03 -----------------------------

2007-09-02 20:33:45 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-09-02 20:28:42 0 d------c- C:\VundoFix Backups
2007-09-02 16:21:56 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Start Menu
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\SendTo
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Recent
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\PrintHood
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NetHood
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Desktop
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\InterTrust
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Identities
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Help
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\CyberLink
2007-09-01 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-09-01 09:16:31 980375 ---hs---- C:\WINDOWS\System32\ttutv.ini2
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Templates
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\My Documents
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Local Settings
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Favorites
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Cookies
2007-08-31 17:51:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Roxio
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Microsoft
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Adobe
2007-08-31 17:51:24 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NTUSER.DAT
2007-08-31 17:46:21 988140 ---hs---- C:\WINDOWS\System32\ttutv.bak2
2007-08-31 14:32:43 6488 ---hs---- C:\WINDOWS\System32\ttutv.bak1
2007-08-31 13:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 13:34:48 0 d-------- C:\Documents and Settings\Sava\Application Data\WinTouch
2007-08-31 13:27:38 55516 --a------ C:\WINDOWS\System32\xpdx.sys
2007-08-31 13:27:26 43542 -----n--- C:\WINDOWS\System32\yayyxxy.dll
2007-08-31 13:15:51 0 d-------- C:\Program Files\Spyware Doctor
2007-08-31 13:15:51 0 d-------- C:\Documents and Settings\Sava\Application Data\PC Tools
2007-08-31 12:53:05 0 d-------- C:\WINDOWS\LastGood.Tmp
2007-08-31 12:37:17 0 d-------- C:\Documents and Settings\Sava\Application Data\Uniblue
2007-08-31 12:18:40 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-31 11:52:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site
2007-08-27 19:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2007-08-27 19:23:22 0 d-------- C:\Documents and Settings\Sava\Application Data\SpeedBit
2007-08-27 19:22:39 0 d-------- C:\Program Files\SpeedOptimizer
2007-08-27 19:11:47 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2007-08-27 19:11:46 0 d-------- C:\Program Files\AskPBar
2007-08-27 19:11:28 0 d-------- C:\Program Files\speed-bit
2007-08-27 19:09:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-27 19:08:53 50688 --a------ C:\WINDOWS\System32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-08-27 19:08:52 0 d-------- C:\Program Files\DAP
2007-08-23 10:06:06 0 d-------- C:\Program Files\Lavasoft
2007-08-23 10:06:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 21:21:30 0 d------c- C:\Downloads
2007-08-22 21:13:07 0 d-------- C:\Program Files\XviD
2007-08-19 19:20:30 0 d-------- C:\Program Files\XviD(2)
2007-08-18 03:47:40 6553600 --a------ C:\Documents and Settings\Sava\ntuser.dat
2007-08-08 09:22:33 0 d-------- C:\Program Files\InterActual


-- Find3M Report ---------------------------------------------------------------

2007-09-02 20:46:22 0 d-------- C:\Program Files\OpenOffice.org1.1.5
2007-09-02 16:22:04 0 d-------- C:\Program Files\SoftwareOnline
2007-09-01 18:05:12 0 d-------- C:\Program Files\SoftwareRevenue.org
2007-09-01 17:59:08 0 d-------- C:\Program Files\LimeWire
2007-08-31 13:35:30 10 --a------ C:\Program Files\.autoreg
2007-08-27 20:02:54 0 d-------- C:\Program Files\CoreCodec
2007-08-27 20:02:15 0 d-------- C:\Documents and Settings\Sava\Application Data\MP3Rocket
2007-08-23 10:06:04 0 d-------- C:\Documents and Settings\Sava\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-a------ C:\Program Files\Common Files
2007-08-22 21:13:07 0 d-------- C:\Program Files\DivX
2007-07-24 09:51:12 0 d-------- C:\Program Files\Java
2007-07-11 20:56:36 0 d-------- C:\Program Files\BearShare Applications
2007-07-11 20:51:22 0 d-------- C:\Program Files\Incomplete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
31/07/2007 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9DA920A3-262B-43D0-B97A-A427D43199DD}]
C:\WINDOWS\System32\ddayv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}]
31/08/2007 13:27 43542 --------- C:\WINDOWS\System32\yayyxxy.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspee.dll [31/07/2007 16:33 1391640]

[-HKEY_CLASSES_ROOT\CLSID\{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [14/08/2007 17:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [12/10/2005 18:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [15/11/2004 16:18]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [03/05/2007 17:43]
"@"="" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Sava\Start Menu\Programs\Startup\
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [12/07/2005 02:10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}"= C:\WINDOWS\System32\yayyxxy.dll [31/08/2007 13:27 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32]
winjyg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyxxy]
yayyxxy.dll 31/08/2007 13:27 43542 C:\WINDOWS\system32\yayyxxy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet Acceleration Patch]
C:\Documents and Settings\All Users\Start Menu\Programs\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Morpheus Download Booster]
C:\Program Files\Morpheus Download Booster\Morpheus Download Booster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]
"C:\Program Files\WhenUSearch\Search.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearchWHSE]
"C:\Program Files\WhenUSearch\whse.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3b20a80-9cf0-11db-ae79-806d6172696f}]
AutoRun\command- D:\install.EXE id= ver=1.0.0.0




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***
127.0.0.1 apps.deskwizz.com # ***Inserted By STOPzilla***
127.0.0.1 awmdabest.com # ***Inserted By STOPzilla***

166 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-09-03 10:48:14 ------------


Extra Txt

Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 510.8 MiB / 201.82 MiB
Pagefile Memory (total/avail): 1248.85 MiB / 387.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1968.41 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 31.44 GiB free.
D: is CDROM (UDF)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is CDROM (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST380012A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE1 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE2 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE3 - eM Bay Reader USB Device

\\.\PHYSICALDRIVE4 - eM Bay Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sava\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-92A7W51YBH
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sava
LOGONSERVER=\\YOUR-92A7W51YBH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\STOPzilla!;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sava\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sava\LOCALS~1\Temp
USERDOMAIN=YOUR-92A7W51YBH
USERNAME=Sava
USERPROFILE=C:\Documents and Settings\Sava
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sava (admin)
Administrator.YOUR-92A7W51YBH.000 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\BTBROA~1\Help\Uninstall.exe btbb
--> C:\PROGRA~1\ntl\BROADB~1\Uninstall.exe ntl
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{4468EF97-A253-4699-9E1C-88CAE2C6832D}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{47813E93-F2A0-484A-838E-47EC1B28D190}
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
AOL UK --> C:\Program Files\Common Files\aolshare\Aolunins_uk.exe
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskPBar\bar\1.bin\AskPBar.dll,O
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Avira AntiVir PersonalEdition Classic --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BigFix --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BitComet Acceleration Patch 3.6 --> "C:\Program Files\BitComet Acceleration Patch\unins000.exe"
Broadband Desktop Help --> C:\WINDOWS\Motive\btbb\MCCUninst.exe
broadband medic --> C:\WINDOWS\Motive\ntl\MCCUninst.exe
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
BT Yahoo! Applications --> C:\PROGRA~1\Yahoo!\Common\uninstall.exe
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
ComicRack v0.9.52 --> C:\Program Files\ComicRack\uninst.exe
Debugging Tools for Windows --> MsiExec.exe /I{5C741A01-05D6-4306-BA6A-DC8401285AE8}
DirectVobSub (remove only) --> "C:\Program Files\DirectVobSub\uninstall.exe"
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
Easy CD & DVD Creator 6 --> MsiExec.exe /I{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}
eMachines Bay Reader --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4DDF9CF9-9694-4B4F-93D3-0D8A0455D865}
F4L Setup --> MsiExec.exe /I{996859CA-18C5-4B5E-BA87-DA31F80269B6}
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
FM Modifier 2.11 --> MsiExec.exe /I{524302B7-E9A0-498A-896D-36C11C20D24F}
Football Manager 2007 --> C:\Documents and Settings\Sava\Desktop\Sava\uninstall\Uninstall FM 2007.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 1.99.1 --> C:\DOCUME~1\Sava\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe /uninstall
ieSpell 2.1.1 (build 325) --> "C:\Program Files\ieSpell\uninst.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
IsoBuster 1.8 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Lexmark X5100 Series --> C:\WINDOWS\System32\spool\drivers\w32x86\3\LXBAUN5C.EXE -dLexmark X5100 Series
Microsoft Money --> MsiExec.exe /I{1D643CD2-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money System Pack --> MsiExec.exe /I{8C64E149-54BA-11D6-91B1-00500462BE80}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSN Search Toolbar --> MsiExec.exe /X{BD23F73B-3A4A-43B4-BA66-B6FBA6C191AF}
Multimedia Keyboard Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF262740-C85A-11D5-BBEC-00D0B740900A}\Setup.exe" -l0x9
OpenOffice.org 1.1.5 --> C:\Program Files\OpenOffice.org1.1.5\program\setup.exe -deinstall
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Skype 1.3 --> "C:\Program Files\Skype\Phone\unins000.exe"
Smart Link 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
SopCast 1.1.2 --> C:\Program Files\SopCast\uninst.exe
SopCore 1.1.2 --> C:\Program Files\SopCast\uninst.exe
speed-bit Toolbar --> C:\PROGRA~1\SPEED-~1\UNWISE.EXE C:\PROGRA~1\SPEED-~1\INSTALL.LOG
SpeedBit Video Accelerator --> C:\PROGRA~1\SPEEDB~1\UNWISE.EXE C:\PROGRA~1\SPEEDB~1\INSTALL.LOG
SpeedOptimizer --> C:\PROGRA~1\SPEEDO~1\UNWISE.EXE C:\PROGRA~1\SPEEDO~1\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.0 --> C:\Program Files\Spyware Doctor\unins000.exe
SUPER © Version 2007.bld.21 (Jan 4, 2007) --> C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Synacast Plug-in 1.0.9.5 --> C:\Program Files\Common Files\Synacast\SynaLive\uninst.exe
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Ulead GIF Animator 5 ESD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8AF3E926-ED59-11D4-A44B-0000E86D2305}\Setup.exe"
Veoh Player --> C:\Program Files\InstallShield Installation Information\{3D5A72E1-1467-4199-8CF6-12DA8D502A6B}\setup.exe -runfromtemp -l0x0409
Version 1.0.4 --> "C:\Program Files\Football4Less Desktop Buddy\unins000.exe"
VideoLAN VLC media player 0.8.4 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VobSub v2.23 (Remove Only) --> "C:\Program Files\Gabest\VobSub\uninstall.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinTouch --> C:\Documents and Settings\Sava\Application Data\WinTouch\WTUninstaller.exe
WinUHA 2.0 RC1 (2005.02.27) --> "C:\Program Files\WinUHA\unins000.exe"
XviD MPEG-4 Video Codec --> "C:\Program Files\XviD\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type1219 / Warning
Event Submitted/Written: 09/03/2007 10:45:42 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\yayyxxy.dll

Event Record #/Type1218 / Warning
Event Submitted/Written: 09/03/2007 10:45:11 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\yayyxxy.dll

Event Record #/Type1217 / Warning
Event Submitted/Written: 09/03/2007 10:42:41 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\yayyxxy.dll

Event Record #/Type1216 / Warning
Event Submitted/Written: 09/03/2007 07:20:58 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Dldr.Agent.buo.1'
in the file
C:\System Volume Information\_restore{9127EF84-21FD-4B28-94F9-8C7EB5EC9E7C}\RP689\A0373104.exe

Event Record #/Type1215 / Warning
Event Submitted/Written: 09/03/2007 07:03:42 AM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\yayyxxy.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type52 / Error
Event Submitted/Written: 09/03/2007 10:45:38 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type51 / Warning
Event Submitted/Written: 09/03/2007 10:15:17 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type38 / Error
Event Submitted/Written: 09/02/2007 08:37:05 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
IKFileSec
szkg

Event Record #/Type36 / Error
Event Submitted/Written: 09/02/2007 08:37:05 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The SecuROM User Access Service (V7) service failed to start due to the following error:
%%2

Event Record #/Type18 / Error
Event Submitted/Written: 09/02/2007 08:19:23 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
IKFileSec
szkg



-- End of Deckard's System Scanner: finished at 2007-09-03 10:48:14 ------------



everytime i do anything, open a file or open IE, i get a pop up saying that i have this Trojen horse virus and it makes my PC work very slow. Hope that helps.
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX, thanks for all that. However it is easier on my eyes if you don't put the logs in quote boxes :whistling:

We still have a bit of work to do.

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Spyware Doctor's OnGuard protective functionality may interfere with certain HijackThis fixes we need to make. Please follow these instructions to disable it:

To deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

You can reenable it once your system is clean.


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\yayyxxy.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
  • Select "Add More Files?" from the menu that comes up.
  • This will open a new VundoFix window that says "Paste files into the boxes below:"
  • In that window, copy and paste the following file path in the first (top) field:
    C:\WINDOWS\System32\yayyxxy.dll <- (insert first file here with the full filepath like this example)
  • Click the 'Add Files' button.
  • Click the 'Close Window' button.
  • Click the 'Remove Vundo' button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.




Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@echo off
sc stop DomainService
sc delete DomainService
exit


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in FixService.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find FixService.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {9DA920A3-262B-43D0-B97A-A427D43199DD} - C:\WINDOWS\System32\ddayv.dll (file missing)
O2 - BHO: (no name) - {A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A} - C:\WINDOWS\system32\yayyxxy.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: vtutt - C:\WINDOWS\System32\
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\System32\winjyg32.dll (file missing)
O20 - Winlogon Notify: yayyxxy - C:\WINDOWS\System32\yayyxxy.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\uvbpjngl.exe /service


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Finally :

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\ttutv.ini2
    C:\WINDOWS\System32\ttutv.bak2
    C:\WINDOWS\System32\ttutv.bak1
    C:\WINDOWS\System32\xpdx.sys
    C:\WINDOWS\System32\yayyxxy.dll
    C:\WINDOWS\System32\uvbpjngl.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



So in your next reply I need to see the following : the SDFix report, the VundoFix text, a new DSS log, the OTMoveIt results, and tell me how your PC is running now and if you had any problems.
  • 0

#6
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
sorry about the quotes, i tried looking for C:\WINDOWS\system32\yayyxxy.dll but i couldnt find it, do i still continue with what you told me to do?
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes still continue on with the steps. VundoFix probably removed it.
  • 0

#8
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
i did everything you asked.

SDfix Report

SDFix: Version 1.101

Run by Sava on 03/09/2007 at 19:26

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService

ImagePath:
C:\WINDOWS\System32\uvbpjngl.exe /service

DomainService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service xpdx - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\xpdx.sys - Deleted


Folder C:\Documents and Settings\All Users\Documents\Settings - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\uk\shellext.dll
C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\flvDX.dll
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe
C:\Deckard\System Scanner\backup\DOCUME~1\Sava\LOCALS~1\Temp\$b17a2e8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\$b17a2e8.tmp
C:\Program Files\InterActual\InterActual Player\iti564.tmp
C:\WINDOWS\system32\ttutv.tmp

Finished


VundoFix Txt


undoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:28:42 02/09/2007

Listing files found while scanning....

C:\WINDOWS\System32\ddayv.dll
C:\WINDOWS\System32\vyadd.bak1
C:\WINDOWS\System32\vyadd.ini
C:\WINDOWS\System32\wlaotmwj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ddayv.dll
C:\WINDOWS\System32\ddayv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vyadd.bak1
C:\WINDOWS\System32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\vyadd.ini
C:\WINDOWS\System32\vyadd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 20:36:53 02/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 06:48:48 03/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 19:42:56 03/09/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...




OTMoveIt

C:\WINDOWS\System32\ttutv.ini2 moved successfully.
C:\WINDOWS\System32\ttutv.bak2 moved successfully.
C:\WINDOWS\System32\ttutv.bak1 moved successfully.
File/Folder C:\WINDOWS\System32\xpdx.sys not found.
File/Folder C:\WINDOWS\System32\yayyxxy.dll not found.
File/Folder C:\WINDOWS\System32\uvbpjngl.exe not found.

Created on 09/03/2007 19:57:57



DSS txt


Deckard's System Scanner v20070826.66
Run by Sava on 2007-09-03 20:00:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sava.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:00:46, on 03/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sava\Desktop\OTMoveIt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sava\Desktop\dss.exe
C:\DOCUME~1\Sava\Desktop\Sava.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://WWW.SUPERHEROHYPE.COM/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O20 - Winlogon Notify: vtutt - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PREVXAgent - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)


-- Files created between 2007-08-03 and 2007-09-03 -----------------------------

2007-09-03 19:25:03 0 d-------- C:\WINDOWS\ERUNT
2007-09-03 15:58:16 0 d-------- C:\Program Files\SmartPopupBlocker
2007-09-03 11:58:13 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Prevx
2007-09-03 11:27:02 0 d-------- C:\Documents and Settings\Sava\Application Data\Prevx
2007-09-03 11:26:00 0 d-------- C:\WINDOWS\LastGood
2007-09-03 11:25:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-03 11:24:59 0 d-------- C:\Program Files\Prevx2
2007-09-02 20:33:45 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-09-02 20:28:42 0 d------c- C:\VundoFix Backups
2007-09-02 16:21:56 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Start Menu
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\SendTo
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Recent
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\PrintHood
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NetHood
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Desktop
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\InterTrust
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Identities
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Help
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\CyberLink
2007-09-01 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Templates
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\My Documents
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Local Settings
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Favorites
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Cookies
2007-08-31 17:51:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Roxio
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Microsoft
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Adobe
2007-08-31 17:51:24 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NTUSER.DAT
2007-08-31 13:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 13:34:48 0 d-------- C:\Documents and Settings\Sava\Application Data\WinTouch
2007-08-31 13:15:51 0 d-------- C:\Program Files\Spyware Doctor
2007-08-31 13:15:51 0 d-------- C:\Documents and Settings\Sava\Application Data\PC Tools
2007-08-31 12:37:17 0 d-------- C:\Documents and Settings\Sava\Application Data\Uniblue
2007-08-31 12:18:40 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-31 11:52:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site
2007-08-27 19:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2007-08-27 19:23:22 0 d-------- C:\Documents and Settings\Sava\Application Data\SpeedBit
2007-08-27 19:22:39 0 d-------- C:\Program Files\SpeedOptimizer
2007-08-27 19:11:47 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2007-08-27 19:11:46 0 d-------- C:\Program Files\AskPBar
2007-08-27 19:11:28 0 d-------- C:\Program Files\speed-bit
2007-08-27 19:09:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-27 19:08:53 50688 --a------ C:\WINDOWS\System32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-08-27 19:08:52 0 d-------- C:\Program Files\DAP
2007-08-23 10:06:06 0 d-------- C:\Program Files\Lavasoft
2007-08-23 10:06:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 21:21:30 0 d------c- C:\Downloads
2007-08-22 21:13:07 0 d-------- C:\Program Files\XviD
2007-08-19 19:20:30 0 d-------- C:\Program Files\XviD(2)
2007-08-18 03:47:40 6553600 --a------ C:\Documents and Settings\Sava\ntuser.dat
2007-08-08 09:22:33 0 d-------- C:\Program Files\InterActual


-- Find3M Report ---------------------------------------------------------------

2007-09-03 19:39:49 0 d-------- C:\Program Files\OpenOffice.org1.1.5
2007-09-02 16:22:04 0 d-------- C:\Program Files\SoftwareOnline
2007-09-01 18:05:12 0 d-------- C:\Program Files\SoftwareRevenue.org
2007-09-01 17:59:08 0 d-------- C:\Program Files\LimeWire
2007-08-31 13:35:30 10 --a------ C:\Program Files\.autoreg
2007-08-27 20:02:54 0 d-------- C:\Program Files\CoreCodec
2007-08-27 20:02:15 0 d-------- C:\Documents and Settings\Sava\Application Data\MP3Rocket
2007-08-23 10:06:04 0 d-------- C:\Documents and Settings\Sava\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-a------ C:\Program Files\Common Files
2007-08-22 21:13:07 0 d-------- C:\Program Files\DivX
2007-07-24 09:51:12 0 d-------- C:\Program Files\Java
2007-07-11 20:56:36 0 d-------- C:\Program Files\BearShare Applications
2007-07-11 20:51:22 0 d-------- C:\Program Files\Incomplete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
31/07/2007 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspee.dll [31/07/2007 16:33 1391640]

[-HKEY_CLASSES_ROOT\CLSID\{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [29/08/2007 11:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [12/10/2005 18:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [15/11/2004 16:18]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [03/05/2007 17:43]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Sava\Start Menu\Programs\Startup\
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [12/07/2005 02:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet Acceleration Patch]
C:\Documents and Settings\All Users\Start Menu\Programs\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Morpheus Download Booster]
C:\Program Files\Morpheus Download Booster\Morpheus Download Booster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]
"C:\Program Files\WhenUSearch\Search.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearchWHSE]
"C:\Program Files\WhenUSearch\whse.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe




-- End of Deckard's System Scanner: finished at 2007-09-03 20:01:17 ------------

i'm not getting the popups anymore
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX, we are making good progress.

Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.

On the Management Console click the Protection Level drop-down menu.

You will see three levels:

Maximum

Off

User Defined


To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

Click the X on the upper right hand corner to exit the Management console. Once we are done cleaning up, you can repeat the steps setting the level this time to Maximum in order to reenable protection.




First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.



Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearch]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSearchWHSE]


Then double click on the fix.reg file, when it prompts to merge click "Yes".



Please run OTMoveIt by OldTimer again.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Save
    C:\Program Files\WhenUSearch
    C:\WINDOWS\system32\ttutv.tmp


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.


So in your next reply please post the following : a new DSS log, the OTMoveIt results, and tell me how your PC is running now and if you had any problems.
  • 0

#10
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OTMoveIt results

File/Folder C:\Program Files\Save not found.
File/Folder C:\Program Files\WhenUSearch not found.
C:\WINDOWS\system32\ttutv.tmp moved successfully.
File/Folder not found.
File/Folder not found.

Created on 09/04/2007 08:32:45


DSS log

Deckard's System Scanner v20070826.66
Run by Sava on 2007-09-04 08:34:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sava.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35:24, on 04/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\Documents and Settings\Sava\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sava.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://WWW.SUPERHEROHYPE.COM/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: vtutt - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)

--
End of file - 7698 bytes

-- Files created between 2007-08-04 and 2007-09-04 -----------------------------

2007-09-04 08:35:11 0 d-------- C:\Program Files\Trend Micro
2007-09-03 19:25:03 0 d-------- C:\WINDOWS\ERUNT
2007-09-03 15:58:16 0 d-------- C:\Program Files\SmartPopupBlocker
2007-09-03 11:58:13 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Prevx
2007-09-03 11:27:02 0 d-------- C:\Documents and Settings\Sava\Application Data\Prevx
2007-09-03 11:25:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-03 11:24:59 0 d-------- C:\Program Files\Prevx2
2007-09-02 20:33:45 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-09-02 20:28:42 0 d------c- C:\VundoFix Backups
2007-09-02 16:21:56 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Start Menu
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\SendTo
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Recent
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\PrintHood
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NetHood
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Desktop
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\InterTrust
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Identities
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Help
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\CyberLink
2007-09-01 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Templates
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\My Documents
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Local Settings
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Favorites
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Cookies
2007-08-31 17:51:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Roxio
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Microsoft
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Adobe
2007-08-31 17:51:24 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NTUSER.DAT
2007-08-31 13:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 13:34:48 0 d-------- C:\Documents and Settings\Sava\Application Data\WinTouch
2007-08-31 13:15:51 0 d-------- C:\Program Files\Spyware Doctor
2007-08-31 13:15:51 0 d-------- C:\Documents and Settings\Sava\Application Data\PC Tools
2007-08-31 12:37:17 0 d-------- C:\Documents and Settings\Sava\Application Data\Uniblue
2007-08-31 12:18:40 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-31 11:52:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site
2007-08-27 19:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2007-08-27 19:23:22 0 d-------- C:\Documents and Settings\Sava\Application Data\SpeedBit
2007-08-27 19:22:39 0 d-------- C:\Program Files\SpeedOptimizer
2007-08-27 19:11:47 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2007-08-27 19:11:46 0 d-------- C:\Program Files\AskPBar
2007-08-27 19:11:28 0 d-------- C:\Program Files\speed-bit
2007-08-27 19:09:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-27 19:08:53 50688 --a------ C:\WINDOWS\System32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-08-27 19:08:52 0 d-------- C:\Program Files\DAP
2007-08-23 10:06:06 0 d-------- C:\Program Files\Lavasoft
2007-08-23 10:06:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 21:21:30 0 d------c- C:\Downloads
2007-08-22 21:13:07 0 d-------- C:\Program Files\XviD
2007-08-19 19:20:30 0 d-------- C:\Program Files\XviD(2)
2007-08-18 03:47:40 6553600 --a------ C:\Documents and Settings\Sava\ntuser.dat
2007-08-08 09:22:33 0 d-------- C:\Program Files\InterActual


-- Find3M Report ---------------------------------------------------------------

2007-09-04 08:26:29 0 d-------- C:\Program Files\OpenOffice.org1.1.5
2007-09-02 16:22:04 0 d-------- C:\Program Files\SoftwareOnline
2007-09-01 18:05:12 0 d-------- C:\Program Files\SoftwareRevenue.org
2007-09-01 17:59:08 0 d-------- C:\Program Files\LimeWire
2007-08-31 13:35:30 10 --a------ C:\Program Files\.autoreg
2007-08-27 20:02:54 0 d-------- C:\Program Files\CoreCodec
2007-08-27 20:02:15 0 d-------- C:\Documents and Settings\Sava\Application Data\MP3Rocket
2007-08-23 10:06:04 0 d-------- C:\Documents and Settings\Sava\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-a------ C:\Program Files\Common Files
2007-08-22 21:13:07 0 d-------- C:\Program Files\DivX
2007-07-24 09:51:12 0 d-------- C:\Program Files\Java
2007-07-11 20:56:36 0 d-------- C:\Program Files\BearShare Applications
2007-07-11 20:51:22 0 d-------- C:\Program Files\Incomplete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
31/07/2007 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspee.dll [31/07/2007 16:33 1391640]

[-HKEY_CLASSES_ROOT\CLSID\{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [29/08/2007 11:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [12/10/2005 18:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [15/11/2004 16:18]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [03/05/2007 17:43]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Sava\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20/10/2005 12:04:08]
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [12/07/2005 02:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet Acceleration Patch]
C:\Documents and Settings\All Users\Start Menu\Programs\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Morpheus Download Booster]
C:\Program Files\Morpheus Download Booster\Morpheus Download Booster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe




-- End of Deckard's System Scanner: finished at 2007-09-04 08:35:53 ------------


my PC is still not back to normal, i tried a system restore but it wouldnt let me. Its slow too.
  • 0

Advertisements


#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX

Please don't do a System Restore, you have more than likely re-infected yourself now. Often your type of infection takes a few posts to fully remove as it is rather nasty, so hang in there and we will get rid of it.


Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.

On the Management Console click the Protection Level drop-down menu.

You will see three levels:

Maximum

Off

User Defined


To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

Click the X on the upper right hand corner to exit the Management console. Once we are done cleaning up, you can repeat the steps setting the level this time to Maximum in order to reenable protection.



1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O20 - Winlogon Notify: vtutt - C:\WINDOWS\

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please run OTMoveIt by OldTimer again.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\vtutt.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



Next download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

So in your next reply I need to see the following : a new DSS log, the OTMoveIt results, the AVG anti-spyware report, and tell me how your PC is running now.
  • 0

#12
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
i didnt get a report from AVG, i did everything you said but i didnt get anything at the end


Deckard's System Scanner v20070826.66
Run by Sava on 2007-09-05 15:25:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sava.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35:24, on 04/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\Documents and Settings\Sava\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sava.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://WWW.SUPERHEROHYPE.COM/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: vtutt - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)

--
End of file - 7698 bytes

-- Files created between 2007-08-05 and 2007-09-05 -----------------------------

2007-09-04 19:33:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-04 08:35:11 0 d-------- C:\Program Files\Trend Micro
2007-09-03 19:25:03 0 d-------- C:\WINDOWS\ERUNT
2007-09-03 15:58:16 0 d-------- C:\Program Files\SmartPopupBlocker
2007-09-03 11:58:13 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Prevx
2007-09-03 11:27:02 0 d-------- C:\Documents and Settings\Sava\Application Data\Prevx
2007-09-03 11:25:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-03 11:24:59 0 d-------- C:\Program Files\Prevx2
2007-09-02 20:33:45 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-09-02 20:28:42 0 d------c- C:\VundoFix Backups
2007-09-02 16:21:56 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Start Menu
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\SendTo
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Recent
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\PrintHood
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NetHood
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Desktop
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\InterTrust
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Identities
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Help
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\CyberLink
2007-09-01 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Templates
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\My Documents
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Local Settings
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Favorites
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Cookies
2007-08-31 17:51:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Roxio
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Microsoft
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Adobe
2007-08-31 17:51:24 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NTUSER.DAT
2007-08-31 13:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 13:34:48 0 d-------- C:\Documents and Settings\Sava\Application Data\WinTouch
2007-08-31 13:15:51 0 d-------- C:\Program Files\Spyware Doctor
2007-08-31 13:15:51 0 d-------- C:\Documents and Settings\Sava\Application Data\PC Tools
2007-08-31 12:37:17 0 d-------- C:\Documents and Settings\Sava\Application Data\Uniblue
2007-08-31 12:18:40 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-31 11:52:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site
2007-08-27 19:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2007-08-27 19:23:22 0 d-------- C:\Documents and Settings\Sava\Application Data\SpeedBit
2007-08-27 19:22:39 0 d-------- C:\Program Files\SpeedOptimizer
2007-08-27 19:11:47 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2007-08-27 19:11:46 0 d-------- C:\Program Files\AskPBar
2007-08-27 19:11:28 0 d-------- C:\Program Files\speed-bit
2007-08-27 19:09:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-27 19:08:53 50688 --a------ C:\WINDOWS\System32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-08-27 19:08:52 0 d-------- C:\Program Files\DAP
2007-08-23 10:06:06 0 d-------- C:\Program Files\Lavasoft
2007-08-23 10:06:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 21:21:30 0 d------c- C:\Downloads
2007-08-22 21:13:07 0 d-------- C:\Program Files\XviD
2007-08-19 19:20:30 0 d-------- C:\Program Files\XviD(2)
2007-08-18 03:47:40 6553600 --a------ C:\Documents and Settings\Sava\ntuser.dat
2007-08-08 09:22:33 0 d-------- C:\Program Files\InterActual


-- Find3M Report ---------------------------------------------------------------

2007-09-05 06:33:27 0 d-------- C:\Program Files\OpenOffice.org1.1.5
2007-09-02 16:22:04 0 d-------- C:\Program Files\SoftwareOnline
2007-09-01 18:05:12 0 d-------- C:\Program Files\SoftwareRevenue.org
2007-09-01 17:59:08 0 d-------- C:\Program Files\LimeWire
2007-08-31 13:35:30 10 --a------ C:\Program Files\.autoreg
2007-08-27 20:02:54 0 d-------- C:\Program Files\CoreCodec
2007-08-27 20:02:15 0 d-------- C:\Documents and Settings\Sava\Application Data\MP3Rocket
2007-08-23 10:06:04 0 d-------- C:\Documents and Settings\Sava\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-a------ C:\Program Files\Common Files
2007-08-22 21:13:07 0 d-------- C:\Program Files\DivX
2007-07-24 09:51:12 0 d-------- C:\Program Files\Java
2007-07-11 20:56:36 0 d-------- C:\Program Files\BearShare Applications
2007-07-11 20:51:22 0 d-------- C:\Program Files\Incomplete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
31/07/2007 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspee.dll [31/07/2007 16:33 1391640]

[-HKEY_CLASSES_ROOT\CLSID\{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [29/08/2007 11:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [04/09/2007 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [12/10/2005 18:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [15/11/2004 16:18]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [03/05/2007 17:43]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Sava\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20/10/2005 12:04:08]
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [12/07/2005 02:10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet Acceleration Patch]
C:\Documents and Settings\All Users\Start Menu\Programs\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Morpheus Download Booster]
C:\Program Files\Morpheus Download Booster\Morpheus Download Booster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe




-- End of Deckard's System Scanner: finished at 2007-09-05 15:26:26 ------------



OTMoveIt results

File/Folder C:\WINDOWS\system32\vtutt.dll not found.

Created on 09/04/2007 19:23:55


now i'm getting pop ups of files in Sound and volume information, i got two didfferent popups now, one is called "TR/Dldr.Agent.22016.4", the second is "TR/Spy.Alexa.A"
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX

We need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt]

Then double click on the fix.reg file, when it prompts to merge click "Yes".


Please run OTMoveIt by OldTimer again.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\vtutt.dll

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.



* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

So in your next reply please post the following : a new DSS log, the OTMoveIt results, the Dr. Web Cureit report, and tell me how your PC is running now and if you had any problems.
  • 0

#14
XXSavaXX

XXSavaXX

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
sorry for the late reply


Deckard's System Scanner v20070826.66
Run by Sava on 2007-09-07 15:33:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Sava.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:35, on 07/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx2\PXConsole.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Sava\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Sava.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearsh...ar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearsh...ar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HTTP://WWW.SUPERHEROHYPE.COM/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: speed-bit Toolbar - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - C:\Program Files\speed-bit\tbspee.dll
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/229?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB2.05.0001.1119\en-gb\msntabres.dll/230?be73083ee7ac479fa776bfb480fc3aba
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 8147 bytes

-- Files created between 2007-08-07 and 2007-09-07 -----------------------------

2007-09-07 13:37:31 0 d-------- C:\Documents and Settings\Sava\DoctorWeb
2007-09-04 19:33:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-04 08:35:11 0 d-------- C:\Program Files\Trend Micro
2007-09-03 19:25:03 0 d-------- C:\WINDOWS\ERUNT
2007-09-03 15:58:16 0 d-------- C:\Program Files\SmartPopupBlocker
2007-09-03 11:58:13 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Prevx
2007-09-03 11:27:02 0 d-------- C:\Documents and Settings\Sava\Application Data\Prevx
2007-09-03 11:25:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-03 11:24:59 0 d-------- C:\Program Files\Prevx2
2007-09-02 20:33:45 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-09-02 20:28:42 0 d------c- C:\VundoFix Backups
2007-09-02 16:21:56 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Start Menu
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\SendTo
2007-09-02 16:21:56 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Recent
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\PrintHood
2007-09-02 16:21:56 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NetHood
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Desktop
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\InterTrust
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Identities
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Help
2007-09-02 16:21:56 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\CyberLink
2007-09-01 16:46:41 0 d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Templates
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\My Documents
2007-08-31 17:51:25 0 d--h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Local Settings
2007-08-31 17:51:25 0 dr------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Favorites
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Cookies
2007-08-31 17:51:25 0 dr-h----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Roxio
2007-08-31 17:51:25 0 d---s---- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Microsoft
2007-08-31 17:51:25 0 d-------- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\Application Data\Adobe
2007-08-31 17:51:24 1048576 --ah----- C:\Documents and Settings\Administrator.YOUR-92A7W51YBH.000\NTUSER.DAT
2007-08-31 13:56:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-31 13:34:48 0 d-------- C:\Documents and Settings\Sava\Application Data\WinTouch
2007-08-31 13:15:51 0 d-------- C:\Program Files\Spyware Doctor
2007-08-31 13:15:51 0 d-------- C:\Documents and Settings\Sava\Application Data\PC Tools
2007-08-31 12:37:17 0 d-------- C:\Documents and Settings\Sava\Application Data\Uniblue
2007-08-31 12:18:40 0 d-------- C:\Program Files\Debugging Tools for Windows
2007-08-31 11:52:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Grid Blue Memo Site
2007-08-27 19:23:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SpeedBit
2007-08-27 19:23:22 0 d-------- C:\Documents and Settings\Sava\Application Data\SpeedBit
2007-08-27 19:22:39 0 d-------- C:\Program Files\SpeedOptimizer
2007-08-27 19:11:47 0 d-------- C:\Program Files\SpeedBit Video Accelerator
2007-08-27 19:11:46 0 d-------- C:\Program Files\AskPBar
2007-08-27 19:11:28 0 d-------- C:\Program Files\speed-bit
2007-08-27 19:09:10 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-08-27 19:08:53 50688 --a------ C:\WINDOWS\System32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>
2007-08-27 19:08:52 0 d-------- C:\Program Files\DAP
2007-08-23 10:06:06 0 d-------- C:\Program Files\Lavasoft
2007-08-23 10:06:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-22 21:21:30 0 d------c- C:\Downloads
2007-08-22 21:13:07 0 d-------- C:\Program Files\XviD
2007-08-19 19:20:30 0 d-------- C:\Program Files\XviD(2)
2007-08-18 03:47:40 6553600 --a------ C:\Documents and Settings\Sava\ntuser.dat
2007-08-08 09:22:33 0 d-------- C:\Program Files\InterActual


-- Find3M Report ---------------------------------------------------------------

2007-09-07 15:21:38 0 d-------- C:\Program Files\OpenOffice.org1.1.5
2007-09-02 16:22:04 0 d-------- C:\Program Files\SoftwareOnline
2007-09-01 18:05:12 0 d-------- C:\Program Files\SoftwareRevenue.org
2007-09-01 17:59:08 0 d-------- C:\Program Files\LimeWire
2007-08-31 13:35:30 10 --a------ C:\Program Files\.autoreg
2007-08-27 20:02:54 0 d-------- C:\Program Files\CoreCodec
2007-08-27 20:02:15 0 d-------- C:\Documents and Settings\Sava\Application Data\MP3Rocket
2007-08-23 10:06:04 0 d-------- C:\Documents and Settings\Sava\Application Data\Lavasoft
2007-08-23 10:05:26 0 d-a------ C:\Program Files\Common Files
2007-08-22 21:13:07 0 d-------- C:\Program Files\DivX
2007-07-24 09:51:12 0 d-------- C:\Program Files\Java
2007-07-11 20:56:36 0 d-------- C:\Program Files\BearShare Applications
2007-07-11 20:51:22 0 d-------- C:\Program Files\Incomplete


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
31/07/2007 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= C:\Program Files\speed-bit\tbspee.dll [31/07/2007 16:33 1391640]

[-HKEY_CLASSES_ROOT\CLSID\{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [29/08/2007 11:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 09:41]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [04/09/2007 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [12/10/2005 18:13]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [15/11/2004 16:18]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [03/05/2007 17:43]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\Sava\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [20/10/2005 12:04:08]
OpenOffice.org 1.1.5.lnk - C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe [12/07/2005 02:10:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= :\WINDOW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Sava^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Sava\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet Acceleration Patch]
C:\Documents and Settings\All Users\Start Menu\Programs\BitComet Acceleration Patch\BitComet Acceleration Patch.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ML1HelperStartUp]
C:\PROGRA~1\MIDNIG~1\ML1HEL~1.EXE /partner ML1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Morpheus Download Booster]
C:\Program Files\Morpheus Download Booster\Morpheus Download Booster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\eMachines Bay Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workflow]
D:\Workflow.exe




-- End of Deckard's System Scanner: finished at 2007-09-07 15:34:10 ------------



File/Folder C:\WINDOWS\system32\vtutt.dll not found.
File/Folder not found.
File/Folder not found.

Created on 09/07/2007 13:29:41

i havent gotten the popups since the restart.





Accelerator.dll;C:\Deckard\System Scanner\20070903200032\backup\DOCUME~1\Sava\LOCALS~1\Temp\SAINST;Probably DLOADER.Trojan;;
Jeans_ARR_1998_ColumbusColumbus.mp3;C:\Documents and Settings\Sava\Desktop\Sava\Songs\Tamil songs\AR_Rahman_Collection\1998\Jeans;Modification of Lust.258;Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;;
SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;;
Accelerator.dll;C:\Program Files\SpeedBit Video Accelerator;Probably DLOADER.Trojan;;
HPFix.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
HPFix2.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0382899.reg;C:\System Volume Information\_restore{9127EF84-21FD-4B28-94F9-8C7EB5EC9E7C}\RP699;Trojan.StartPage.1505;Deleted.;
A0382900.reg;C:\System Volume Information\_restore{9127EF84-21FD-4B28-94F9-8C7EB5EC9E7C}\RP699;Trojan.StartPage.1505;Deleted.;
  • 0

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello XXSavaXX, your logs are looking good ! We need to do a few little things

You can delete the following tools that we used
  • VundoFix.exe
  • DSS.exe
  • SDFix.exe
Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.

On the Management Console click the Protection Level drop-down menu.

You will see three levels:

Maximum

Off

User Defined


To re-enable all protection, check "Max" and set the level to On. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.

Click the X on the upper right hand corner to exit the Management console.



Please go to Start > Control Panel > Add or Remove Programs > Remove

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ SE Runtime Environment 6 Update 1



I see you have Viewpoint Manager installed on your PC

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com.../readstep2.html



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Some good free firewalls are ZoneAlarm, Comodo, or
Outpost
Make sure you only use one firewall though. A tutorial on understanding and using firewalls may be found here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

Edited by Rorschach112, 07 September 2007 - 08:53 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP