Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"etlrlws" [CLOSED]

Started by benh1984 , Mar 15 2008 01:53 AM

  • This topic is locked This topic is locked

#1
benh1984
Posted 15 March 2008 - 01:53 AM

benh1984

    Member

  • Member
  • PipPip
  • 31 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:02 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS1\System32\lvhidsvc.exe
C:\WINDOWS1\system32\slserv.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\system32\wscntfy.exe
C:\WINDOWS1\System32\hkcmd.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS1\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS1\drnpfdxkfw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS1\IECodecPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF} - C:\WINDOWS1\etlrlws.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS1\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS1\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS1\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Workflow] E:\Install\Workflow.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Setup Initialization] rundll32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] rundll32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182808906437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182808892296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ad...ash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...upv2.0.0.10.cab?
O21 - SSODL: altvxvm - {4FB6683F-1B09-43E9-AC4F-F995DAB0246F} - C:\WINDOWS1\altvxvm.dll
O21 - SSODL: bokpkov - {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6} - C:\WINDOWS1\bokpkov.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS1\System32\lvhidsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS1\SYSTEM32\slserv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS1\privacy_danger\index.htm

--
End of file - 8543 bytes
  • 0

Advertisements

#2
sage5
Posted 15 March 2008 - 06:59 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi benh1984,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
SmitfraudFix (by S!Ri)
Deckard's System Scanner
OTMoveIt2 by OldTimer.


Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt, extra.txt & C:\rapport.txtin your next reply.



Cheers,

sage5

Edited by sage5, 15 March 2008 - 07:03 AM.

  • 0

#3
benh1984
Posted 15 March 2008 - 11:27 AM

benh1984

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thank you for your reply sage5 here are those txt files

SmitFraudFix v2.304

Scan done at 11:22:00.40, Sat 03/15/2008
Run from C:\Documents and Settings\ben\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS1\System32\lvhidsvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\system32\wscntfy.exe
C:\WINDOWS1\System32\hkcmd.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS1\system32\cmd.exe
C:\WINDOWS1\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS1

C:\WINDOWS1\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS1\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS1\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS1\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS1\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ben


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ben\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ben\FAVORI~1

C:\DOCUME~1\ben\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\ben\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\ben\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ben\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\ben\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\ben\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS1\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: drnpfdxkfw.dll
BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0}
TypeLib: {31E6DEDD-03C3-460D-9E17-D2716BD2AC17}
Interface: {3CEE686E-43BD-40A1-B791-BACD67486E6C}
Interface: {4C117776-CEEB-403D-9DBF-5997A88B260D}

[!] Suspicious: etlrlws.dll
Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF}
TypeLib: {0014B5E5-E576-4C52-8F03-FA32788FF7CC}
Interface: {29A4EC4B-1078-43A1-A0EF-0477C356CCE8}
Classe: etlrlws.bltm
Classe: etlrlws.ToolBar.1

[!] Suspicious: altvxvm.dll
SSODL: altvxvm - {4FB6683F-1B09-43E9-AC4F-F995DAB0246F}

[!] Suspicious: bokpkov.dll
SSODL: bokpkov - {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 172.16.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDC11AC8-6678-4E32-84D8-57BA9ACE5A73}: DhcpNameServer=172.16.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BDC11AC8-6678-4E32-84D8-57BA9ACE5A73}: DhcpNameServer=172.16.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDC11AC8-6678-4E32-84D8-57BA9ACE5A73}: DhcpNameServer=172.16.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.16.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Deckard's System Scanner v20071014.68
Run by ben on 2008-03-15 11:23:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 247 MiB (512 MiB recommended).
System Drive C: has 3.37 GiB (less than 15%) free.


-- HijackThis (run as ben.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:48 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS1\System32\lvhidsvc.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\Explorer.EXE
C:\WINDOWS1\system32\wscntfy.exe
C:\WINDOWS1\System32\hkcmd.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS1\System32\wbem\wmiprvse.exe
C:\WINDOWS1\System32\wbem\wmiprvse.exe
C:\Documents and Settings\ben\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ben.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS1\drnpfdxkfw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS1\IECodecPlg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF} - C:\WINDOWS1\etlrlws.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS1\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS1\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS1\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Workflow] E:\Install\Workflow.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Setup Initialization] rundll32.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] rundll32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1182808906437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1182808892296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ad...ash/swflash.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnime...upv2.0.0.10.cab?
O21 - SSODL: altvxvm - {4FB6683F-1B09-43E9-AC4F-F995DAB0246F} - C:\WINDOWS1\altvxvm.dll
O21 - SSODL: bokpkov - {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6} - C:\WINDOWS1\bokpkov.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS1\System32\lvhidsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Unknown owner - C:\Program Files\Intel\NCS\Sync\NetSvc.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS1\SYSTEM32\slserv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS1\privacy_danger\index.htm

--
End of file - 8630 bytes

-- Files created between 2008-02-15 and 2008-03-15 -----------------------------

2008-03-15 11:21:47 25600 --a------ C:\WINDOWS1\system32\WS2Fix.exe
2008-03-15 11:21:47 289144 --a------ C:\WINDOWS1\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-15 11:21:47 86528 --a------ C:\WINDOWS1\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-15 11:21:47 288417 --a------ C:\WINDOWS1\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-15 11:21:47 53248 --a------ C:\WINDOWS1\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-15 11:21:47 82432 --a------ C:\WINDOWS1\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-15 11:21:47 51200 --a------ C:\WINDOWS1\system32\dumphive.exe
2008-03-15 01:49:04 0 d-------- C:\Program Files\Trend Micro
2008-03-15 01:46:18 0 d-------- C:\WINDOWS1\system32\ActiveScan
2008-03-15 01:34:28 0 d-------- C:\Program Files\Enigma Software Group
2008-03-14 22:12:16 0 d-------- C:\WINDOWS1\privacy_danger
2008-03-14 16:25:52 98304 --a------ C:\WINDOWS1\fmsxwqs.exe
2008-03-14 16:25:52 172032 --a------ C:\WINDOWS1\etlrlws.dll
2008-03-14 16:25:52 221184 --a------ C:\WINDOWS1\drnpfdxkfw.dll
2008-03-14 16:25:52 221184 --a------ C:\WINDOWS1\bokpkov.dll
2008-03-14 16:25:52 208896 --a------ C:\WINDOWS1\altvxvm.dll
2008-03-11 10:13:42 0 d-------- C:\Documents and Settings\ben\Application Data\Yahoo!
2008-03-11 10:04:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-11 10:02:47 0 d-------- C:\Program Files\Yahoo!
2008-03-08 20:00:21 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-08 20:00:00 0 d-------- C:\Program Files\Windows Live
2008-03-08 19:59:39 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-07 22:24:52 0 d-------- C:\Program Files\Common Files\xing shared


-- Find3M Report ---------------------------------------------------------------

2008-03-15 11:22:07 3114 --a------ C:\WINDOWS1\system32\tmp.reg
2008-03-14 18:01:18 0 d-------- C:\Documents and Settings\ben\Application Data\gtk-2.0
2008-03-14 16:09:25 0 d-------- C:\Documents and Settings\ben\Application Data\LimeWire
2008-03-08 20:00:21 0 d-------- C:\Program Files\Common Files
2008-03-08 16:15:17 0 d-------- C:\Documents and Settings\ben\Application Data\uTorrent
2008-03-07 22:23:36 0 d-------- C:\Program Files\Real
2008-03-07 22:21:23 0 d-------- C:\Program Files\Common Files\Real
2008-03-06 20:00:39 0 d-------- C:\Documents and Settings\ben\Application Data\Real
2008-02-25 15:15:24 0 d-------- C:\Documents and Settings\ben\Application Data\Macromedia
2008-02-14 08:33:24 0 d-------- C:\Program Files\LimeWire
2008-02-06 17:05:26 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-05 00:56:16 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-23 23:56:48 0 d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-20 20:30:27 0 d-------- C:\Documents and Settings\ben\Application Data\U3
2008-01-20 17:10:51 0 d-------- C:\Documents and Settings\ben\Application Data\FarStone
2008-01-20 17:07:58 0 --a------ C:\WINDOWS1\system32\FSDataSvr.sys
2008-01-20 17:07:06 5501 --a------ C:\WINDOWS1\system32\dptlcg32.dll
2008-01-20 17:04:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-20 17:04:04 0 d-------- C:\Program Files\temp
2008-01-19 16:06:02 0 d-------- C:\Program Files\GIMP-2.0
2008-01-17 09:30:42 0 d-------- C:\Documents and Settings\ben\Application Data\WinRAR


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0}]
03/14/2008 12:19 PM 221184 --a------ C:\WINDOWS1\drnpfdxkfw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA13D72F-2DAC-4D99-B08D-C5EA1C920E89}]
12/01/2005 05:39 PM 113152 --a------ C:\WINDOWS1\IECodecPlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS1\System32\igfxtray.exe" [03/11/2003 09:24 AM]
"HotKeysCmds"="C:\WINDOWS1\System32\hkcmd.exe" [03/11/2003 09:11 AM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" []
"RecSche"="C:\Program Files\TVR\RecSche.exe" [05/09/2004 08:34 PM]
"WinDVRCtrl"="C:\WINDOWS1\WDVRCtrl.exe" []
"ScanRegistry"="C:\W" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/2007 06:41 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 01:00 AM]
"Workflow"="E:\Install\Workflow.exe" []
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [03/26/2003 09:15 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06/28/2007 06:14 AM]
"Microsoft Setup Initialization"="rundll32.exe" [08/03/2004 09:56 PM C:\WINDOWS1\system32\rundll32.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/07/2008 10:16 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [01/23/2008 02:47 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Setup Initialization"=rundll32.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS1\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"altvxvm"= {4FB6683F-1B09-43E9-AC4F-F995DAB0246F} - C:\WINDOWS1\altvxvm.dll [03/14/2008 12:19 PM 208896]
"bokpkov"= {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6} - C:\WINDOWS1\bokpkov.dll [03/14/2008 12:19 PM 221184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{935b3954-c725-11dc-907c-0007e9434a91}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{935b3976-c725-11dc-907c-0007e9434a91}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-03-15 11:24:19 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 246.73 MiB / 84.61 MiB
Pagefile Memory (total/avail): 605.89 MiB / 378.95 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.26 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 3.38 GiB free.
D: is CDROM (No Media)
E: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\ben\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\ben\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS1\\system32\\rundll32.exe"="C:\\WINDOWS1\\system32\\rundll32.exe:*:Disabled:rundll32"
"C:\\WINDOWS1\\system32\\system.exe"="C:\\WINDOWS1\\system32\\system.exe:*:Enabled:system"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ben\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BEN-1C232D19C92
ComSpec=C:\WINDOWS1\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ben
LOGONSERVER=\\BEN-1C232D19C92
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS1\system32;C:\WINDOWS1;C:\WINDOWS1\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Adaptec Shared\System;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS1
TEMP=C:\DOCUME~1\ben\LOCALS~1\Temp
TMP=C:\DOCUME~1\ben\LOCALS~1\Temp
USERDOMAIN=BEN-1C232D19C92
USERNAME=ben
USERPROFILE=C:\Documents and Settings\ben
windir=C:\WINDOWS1


-- User Profiles ---------------------------------------------------------------

ben (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS1\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /X{46AC899A-9ECB-43DC-85DE-272E0D116A1E}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS1\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS1\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{8FC46258-0843-4D79-B7F0-F2B82FE6173B}
Apple Software Update --> MsiExec.exe /I{A260B422-70E1-41E2-957D-F76FA21266D5}
AVI Movie Player --> C:\Program Files\AVI Movie Player\uninstall.exe
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
Gateway Drivers and Applications Recovery --> C:\Program Files\Gateway\HPA\GWMenu.exe UNINSTALL
GIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GTK+ 2.10.13 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS1\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet --> MsiExec.exe /I{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}
InterVideo AVControlSDK --> "C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe"
InterVideo DeviceService --> MsiExec.exe /I{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}
iTunes --> MsiExec.exe /I{85B90D8C-70F3-4E84-BD31-5E9489C0F9FB}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kate's Video Converter 3.0.2 --> "C:\Program Files\Kate's Video Converter\unins000.exe"
LimeWire 4.16.4 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS1\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS1\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
Smart Link 56K Modem --> C:\WINDOWS1\Modio\SLAMR2KO\Setup.exe /Remove
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyHunter --> "C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
TVR --> C:\Program Files\TVR\Uninstal.EXE
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS1\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2641 / Error
Event Submitted/Written: 03/15/2008 11:16:01 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2638 / Success
Event Submitted/Written: 03/15/2008 11:10:42 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2620 / Success
Event Submitted/Written: 03/14/2008 05:33:05 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2601 / Success
Event Submitted/Written: 03/14/2008 04:19:05 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2557 / Success
Event Submitted/Written: 03/12/2008 05:01:27 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2037 / Error
Event Submitted/Written: 03/15/2008 11:17:38 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type2035 / Error
Event Submitted/Written: 03/15/2008 11:12:36 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460

Event Record #/Type2012 / Error
Event Submitted/Written: 03/15/2008 11:07:11 AM / 03/15/2008 11:07:41 AM
Event ID/Source: 4311 / NetBT
Event Description:
Initialization failed because the driver device could not be created.

Event Record #/Type2011 / Error
Event Submitted/Written: 03/15/2008 11:07:11 AM / 03/15/2008 11:07:41 AM
Event ID/Source: 4311 / NetBT
Event Description:
Initialization failed because the driver device could not be created.

Event Record #/Type2010 / Error
Event Submitted/Written: 03/15/2008 11:07:11 AM / 03/15/2008 11:07:41 AM
Event ID/Source: 4311 / NetBT
Event Description:
Initialization failed because the driver device could not be created.



-- End of Deckard's System Scanner: finished at 2008-03-15 11:18:58 ------------
  • 0

#4
sage5
Posted 15 March 2008 - 05:44 PM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi benh1984,

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below: (if present:)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: GNX Rolex - {1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0} - C:\WINDOWS1\drnpfdxkfw.dll
O2 - BHO: CIEObjectObj Object - {CA13D72F-2DAC-4D99-B08D-C5EA1C920E89} - C:\WINDOWS1\IECodecPlg.dll
O3 - Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF} - C:\WINDOWS1\etlrlws.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunServices: [Microsoft Setup Initialization] rundll32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O21 - SSODL: altvxvm - {4FB6683F-1B09-43E9-AC4F-F995DAB0246F} - C:\WINDOWS1\altvxvm.dll
O21 - SSODL: bokpkov - {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6} - C:\WINDOWS1\bokpkov.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS1\privacy_danger\index.htm
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


I see you have µTorrent & LimeWire installed on your system.
While these programs themselves are legal, most of the files downloaded with them, are not.
These programs can also be some of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling µTorrent & LimeWire as outlined below.

I see that you have SpyHunter installed:
See quote from Spyware Warrior

Note on Enigma SpyHunter: Enigma's SpyHunter anti-spyware application was listed on this page primarily because of the company's history of employing aggressive, deceptive advertising (1, 2, 3, 4, 5). The company was also known for exploiting the name "spybot" in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.

Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the "spybot" domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).

While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users' PCs (1), we can no longer classify this application as "rogue/suspect." Nonetheless, SpyHunter -- at least in its current state -- cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize (1). Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.


I would recommend that you uninstall SpyHunter and get a better, free Anti-Spyware application.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    µTorrent
    LimeWire 4.16.4
    SpyHunter
    Please take note of any other programs that you don't recognise in that list, and include them in your next response
  • We will remove the files and folders in one hit below:

Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS1\drnpfdxkfw.dll
C:\WINDOWS1\IECodecPlg.dl
C:\WINDOWS1\etlrlws.dll
C:\WINDOWS1\altvxvm.dll
C:\WINDOWS1\bokpkov.dll
C:\WINDOWS1\fmsxwqs.exe
C:\WINDOWS1\system32\FSDataSvr.sys
C:\WINDOWS1\system32\dptlcg32.dll
C:\Program Files\Enigma Software Group
C:\WINDOWS1\privacy_danger
C:\WINDOWS1\system32\tmp.reg
C:\Documents and Settings\ben\Application Data\LimeWire
C:\Documents and Settings\ben\Application Data\uTorrent
C:\Program Files\LimeWire
C:\Program Files\uTorrent
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1E88C4FE-1FD6-427A-ADE5-86F647BEA2F0}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CA13D72F-2DAC-4D99-B08D-C5EA1C920E89}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{EB2B30CB-5CB8-4734-8DEC-67708302DCAF}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{4FB6683F-1B09-43E9-AC4F-F995DAB0246F}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\ {7C2ACCAA-605C-4F6B-B71D-5D3F64C92BA6}]
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Next download AVG Anti-Spyware and save that file to your Desktop.
Update AVG Anti-Spyware:
This is a 30 day trial of the program
  • Double-click the AVG icon on the desktop to launch the set up program.
    Once setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select Update then select the Update now link.
    • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine.
  • Under Reports
    • Select Do no automatically generate report
    • Un-Select Only if threats were found
  • Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.


Run AVG Anti-Spyware:
  • Reboot your computer into SafeMode.
    • Restart your computer and tap the F8 key, repeatedly until a menu appears.
    • Use your up arrow key to highlight SafeMode then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
    • If you have any infections you will prompted, then select Apply all actions
    • Next select the Reports icon at the top.
    • Select the Save report as button in the lower left hand of the screen and save it as C:\avg_as.txt
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode


Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also include the text from the C:\avg_as.txt & C:\rapport.txt in your nexy Reply.
Please include a note to tell me how your PC is running now.

The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5

Edited by sage5, 15 March 2008 - 05:48 PM.

  • 0

#5
sage5
Posted 28 March 2008 - 12:29 AM

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP