
Logfile



#1
Pete88

  • Member
  • 15 posts
Hi! I'm new here and this is my first post.. I have followed the steps in the

"You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log."

thread. I have run the programs and I think I have removed most, if not all, spyware.. But I'm not sure if I have some virus left that renames itself. I think so. So here is my hijackthis log. I do not include a log file from Ewidoguard cause it didn't find anything the last time I ran it.

Right now I have these programs installed. Do they conflict with each other?

CleanUp!
Ad-aware SE
CWShredder
Spybot S&D
Ewido
AVG

Should I uninstall any of these and install SpywareBlaster instead?

One last question. Shall I have windows firewall running or not?

Anyway, here is my Hijackthis log, any help appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 2:13:15 AM, on 05/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program\iTunes\iTunesHelper.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Mixer.exe
E:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\rundll32.exe
E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
E:\Program\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program\Winamp\winampa.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\w?nlogon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {29CAA0AD-6C4C-47B5-3EC0-36E63DDA9ECC} - C:\WINDOWS\System32\uotbtcb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60D7D6D1-1865-30CE-43CD-4671747ED4C9} - C:\WINDOWS\System32\cmqmpgbm.dll (file missing)
O2 - BHO: (no name) - {D75D2BA2-C5B5-47FC-AB6B-3FAD96B511BD} - C:\WINDOWS\System32\ndpi.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [C-Media Echo Control] E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SDKcore Update Components2] SDKC0R3.exe
O4 - HKLM\..\Run: [Nbhde] C:\Program Files\Exaom\Gaxal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\winos.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [33mO3EU] srvhz.exe
O4 - HKLM\..\Run: [apcojx] c:\windows\system32\auoelw.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [SDKcore Update Components2] SDKC0R3.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rymt] C:\WINDOWS\System32\w?nlogon.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program Files\expektMPP\MPPoker.exe
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0E29238B-8CCA-4F47-90E9-95E6CEFF83F2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0E29238B-8CCA-4F47-90E9-95E6CEFF83F2} - (no file) (HKCU)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111641210527
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - E:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - E:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program\ewido\security suite\ewidoguard.exe
O23 - Service: fsbwsys - Unknown owner - E:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0



#2
Wizard

  • Retired Staff
  • 5,661 posts
Hi Pete88 and Welcome to the Geeks to Go Help Forums!

You have quite the mess in there but I think you have arrived at the place to get this PC fixed Up!

I will need you to "Identify" whether you installed these 2 games and "IF NOT" include both the entries in HijackThis and "Add" the "Folders" to the list for Pocket Killbox!

Starluck Casino
PokerNow



Create a folder on the Desktop for all the Downloads I need you to make!

Just Right Click the Desktop>Select New>Select Folder>Name it whatever you like!

Please Print out or Save to Notepad the Instructions below as we will perform a good deal of this fix in Safe Mode!

It may take Several passes so please be patient!

Attached to the post is Zip.Zap that Contains Zap.bat

Download it to the New Folder and Unzip it but don't run it yet!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Please Download F-Secure Blacklight Rootkit Elimination Technology
http://www.f-secure....light/try.shtml

Once at the page, Click "I Accept" then "Download"

Download it to the Desktop but don't run it yet!

Right-Click Here and Click "Save As" to download DelDomains.inf to the new folder but don't run it yet!

Download "The Hoster" from here but don't run it yet!
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit Program.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Open and Run "The Hoster" just as described above!

Now run "DelDomains.inf": Right Click DelDomains.inf and select "Install"

It will perform a silent process>Give it a minute to run!

Click Start>Run>Type in Services.msc and Click OK!

Scroll that list and locate
System Startup Service
or
SvcProc

Right Click and Select Properties>Click Stop>Change the StartUp Type to Disabled!

Scroll the list again and locate any of these that may exist

Delprot
LEGACY_MSDIRECTX
msdirectx
wuauserv


Follow the same Instructions as above!

Now Double Click F-Secure's blbeta.exe to Start it, then Click "I accept the agreement" and click "Next"

Now Click "Expert Mode" and then "Scan" and let it do its thing. If it finds anything, it will automatically tell you and go to Step 2 to begin the cleaning process!

Once it's complete you should see "fsbl.log" on the Desktop. Save that and place it in the Next Post! (If BlackLight didn't ID anything the log will be empty.)

If Blacklight identified anything, it will be in that log. I will need to see those Results!

Now locate the Attached Zip Folder you downloaded and Double Click Zap.bat

If prompted>Allow it to Run!


Please Highlight and Right Click the list of Files and Folders below and then Select Copy!

C:\Windows\System32\msdirectx.sys
C:\Windows\System32\SDKC0R3.exe
C:\Windows\System32\mskdll.dll
C:\WINDOWS\System32\internat.dll
C:\Windows\System32\wldr.dll
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\System32\srvhz.exe
C:\WINDOWS\System32\auoelw.exe
C:\WINDOWS\System32\wi32.exe
C:\WINDOWS\UserTemp
C:\WINDOWS\User32
C:\WINDOWS\winos.exe
C:\WINDOWS\svcproc.exe
C:\Program Files\Exaom\Gaxal.exe
C:\Program Files\Exaom


Now Open Pocket KillBox and Click File>>Paste from Clipboard!

When available place a tick by these selections:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!!

Keep a list of any files that Killbox says it "CAN NOT" delete!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {29CAA0AD-6C4C-47B5-3EC0-36E63DDA9ECC} - C:\WINDOWS\System32\uotbtcb.dll (file missing)

O2 - BHO: (no name) - {60D7D6D1-1865-30CE-43CD-4671747ED4C9} - C:\WINDOWS\System32\cmqmpgbm.dll (file missing)

O2 - BHO: (no name) - {D75D2BA2-C5B5-47FC-AB6B-3FAD96B511BD} - C:\WINDOWS\System32\ndpi.dll (file missing)

O4 - HKLM\..\Run: [SDKcore Update Components2] SDKC0R3.exe

O4 - HKLM\..\Run: [Nbhde] C:\Program Files\Exaom\Gaxal.exe

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\winos.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [33mO3EU] srvhz.exe

O4 - HKLM\..\Run: [apcojx] c:\windows\system32\auoelw.exe

O4 - HKLM\..\RunServices: [SDKcore Update Components2] SDKC0R3.exe

O4 - HKCU\..\Run: [Rymt] C:\WINDOWS\System32\w?nlogon.exe

O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0E29238B-8CCA-4F47-90E9-95E6CEFF83F2} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0E29238B-8CCA-4F47-90E9-95E6CEFF83F2} - (no file) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n7/dlhelper.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

If you have a list from Killbox>Copy&Paste them into Killbox and Select "Delete on Reboot"

Click "Yes" to Confirm!

Click "Yes" to Reboot!


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Once all is completed>Post the Results from Panda>Blacklight> and a fresh HijackThis log!

Attached Files

  • Attached File  Zap.zip   369bytes   194 downloads

  • 0

#3
Pete88

  • Topic Starter
  • Member
  • 15 posts
Thank you very much for taking your time to answer and help me! Now I have followed some of the steps but I must ask a couple of questions just to make sure I have done nothing wrong.. :tazz:

1. About The Hoster you say download but do not run it yet. Right under that line you say I should restore original hosts. I did that after I rebooted to safemode.. Is this right? I also couldn't restore original hosts immediately, I had to change them from read only status.

2. Then I followed the steps to F-Secure's blbeta.exe. I tried to use it but it didn't work in safe mode so I guess it was time to restart?

So, here I am.. ;) Have I done everything right and shall I continue with the instructions in normal mode?

/Peter
  • 0

#4
Wizard

  • Retired Staff
  • 5,661 posts
I apologize for the Brain Fart involving BlackLight>Please run the tool in Normal Mode and Post its findings!

Explain in a bit more detail about The Hoster?

Where are you with the Fix?
  • 0

#5
Pete88

  • Topic Starter
  • Member
  • 15 posts
Ok.. I'll try to explain in more detail..


Download "The Hoster" from here but don't run it yet!
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK". Exit Program.


Ok.. I downloaded the hoster. Then you write in the top sentence "don't run it yet" but after that in the third line you write "Press "Restore Original Hosts" and press "OK". Exit Program". I did this after the reboot.

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Open and Run "The Hoster" just as described above!


So I'm asking if it is right to reboot to safemode and then do the "restore original hosts" thing.

And I couldn't press the button restore hosts immediately. It was activated first after I used the button "make hosts writable?" in the upper right corner.

Now run "DelDomains.inf": Right Click DelDomains.inf and select "Install"

It will perform a silent process>Give it a minute to run!

Click Start>Run>Type in Services.msc and Click OK!

Scroll that list and locate
System Startup Service
or
SvcProc

Right Click and Select Properties>Click Stop>Change the StartUp Type to Disabled!

Scroll the list again and locate any of these that may exist

Delprot
LEGACY_MSDIRECTX
msdirectx
wuauserv

Follow the same Instructions as above!


I have done this step and restarted. And after that I have surfed a little and listened to some music. Is it ok to proceed to the next step now?

/Peter
  • 0

#6
Wizard

  • Retired Staff
  • 5,661 posts
Yes Sir it's fine to move on...if you feel the need run Hoster again...TY for the Info....I see where this would be confusing!

I will edit future posts!

Of the Services listed...How many did you find?

Go ahead and Proceed with the fix and post back!
  • 0

#7
Pete88

  • Topic Starter
  • Member
  • 15 posts
Hmm.. I think something is not right here.. I am not in safemode anymore and I did run blbeta and accepted the agreement and clicked next.. After that I get to a menu and there I can only choose scan.. no expert mode.. The menu says "Scan for hidden items" and scan targets are hidden processes and hidden files and folders.. Should it be like that? Anyway, I did run the scan and it didn't find anything. After the scan I can choose "show all processes" or next for the result.
The logfile does not show anything.. just that the scan has taken place.

And among the services earlier I did find and changed the System startup service. But I didn't find any of the others and I double-checked.. :tazz:

Thanks for the help so far..
  • 0

#8
Wizard

  • Retired Staff
  • 5,661 posts
That's fine....they just updated it 2 days ago and I missed the email!

Go ahead and finish the Fix!

Don't forget Zap.bat!!!
  • 0

#9
Pete88

  • Topic Starter
  • Member
  • 15 posts
Hmm.. getting some messages here.. I run the Zap file but get the message

"Load library("C:\WINNT\isrvs\sysupd.dll") failed - The specified module could not be found"

I click ok and then I get

"Load library("C:\WINNT\isrvs\mfiltis.dll") failed - The specified module could not be found"

I click ok and then I get "Load library("C:\WINNT\isrvs\msdbhk.dll") failed - The specified module could not be found"

then I click ok again and the program exits..
  • 0

#10
Wizard

  • Retired Staff
  • 5,661 posts
Unregister these DLLs. To do this:

Click Start>>>Click Run>>>Copy&Paste the Text below into the Text Box and Click OK!

regsvr32 /u sysupd.dll


regsvr32 /u mfiltis.dll


regsvr32 /u msdbhk.dll


Let's see if that doesn't help!

Edited by Cretemonster, 24 May 2005 - 05:48 PM.

  • 0



#11
Pete88

  • Topic Starter
  • Member
  • 15 posts
When I try I get similar messages..

"Load library("sysupd.dll") failed - The specified module could not be found"

"Load library("mfiltis.dll") failed - The specified module could not be found"

"Load library("msdbhk.dll") failed - The specified module could not be found"
  • 0

#12
Wizard

  • Retired Staff
  • 5,661 posts
Cool....that means they are gone!!!

Are you all finished with the fix?

Post a fresh hijackthis log if you are!
  • 0

#13
Pete88

  • Topic Starter
  • Member
  • 15 posts
Ok.. I copied the list and pasted from clipboard in killbox. But I couldn't choose "Unregister .dll before deleting". But I didn't get any messages so I think everything was deleted.

When I scanned in HJ after that I got a couple of error messages.. I just clicked ok and tried to restart HJ and then they didn't appear?.. I fixed the files and restarted. I ran pandascan and found some infected files. After that I ran HJ again and here are both of them. I attached the pandascan.

Logfile of HijackThis v1.99.1
Scan saved at 4:29:43 AM, on 05/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\Mixer.exe
E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program\Winamp\winampa.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [C-Media Echo Control] E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program Files\expektMPP\MPPoker.exe
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111641210527
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - E:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - E:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Attached File  Activescan.txt   4.66KB   156 downloads
  • 0

#14
Wizard

  • Retired Staff
  • 5,661 posts
That looks a lot better....I see Panda did find a few things!

Go to Safe Mode>Copy the list below into Killbox!

C:\WINDOWS\system32\wi32.0xe
C:\WINDOWS\CXTPLS_LOADER.0XE
C:\WINDOWS\delprot.ini
C:\WINDOWS\deskbar.ini
C:\WINDOWS\system32\intronsad.exe
C:\WINDOWS\system32\WNLOGO~1.EXE
C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\jxrgbpd.exe
C:\WINDOWS\inst
C:\WINDOWS\isrvs


Make all the same selections and Delete!

Please Install these 2 programs to Help out Internet Explorer and Mozilla Firefox!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Post back and let me know how the PC is running?
  • 0
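
The by-eye comparison between the fix list in post #2 and the fresh log in post #13 can be scripted. This is an added example, not part of the original thread and not a HijackThis feature: the function names are hypothetical and the sample logs are short excerpts of lines posted above. Entries that carry a CLSID are keyed on it, so the SDHelper.dll path switching to its 8.3 short form between scans is not reported as a new entry.

```python
import re

# A HijackThis result line has the form "<section> - <details>",
# for example: O4 - HKLM\..\Run: [name] command
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpt of the first log in the thread (post #1).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D75D2BA2-C5B5-47FC-AB6B-3FAD96B511BD} - C:\WINDOWS\System32\ndpi.dll (file missing)
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\winos.exe
O4 - HKLM\..\Run: [33mO3EU] srvhz.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Excerpt of the entries the helper asked to have fixed (post #2).
FIX_LIST = r"""
O2 - BHO: (no name) - {D75D2BA2-C5B5-47FC-AB6B-3FAD96B511BD} - C:\WINDOWS\System32\ndpi.dll (file missing)
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\winos.exe
O4 - HKLM\..\Run: [33mO3EU] srvhz.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

# Excerpt of the fresh log (post #13).
AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
"""


def entry_key(section, details):
    """Identity of an entry, stable across cosmetic changes between scans.

    Entries with a CLSID (O2, O9, O16) are keyed on the text up to and
    including the CLSID, so a path that flips between long and 8.3 short
    form is still the same entry. Everything else is keyed on the whole
    line, case-insensitively and with whitespace collapsed.
    """
    details = " ".join(details.split())
    m = CLSID_RE.search(details)
    if m:
        details = details[: m.end()]
    return (section, details.casefold())


def parse_entries(log_text):
    """Map entry key -> original line for every result line in a log.

    Header lines and the "Running processes" paths do not match ENTRY_RE
    and are skipped.
    """
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m.group(1), m.group(2))] = line
    return entries


def verify_fix(before_log, fix_list, after_log):
    """Compare a fix list against the log taken after the fix.

    removed:    fix-list entries that no longer appear
    persisting: fix-list entries still present (came back or never removed)
    new:        entries in the fresh log that were not in the earlier one
    """
    before, wanted, after = map(parse_entries, (before_log, fix_list, after_log))
    return {
        "removed": sorted(wanted[k] for k in wanted if k not in after),
        "persisting": sorted(after[k] for k in wanted if k in after),
        "new": sorted(after[k] for k in after if k not in before),
    }


if __name__ == "__main__":
    for bucket, lines in verify_fix(BEFORE, FIX_LIST, AFTER).items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("   ", line)
```
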

#15
Pete88

  • Topic Starter
  • Member
  • 15 posts
Hi again.. I ran pandascan once again after the killboxfix and it still found some files. So I attach the scan again and a fresh hijack. There was one file that killbox could not delete: C:\WINDOWS\system32\WNLOGO~1.EXE

Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 AM, on 05/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\Mixer.exe
E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program\Winamp\winampa.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [C-Media Echo Control] E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program Files\expektMPP\MPPoker.exe
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111641210527
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - E:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - E:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Attached File  Activescan.txt   2.49KB   145 downloads