Internet Settings have been hijacked by spyware (RESOLVED)

[Fwenny]

My problem:
Recently, Ive downloaded a game from http://click.vnn.bz/, its called Chicken Invaders 3, played it a bit, etc etc, deleted it, (the only way to do so was just to click "delete" on the folder since it was extracted), everything went fine, but then I found out something.

If I try to enter a site it takes me to http://click.vnn.bz/ and saying that it is "checking information for the (enter site name here)".
For example, if I type in sendspace.com and press enter, it takes me to
http://clickdotvnn.bz/?hide=1&url=sendspace.com
or if I enter google.com it takes me to
http://clickdotvnn.bz/?hide=1&url=google.com
so everytime I enter a site in the adress bar, it takes me to that site, and I need to click "If this is safe link, click here to go to (enter site name here)",
plus it also bring up a pop up, but it is less conserning.
All this really annoys me, I dont know how to delete it, I guess the extraction installed something on my computer..
Im using winwods XP and IE 7, I just want to enter sites directrly with out any "checking".

P.S
1.Forgot to say, also, when I restart my windows, as it comes up, and the programs start to load, that site opens up, and I didnt even touch the IE button..

2. I found out that if I start the link with http://
it doesnt redirect to that site, and enters normally, maybe it'll help.

Here is my log, hope I did it correct cause Im new to this all:

Logfile of HijackThis v1.99.1
Scan saved at 16:47:39, on 22/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programs\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [bezeq] C:\Program Files\wow250\wow.exe 1
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware4] "D:\Programs\NoAdware4\NoAdware4.exe" :Min:
O4 - HKCU\..\Run: [SB S&D] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Fraps] D:\PROGRAMS\FRAPS\FRAPS.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programs\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {235462AD-BDD2-4534-BB6A-82C19AE1F2FF} (GamesCampus.GameRun) - http://www.gamescampus.com/xiah/luncher/Gamecampus.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://194.90.198.103/activex/AMC.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...43/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0812.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0812.00.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Im new to this so I hope I did everything correct, if something needs to be done diffrently please tell.
I did not touch anything.. Just clicked "Do a system scan and save a logfile", I did it while my computer was in "Safe Mode".

Last thing, here is an image of that site when I typed in google.com, just for the example of how it looks, who knows, maybe it'll help:
http://img147.imageshack.us/img147/2246/untitled3af.jpg

This isnt serious or something, aint big deal, but it can be really annoying.. Hope ya can resolve this, got help in this forum for other stuff some time ago, so I know that people here are good with those stuff.
Thank you.

[Fwenny]

Bump.

[Fwenny]

Bump.

[Fwenny]

Bump.

[Geekgirl]

Hello and Welcome to TSF

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.


Download and install Spybot S&D . Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.



Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

• Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
• Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan




Download and install CleanUp! but do not run it yet.




Go to My Computer >Tools >View >Folder Options tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).



Download and install AVG Anti-Spyware 7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to AVG Anti-Spyware which has a special "clean driver" for removing persistent malware)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc

• Press "OK".
• Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
• When you find the guard service, double-click on it.
• In the Properties Window > General Tab that opens, click the "Stop" button.
• From the drop-down menu next to "Startup Type", click on "Manual".
• Now click "Apply", then "OK" and close the Services window.

9. Select the "Update" button and click "Start update". Wait until you see the "Update succesfull message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with AVG Anti-Spyware as follows:
1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.

• Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
• Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
• Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so may hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.





Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.




Reboot your System in normal mode.

Please post a fresh Hijack This log and submit the AVG Anti-Spyware log report in your next response so that we can check if your system is clean.

[Fwenny]

Dont know how much of a problem is that, but thought I'd report if anything goes wrong.

The Panda anti virus scan wont complete, it opens the windows, I click scan my computer, it gets to like half of cheking, so Im sure its ok and I leave the computer and go to do my stuff, when I return the window is gone like some one closed it, so it closes it self and wont complete, what I know is that it found a spyware, but I couldnt really threat it since I cant complete the scan.

Im not continuing the fixing till I get a message.

[Geekgirl]

Are you scanning in Safe Mode?
If you still cannot run the scan in Safe Mode proceed with the instructions. Did Spybot find anything?
What is your homepage set to? (Open IE, click Tools/Internet Options)

Your HJT log puzzles me also, you are not showing an anit-virus program in the running processes. Did you scan in normal mode?

Also did you disable Spybot S&D TeaTimer?

[Fwenny]

Im having trouble understanding you..

Quote:

Are you scanning in Safe Mode?

You mean my computer has to be in SM to scan? But how if in SM there is no internet?

Quote:

Did Spybot find anything?

Diffrent little things, no red stuff or so..

Quote:

What is your homepage set to?

about:blank, nothing in other words.

Quote:

Did you scan in normal mode?

If you mean did I scan my computer with my own anti-virus? Yes I did, and nothing came up at all.

Quote:

Also did you disable Spybot S&D TeaTimer?

No I haven't, I didnt think it can interfer with the scan. (The Panda one that is..)

[Geekgirl]

Quote:

You mean my computer has to be in SM to scan? But how if in SM there is no internet?

Chose Safe Mode w/ Networking

Quote:

If you mean did I scan my computer with my own anti-virus? Yes I did, and nothing came up at all.

No, I am asking how what mode you were in when you created the HJT log

Quote:

No I haven't, I didnt think it can interfer with the scan. (The Panda one that is..)

Its always best to disable Tea Timer when preforming scans


Continue with the Cleanup instructions and follow through till the end

[Fwenny]

I'l start all over and skip the Panda anti-virus thing.

The HJT was created in SM, since thats what I had to do..

[Geekgirl]

Create the HJT log in normal mode next time you post it

[Fwenny]

Ok here what I got..

AVG LOG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:34:49 02/02/2007

+ Scan result:



C:\System Volume Information\_restore{9B08D49B-AE7F-4FD9-9CD9-892EFAE21C30}\RP53\A0033065.exe -> Dropper.Small : Cleaned with backup (quarantined).


::Report end



HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 21:53:51, on 02/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\NoAdware4\NoAdware4.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRAMS\FRAPS\FRAPS.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Programs\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [bezeq] C:\Program Files\wow250\wow.exe 1
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NoAdware4] "D:\Programs\NoAdware4\NoAdware4.exe" :Min:
O4 - HKCU\..\Run: [SB S&D] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Fraps] D:\PROGRAMS\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [Windows Registry Repair Pro] D:\Programs\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Download with GetRight - D:\Programs\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Programs\GetRight\GRbrowse.htm
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {235462AD-BDD2-4534-BB6A-82C19AE1F2FF} (GamesCampus.GameRun) - http://www.gamescampus.com/xiah/luncher/Gamecampus.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://194.90.198.103/activex/AMC.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...43/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0812.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0812.00.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Another thing, the CWShredder found something called CWS.Msconfig, maybe its because Ive used the msconfig command in the Run.. option to delete some StartUp entries, here is the log, maybe itll be useful:

**** Run Keys ****

RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
RUN: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
RUN: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
RUN: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
RUN: [bezeq] C:\Program Files\wow250\wow.exe 1
RUN: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
RUN: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
RUN: [NoAdware4] "D:\Programs\NoAdware4\NoAdware4.exe" :Min:
RUN: [SB S&D] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
RUN: [Fraps] D:\PROGRAMS\FRAPS\FRAPS.EXE
RUN: [Windows Registry Repair Pro] D:\Programs\Windows Registry Repair Pro\RegistryRepairPro.exe 4


**** Browser Helper Objects ****

BHO: [Adobe PDF Reader Link Helper] C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
BHO: [IE to GetRight Helper] D:\Programs\GetRight\xx2gr.dll
BHO: [] D:\Programs\SPYBOT~1\SDHelper.dll
BHO: [SSVHelper Class] C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll


**** IE Toolbars ****



**** IE Extensions ****



**** Hosts File Entries ****



**** IE Settings ****

Default Page: http://go.microsoft.com/fwlink/?LinkId=69157
Default Search: http://go.microsoft.com/fwlink/?LinkId=54896
Local Page: \blank.htm
Search Page: http://www.msn.com/access/allinone.asp


**** IE Context Menu (Right click) ****

IEContext: [&יצא ל- Microsoft Excel] res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
IEContext: [Download with GetRight] D:\Programs\GetRight\GRdownload.htm
IEContext: [Open with GetRight Browser] D:\Programs\GetRight\GRbrowse.htm


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4E3D78DC-E8F9-4CE7-8DB5-A0D66DF051ED}] SEQPACKET 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4E3D78DC-E8F9-4CE7-8DB5-A0D66DF051ED}] DATAGRAM 6
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9ACAAB8-484F-4B50-941F-E1E23ADCB0A0}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9ACAAB8-484F-4B50-941F-E1E23ADCB0A0}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6CE20047-3983-408B-83E1-7501D91A4B27}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6CE20047-3983-408B-83E1-7501D91A4B27}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4A43A3AE-01B6-4328-AD1B-0B5EAAE52F3E}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4A43A3AE-01B6-4328-AD1B-0B5EAAE52F3E}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{119613B1-381E-48E1-BCD4-B4F33124EF67}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{119613B1-381E-48E1-BCD4-B4F33124EF67}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07E453B0-0548-4703-9606-CBEDEDFD33A2}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{07E453B0-0548-4703-9606-CBEDEDFD33A2}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0145944B-387D-4E87-943A-D923FBDE828B}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0145944B-387D-4E87-943A-D923FBDE828B}] DATAGRAM 5


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{00000055-9980-0010-8000-00AA00389B71} [http://codecs.microsoft.com/codecs/i386/fhg.CAB]
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [http://www.apple.com/qtactivex/qtplugin.cab]
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [http://download.microsoft.com/downlo...GAControl.cab] C:\WINDOWS\system32\OGACheckControl.DLL
{0A5FD7C5-A45C-49FC-ADB5-9952547D5715} [http://www.creative.com/su/ocx/15026/CTSUEng.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/s...rector/sw.cab]
{235462AD-BDD2-4534-BB6A-82C19AE1F2FF} [http://www.gamescampus.com/xiah/luncher/Gamecampus.CAB] C:\WINDOWS\system32\OLEPRO32.DLL C:\WINDOWS\system32\ASYCFILT.DLL C:\WINDOWS\system32\STDOLE2.TLB C:\WINDOWS\system32\COMCAT.DLL C:\WINDOWS\system32\VB6KO.DLL C:\WINDOWS\system32\MSVBVM60.DLL C:\WINDOWS\system32\MSPRPKO.DLL C:\WINDOWS\system32\msstkprp.dll C:\WINDOWS\system32\INETKO.DLL D:\Programs\Kerish Doctor 2006\MSINET.OCX C:\WINDOWS\Downloaded Program Files\Gamecampus.ocx
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.symantec.com/sscv6/S...n/AvSniff.cab]
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [http://download.bitdefender.com/reso...n8/oscan8.cab]
{5ED80217-570B-4DA9-BF44-BE107C0EC166} [http://cdn.scan.safety.live.com/reso...cbase8460.cab]
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.symantec.com/sscv6/S...bin/cabsa.cab]
{69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} [http://www.acclaim.com/cabs/acclaim_v4.cab]
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} [http://www3.ca.com/securityadvisor/v...o/webscan.cab]
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} [http://messenger.zone.msn.com/binary....cab31267.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://acs.pandasoftware.com/actives...ee/asinst.cab]
{9D190AE6-C81E-4039-8061-978EBAD10073} [http://support.f-secure.com/ols/fscax.cab]
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [http://java.sun.com/update/1.5.0/jin...dows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.macromedia.com/get...t/swflash.cab]
{D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} [http://www.gamengame.com/KALogoutComponent.cab]
{DE625294-70E6-45ED-B895-CFFA13AEB044} [http://194.90.198.103/activex/AMC.cab]
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6
{F6ACF75C-C32C-447B-9BEF-46B766368D29


**** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[AVG Anti-Spyware Guard] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
[AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[clr_optimization_v2.0.50727_32] C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[FontCache3.0.0.0] C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[idsvc] "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
[ImapiService] C:\WINDOWS\system32\imapi.exe
[iPod Service] "C:\Program Files\iPod\bin\iPodService.exe"
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\system32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NetTcpPortSharing] "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\system32\nvsvc32.exe
[ose] "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{EE760D27-F32A-485F-8F72-EA59F55617A4}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[usnsvc] C:\WINDOWS\system32\svchost.exe -k usnsvc
[usprserv] %SystemRoot%\System32\svchost.exe -k netsvcs
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WudfSvc] %SystemRoot%\system32\svchost.exe -k WudfServiceGroup
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] about:blank
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.msn.com/access/allinone.asp
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [StatusBarOther]
IEOPT: [NotifyDownloadComplete] no
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [Use Search Asst] no
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [Enable Browser Extensions] yes
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [LastCheckedHi]
IEOPT: [FormSuggest Passwords] yes
IEOPT: [FormSuggest PW Ask] yes
IEOPT: [StatusBarWeb]
IEOPT: [HistoryViewType]
IEOPT: [HistoryTopNSitesView]
IEOPT: [XMLHTTP]
IEOPT: [UseClearType] yes
IEOPT: [CompatibilityFlags]
IEOPT: [SearchMigrated]
IEOPT: [RunOnceHasShown]
IEOPT: [RunOnceComplete]
IEOPT: [AutoHide] yes
IEOPT: [AlwaysShowMenus]
IEOPT: [Local Page] \blank.htm
IEOPT: [Error Dlg Details Pane Open] yes
IEOPT: [Default_Page_URL] http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [Default_Search_URL] http://go.microsoft.com/fwlink/?LinkId=54896
IEOPT: [Search Page] http://www.msn.com/access/allinone.asp
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://go.microsoft.com/fwlink/?LinkId=69157
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Default_Secondary_Page_URL]
IEOPT: [Extensions Off Page] about:NoAdd-ons
IEOPT: [Security Risk Page] about:SecurityRisk
IEOPT: [Check_Associations] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm

[Geekgirl]

Close ALL programs down, leaving only HijackThis running.
Place a check against the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm


Click Start/Run and type in regedit
Navigate to this key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefi xes] folder, if you see "default"="http://click.vnn.bz/?hide=1&url=" delete it.

Reboot and reply back on how your system is running

[Fwenny]

When ya say place a check and all those stuff, you mean close everything, run HJT, do a scan, find the line, click Fix checked, and only then go and do regedit?

[Geekgirl]

Are you still getting redirected to click.vnn ?
If so then do the regedit step

[Fwenny]

Well, it did work, this site aint coming up not in windows start up and not in typing an adress, looks like fixed, thanks alot!
Any last thing I should know? Cause it looks everything is alright now.

[Geekgirl]

Just a few things to look over, glad it is resolved


Reset Hidden Files
To reset your hidden and system files:

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.


IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections; and the likely reason you are now infected. Visit Window's Update to get the KB912919 patch.



To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial Anti-Spyware Tutorial and use the tools provided.

[Fwenny]

System restore point made and windows patched, I'l go over and read the tutorial now, thanks alot, you really helped out.

[Geekgirl]

Your welcome, I will now move this to the Resolved forum