Resolved HJT Threads Resolved spyware and popup issues.
Old 06-06-2007, 04:58 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Smitfraud888toolbar - yada yada yada

Hi guys,

I came here a year or so ago and you sorted me out good and proper....Thanks again for that.

This time is tragic ;<

I got a new pc, really nice one...11602 on 3dmark06 ;O -

Then I get Smitpants888toolbar.

I think it was when I downloaded a codec pack that I shouldn't have - I don't know really.

Please if you can, start me from scratch and help me defeat this malware :(

Thanks in advance,

Cueshark
Old 06-07-2007, 01:13 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

A Hijack This Log would help.

:(

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:12:38, on 07/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Intes KeyChange\KeyChange.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net...gXPWizCredOnly
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85608CBA-006A-451F-A561-0AF2E69F69E3} - C:\WINDOWS\system32\ygpadbai.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - C:\WINDOWS\system32\foamfayx.dll
O2 - BHO: (no name) - {B95DA896-A501-4A62-BA91-27B6B650A5E0} - C:\WINDOWS\system32\jkkji.dll
O2 - BHO: (no name) - {CFDE1CF9-75B3-4B1E-B9A7-B5FB88A171E6} - C:\WINDOWS\system32\pmnolmj.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\fxseyich.dll",realset
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BPS Remover] C:\Program Files\BPS Remover\SpyRem.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Intes KeyChange.lnk = C:\Program Files\Intes KeyChange\KeyChange.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll
O20 - Winlogon Notify: pmnolmj - C:\WINDOWS\SYSTEM32\pmnolmj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
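
A triage pass over HijackThis-format lines like the ones above, as an added example (not a tool from the forum or from anyone in this thread): it flags the entry classes where this infection lived (unnamed O2 BHOs, O20 Winlogon Notify hooks and O4 rundll32 loaders that point at random-named DLLs in system32) and diffs a before and after log, using lines copied from this post and from the emulated log in post #4. The random-name heuristic and the allowlist are this example's own assumptions, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry types that load a DLL into another process or hook logon: the places
# where the Vundo/Smitfraud-class adware in the posted log actually lived
# (unnamed O2 BHOs, O20 Winlogon Notify hooks, O4 rundll32 loaders).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
SYS32_DLL_RE = re.compile(r"C:\\WINDOWS\\system32\\(?P<stem>[A-Za-z0-9_]+)\.dll", re.I)
# Heuristic (this example's own): 5-8 lowercase letters and no digits is the
# random-name pattern of the DLLs ComboFix deleted in this thread.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")
# Constructed allowlist: lowercase system32 stems legitimately registered as
# Winlogon Notify packages on a stock XP SP2 install. Extend for your baseline.
KNOWN_GOOD_STEMS = {"crypt32", "cscdll", "scecli", "sclgntfy", "wlnotify", "wgalogon"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    reason: str
    line: str


def _random_sys32_stem(body: str) -> Optional[str]:
    """Return the DLL stem if the entry loads a random-looking DLL from system32."""
    m = SYS32_DLL_RE.search(body)
    if not m:
        return None
    stem = m.group("stem")
    if stem.lower() in KNOWN_GOOD_STEMS or not RANDOM_STEM_RE.match(stem):
        return None
    return stem


def triage(log_text: str) -> List[Finding]:
    """Flag the HijackThis entries a helper would look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process lists, blank lines
        kind, body = m.group("kind"), m.group("body")
        stem = _random_sys32_stem(body)
        if kind == "O2" and body.startswith("BHO: (no name)"):
            if body.endswith("(no file)"):
                findings.append(Finding("info", "orphaned BHO registration, DLL missing on disk", line))
            elif stem:
                findings.append(Finding("high", f"unnamed BHO loads random-named {stem}.dll from system32", line))
        elif kind == "O20" and body.startswith("Winlogon Notify:") and stem:
            findings.append(Finding("high", f"Winlogon Notify hook via random-named {stem}.dll", line))
        elif kind == "O4" and "rundll32" in body.lower() and stem:
            findings.append(Finding("high", f"rundll32 autorun loads random-named {stem}.dll", line))
    return findings


def entries(log_text: str) -> set:
    """The set of R/O entries in a log, ignoring headers and process lists."""
    return {l.strip() for l in log_text.splitlines() if ENTRY_RE.match(l.strip())}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(entries that disappeared, entries that appeared) between two logs."""
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


# Constructed samples: lines copied from the two logs posted in this thread
# (the HijackThis log before ComboFix ran, and the emulated log after it).
BEFORE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85608CBA-006A-451F-A561-0AF2E69F69E3} - C:\WINDOWS\system32\ygpadbai.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\fxseyich.dll",realset
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\knuihksd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    gone, new = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(gone)} entries removed, {len(new)} new entries after the fix:")
    for line in new:
        print("  +", line)
```

A new unnamed BHO with a fresh random name appearing in the post-fix log is exactly the kind of entry the diff surfaces, which is why helpers ask for a second log rather than trusting the absence of symptoms.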
Old 06-07-2007, 06:32 PM   #3 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Smitfraud888toolbar - yada yada yada

Hi Cueshark.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

---------------------------------------------------------------------------------------------

The cleaning process is not instant. Please follow through to the end until I tell you your machine is clean.
The absence of symptoms does not mean that everything is clean.


---------------------------------------------------------------------------------------------

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt I'll need that in your next reply.

---------------------------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt - Attached please
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 06-08-2007, 02:22 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

Thanks very much for helping me.

I hope using the emulated hijack this will be adequate for you. Let me know if not and I'll open the ports on my firewall if you tell me what they are.

Cheers,

Cue.

ComboFix 07-06-09.1 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-08 21:07:48 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fxseyich.dll
C:\WINDOWS\system32\ygpadbai.dll
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\hciyesxf.ini
C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak2
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\pmnolmj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))


2007-06-08 21:07 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 05:27 58,420 --a------ C:\WINDOWS\system32\knuihksd.dll
2007-06-07 19:54 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-07 19:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-06-07 19:52 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-06-07 19:52 20,016 --a------ C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-06-07 19:52 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2007-06-07 19:48 223,128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-06-07 19:48 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-07 19:43 96,256 --a------ C:\WINDOWS\system32\drivers\sptd1165.sys
2007-06-07 19:43 642,560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-07 05:22 55,316 --a------ C:\WINDOWS\system32\foamfayx.dll
2007-06-06 23:02 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-06 05:23 14,868 --a------ C:\WINDOWS\system32\bltpljta.exe
2007-06-06 01:25 <DIR> d-------- C:\Program Files\BPS Remover
2007-06-06 01:19 67,645 --a------ C:\WINDOWS\system32\drivers\pshook11.sys
2007-06-06 01:19 <DIR> d-------- C:\Program Files\Spyware Nuker
2007-06-06 01:19 <DIR> d-------- C:\Program Files\INAC
2007-06-06 01:17 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-06-06 01:17 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2007-06-06 01:17 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2007-06-06 01:17 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-06-05 12:52 <DIR> d-------- C:\Program Files\HyCam2
2007-06-05 03:37 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-06-03 19:47 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 19:44 <DIR> d-------- C:\temp
2007-06-03 19:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Media Center Programs
2007-06-03 19:05 <DIR> d-------- C:\Program Files\THQ
2007-06-03 18:57 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\InstallShield
2007-06-03 18:47 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-03 18:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Lavasoft
2007-06-03 17:56 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-06-03 17:55 <DIR> d-------- C:\Program Files\uTorrent
2007-06-03 17:47 <DIR> d-------- C:\Program Files\MagicISO
2007-06-02 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 18:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2007-06-02 18:50 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2007-06-02 16:16 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\vlc
2007-06-02 16:12 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-02 16:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-06-02 16:08 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-06-02 16:08 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-02 15:40 <DIR> d-------- C:\Program Files\directx
2007-06-02 15:39 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2007-06-02 15:37 <DIR> d-------- C:\Program Files\Intes KeyChange
2007-06-02 15:36 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-06-02 15:36 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-06-02 15:36 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-06-02 15:36 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-06-02 15:36 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-06-02 15:36 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-06-02 15:36 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-06-02 15:36 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-06-02 15:36 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-06-02 15:36 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-06-02 15:36 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-06-02 15:36 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-06-02 15:36 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-06-02 15:36 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-02 15:36 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-06-02 15:08 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\teamspeak2
2007-06-02 15:07 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-06-02 14:48 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-02 14:48 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-02 14:48 <DIR> d-------- C:\WINDOWS\nview
2007-06-01 00:59 <DIR> d-------- C:\Fraps
2007-05-31 23:36 737,280 --a------ C:\WINDOWS\iun6002.exe
2007-05-31 23:19 <DIR> d-------- C:\Program Files\Ringz Studio
2007-05-31 20:25 <DIR> d-------- C:\Program Files\Steam
2007-05-31 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-05-31 19:16 <DIR> d-------- C:\WINDOWS\NV23322580.TMP
2007-05-31 19:13 <DIR> d-------- C:\WINDOWS\NV9281364.TMP
2007-05-31 19:02 <DIR> d-------- C:\WINDOWS\NV9361368.TMP
2007-05-31 18:54 <DIR> d-------- C:\WINDOWS\NV9281360.TMP
2007-05-31 02:11 <DIR> d-------- C:\Program Files\Citrus Alarm Clock
2007-05-31 01:47 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-31 01:47 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-31 01:47 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-31 01:47 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-31 01:47 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-31 01:47 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-31 01:46 <DIR> d-------- C:\Program Files\Ò½ï¢Ö›¶‡
2007-05-31 00:56 <DIR> d-------- C:\Program Files\mIRC
2007-05-31 00:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-31 00:50 <DIR> d-------- C:\DOCUME~1\Owner\Contacts
2007-05-31 00:48 <DIR> d-------- C:\Program Files\MSN Messenger
2007-05-31 00:41 <DIR> d-------- C:\WINDOWS\NV1516936.TMP
2007-05-31 00:40 <DIR> d-------- C:\NVIDIA
2007-05-31 00:37 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-31 00:36 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-05-31 00:36 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-05-31 00:36 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-05-31 00:36 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-05-31 00:36 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-05-31 00:36 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-05-31 00:36 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-05-31 00:36 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-05-31 00:36 <DIR> d-------- C:\Team17
2007-05-31 00:36 <DIR> d-------- C:\DOCUME~1\Owner\WINDOWS
2007-05-31 00:29 <DIR> d--hs---- C:\RECYCLER


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 18:00:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 00:46:25 -------- d-----w C:\Program Files\Ê¢´óÍøÂç
2007-05-30 23:14:57 -------- d-----w C:\Program Files\Messenger
2007-04-20 05:05:00 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-04-20 05:05:00 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-04-20 05:05:00 8,429,568 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-04-20 05:05:00 745,472 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-04-20 05:05:00 6,739,168 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-04-20 05:05:00 6,668,288 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-04-20 05:05:00 6,217,728 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-04-20 05:05:00 5,439,488 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-04-20 05:05:00 5,434,880 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-04-20 05:05:00 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-04-20 05:05:00 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-04-20 05:05:00 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-04-20 05:05:00 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-04-20 05:05:00 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-04-20 05:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-04-20 05:05:00 37,888 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-04-20 05:05:00 344,064 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-04-20 05:05:00 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-04-20 05:05:00 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-04-20 05:05:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-04-20 05:05:00 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-04-20 05:05:00 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-04-20 05:05:00 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-04-20 05:05:00 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-04-20 05:05:00 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-04-20 05:05:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-04-20 05:05:00 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-04-20 05:05:00 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-04-20 05:05:00 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-04-20 05:05:00 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-04-20 05:05:00 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-04-20 05:05:00 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-04-20 05:05:00 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-04-20 05:05:00 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-04-20 05:05:00 3,645,440 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-04-20 05:05:00 3,538,944 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-04-20 05:05:00 3,289,088 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-04-20 05:05:00 3,235,840 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-04-20 05:05:00 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-04-20 05:05:00 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-04-20 05:05:00 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-04-20 05:05:00 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-04-20 05:05:00 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-04-20 05:05:00 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-04-20 05:05:00 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-04-20 05:05:00 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-04-20 05:05:00 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-04-20 05:05:00 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-04-20 05:05:00 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-04-20 05:05:00 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-04-20 05:05:00 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-04-20 05:05:00 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-04-20 05:05:00 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-04-20 05:05:00 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-04-20 05:05:00 274,432 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-04-20 05:05:00 270,336 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-04-20 05:05:00 266,240 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-04-20 05:05:00 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-04-20 05:05:00 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-04-20 05:05:00 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-04-20 05:05:00 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-04-20 05:05:00 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-04-20 05:05:00 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-04-20 05:05:00 245,760 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-04-20 05:05:00 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-04-20 05:05:00 245,760 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-04-20 05:05:00 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-04-20 05:05:00 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
2007-04-20 05:05:00 212,992 ----a-w C:\WINDOWS\system32\nvwrsja.dll
2007-04-20 05:05:00 2,854,912 ----a-w C:\WINDOWS\system32\nvmoblsr.dll
2007-04-20 05:05:00 2,387,968 ----a-w C:\WINDOWS\system32\nvwssr.dll
2007-04-20 05:05:00 2,273,280 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-04-20 05:05:00 196,608 ----a-w C:\WINDOWS\system32\nvwrsko.dll
2007-04-20 05:05:00 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-04-20 05:05:00 167,936 ----a-w C:\WINDOWS\system32\nvwrszht.dll
2007-04-20 05:05:00 163,908 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-04-20 05:05:00 163,840 ----a-w C:\WINDOWS\system32\nvwrszhc.dll
2007-04-20 05:05:00 143,360 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-04-20 05:05:00 122,880 ----a-w C:\WINDOWS\system32\nvrszht.dll
2007-04-20 05:05:00 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 05:05:00 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-04-20 05:05:00 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-04-20 05:05:00 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-04-20 05:05:00 1,101,824 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-04-20 05:05:00 1,073,152 ----a-w C:\WINDOWS\system32\nvcpluir.dll
2007-04-20 05:05:00 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-04-20 05:05:00 1,018,748 ----a-w C:\WINDOWS\system32\nvucode.bin
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\knuihksd.dll [2007-06-08 05:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 07:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 11:43 C:\WINDOWS\Alcmtr.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-05-31 00:20]
"nwiz"="nwiz.exe" [2007-04-20 06:05 C:\WINDOWS\system32\nwiz.exe]
"SWN2"="C:\Program Files\Spyware Nuker\swnxt.exe" [2006-06-09 17:11]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 15:57]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-05-31 20:26]
"BPS Remover"="C:\Program Files\BPS Remover\SpyRem.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
C:\Program Files\ABIT\uGuru\uGuru.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-08 21:12:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-08 21:13:45 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-08 21:13

--- E O F ---

*******
MAIN TXT
*******

- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
25: 2007-06-08 20:17:24 UTC - RP32 - Deckard's System Scanner Restore Point
24: 2007-06-07 18:52:02 UTC - RP31 - Installed Adobe Premiere Pro 2.0
23: 2007-06-07 02:07:24 UTC - RP30 - System Checkpoint
22: 2007-06-05 23:00:15 UTC - RP29 - Software Distribution Service 3.0
21: 2007-06-05 05:03:32 UTC - RP28 - System Checkpoint


-- First Restore Point --
1: 2007-05-30 23:00:16 UTC - RP8 - Software Distribution Service 3.0


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-06-08 21:18:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Intes KeyChange\KeyChange.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net...gXPWizCredOnly
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\knuihksd.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BPS Remover] C:\Program Files\BPS Remover\SpyRem.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Intes KeyChange.lnk = C:\Program Files\Intes KeyChange\KeyChange.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UGURU - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT; ABIT uGuru Micro-Processor Device Driver>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Files created between 2007-05-08 and 2007-06-08 -----------------------------

2007-06-08 21:12:21 0 d-------- C:\Avenger
2007-06-08 05:27:41 58420 --a------ C:\WINDOWS\system32\knuihksd.dll
2007-06-07 20:08:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-06-07 19:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-06-07 19:54:19 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-07 19:52:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-06-07 19:52:04 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-06-07 19:52:04 1233920 --a------ C:\WINDOWS\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP 2>
2007-06-07 19:48:38 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-06-07 19:48:38 0 d-------- C:\Program Files\DAEMON Tools
2007-06-07 19:43:05 96256 --a------ C:\WINDOWS\system32\drivers\sptd1165.sys
2007-06-07 19:43:05 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-07 05:22:15 55316 --a------ C:\WINDOWS\system32\foamfayx.dll
2007-06-06 23:02:46 0 d--h----- C:\WINDOWS\PIF
2007-06-06 05:23:13 14868 --a------ C:\WINDOWS\system32\bltpljta.exe
2007-06-06 01:25:59 0 d-------- C:\Program Files\BPS Remover
2007-06-06 01:19:20 67645 --a------ C:\WINDOWS\system32\drivers\pshook11.sys <Not Verified; TrekBlue, LLC; Anti-Virus Engine>
2007-06-06 01:19:04 0 d-------- C:\Program Files\INAC
2007-06-06 01:19:02 0 d-------- C:\Program Files\Spyware Nuker
2007-06-06 01:17:44 118784 --a------ C:\WINDOWS\system32\msstdfmt.dll <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-06-06 01:17:43 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-06-05 12:52:00 0 d-------- C:\Program Files\HyCam2
2007-06-05 03:37:56 0 d---s---- C:\Documents and Settings\Owner\UserData
2007-06-03 19:44:19 0 d-------- C:\temp
2007-06-03 19:19:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Media Center Programs
2007-06-03 19:05:17 0 d-------- C:\Program Files\THQ
2007-06-03 18:57:54 0 d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-06-03 18:47:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-06-03 18:47:41 0 d-------- C:\Program Files\Lavasoft
2007-06-03 18:11:00 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-03 18:09:39 0 dr-h----- C:\$VAULT$.AVG
2007-06-03 17:56:01 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-06-03 17:55:59 0 d-------- C:\Program Files\uTorrent
2007-06-03 17:47:22 0 d-------- C:\Program Files\MagicISO
2007-06-02 19:21:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 18:51:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2007-06-02 18:50:40 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-06-02 16:16:40 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2007-06-02 16:12:56 0 d-------- C:\Program Files\VideoLAN
2007-06-02 16:09:31 0 d-------- C:\Program Files\Windows Media Connect 2
2007-06-02 16:08:53 0 d-------- C:\WINDOWS\system32\LogFiles
2007-06-02 16:08:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-02 15:40:14 0 d-------- C:\Program Files\directx
2007-06-02 15:39:55 0 d-------- C:\Program Files\NVIDIA Corporation
2007-06-02 15:37:18 0 d-------- C:\Program Files\Intes KeyChange
2007-06-02 15:36:03 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-06-02 15:08:01 0 d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2007-06-02 15:07:46 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-06-02 14:48:25 0 d-------- C:\WINDOWS\nview
2007-06-01 01:08:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-06-01 00:59:44 0 d-------- C:\Fraps
2007-05-31 23:36:04 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-05-31 23:19:36 0 d-------- C:\Program Files\Ringz Studio
2007-05-31 20:25:38 0 d-------- C:\Program Files\Steam
2007-05-31 19:47:26 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-05-31 19:16:23 0 d-------- C:\WINDOWS\NV23322580.TMP
2007-05-31 19:13:18 0 d-------- C:\WINDOWS\NV9281364.TMP
2007-05-31 19:02:00 0 d-------- C:\WINDOWS\NV9361368.TMP
2007-05-31 18:54:02 0 d-------- C:\WINDOWS\NV9281360.TMP
2007-05-31 02:11:09 0 d-------- C:\Program Files\Citrus Alarm Clock
2007-05-31 01:46:25 0 d-------- C:\Program Files\Ê¢´óÍøÂç
2007-05-31 00:56:50 0 d-------- C:\Program Files\mIRC
2007-05-31 00:50:36 0 d-------- C:\Documents and Settings\Owner\Contacts
2007-05-31 00:50:24 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-05-31 00:48:56 0 d-------- C:\Program Files\MSN Messenger
2007-05-31 00:41:19 0 d-------- C:\WINDOWS\NV1516936.TMP
2007-05-31 00:40:46 0 d-------- C:\NVIDIA
2007-05-31 00:37:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-31 00:37:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-05-31 00:36:31 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2007-05-31 00:36:31 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2007-05-31 00:36:30 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2007-05-31 00:36:29 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-05-31 00:36:29 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-05-31 00:36:29 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-05-31 00:36:29 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2007-05-31 00:36:20 0 d-------- C:\Team17
2007-05-31 00:36:11 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-05-31 00:36:08 0 d-------- C:\Documents and Settings\Owner\WINDOWS
2007-05-31 00:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-05-31 00:17:00 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-05-31 00:16:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-31 00:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-31 00:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-31 00:10:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-05-31 00:00:23 0 d-------- C:\WINDOWS\system32\PreInstall
2007-05-30 23:52:21 0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2007-06-03 19:00:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-31 00:14:57 0 d-------- C:\Program Files\Messenger
2007-04-20 06:05:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-04-20 06:05:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-04-20 06:05:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 06:05:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-20 06:05:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-04-20 06:05:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-04-20 06:05:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-04-20 06:05:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{E12BFF69-38A7-406e-A8EF-2738107A7831} C:\WINDOWS\system32\knuihksd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"nwiz"="nwiz.exe /install"
"SWN2"="C:\\Program Files\\Spyware Nuker\\swnxt.exe /h"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"BPS Remover"="C:\\Program Files\\BPS Remover\\SpyRem.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uGuru"
"hkey"="HKCU"
"command"="C:\\Program Files\\ABIT\\uGuru\\uGuru.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-06-08 at 21:18:59 ---------
Attached file: extra.txt (7.7 KB)

Last edited by Cueshark; 06-08-2007 at 02:23 PM.
Old 06-08-2007, 05:45 PM   #5 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,947
OS: Windows 7 Ultimate


Re: Smitfraud888toolbar - yada yada yada

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

P2P Software

P2P - I see you have P2P software µTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

---------------------------------------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

---------------------------------------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Spyware Nuker XT - This is a rogueware program and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Ê¢´óDJMax


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\knuihksd.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKCU\..\Run: [BPS Remover] C:\Program Files\BPS Remover\SpyRem.exe

Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\knuihksd.dll
C:\Program Files\Spyware Nuker
C:\Program Files\BPS Remover
C:\Program Files\Ê¢´óÍøÂç


---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Run Deckard's System Scanner (dss.exe) again, and post the resulting log.

---------------------------------------------------------------------------------------------

How is your computer behaving?

---------------------------------------------------------------------------------------------

Please include the following in your next reply:

Panda Results
C:\Deckard\System Scanner\main.txt
How is system Behaving?
__________________


Proud Member of ASAP
Proud Member of UNITE

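As an added example (not code from this thread, from HijackThis or from DSS), here is a small Python script that applies the same triage forhockey did by hand to the two log formats pasted in this thread: it flags freshly created system32 files with random-looking 8-letter names and no publisher tag, nameless O2 BHO entries that load one of those files, orphaned "(no file)" BHOs, and O4 Run entries that launch the rogue products named above. The 8-letter rule and the rogue-product folder list are assumptions made for the example, and the sample log lines are constructed from entries quoted in this thread.

```python
"""Triage helper for the HijackThis and Deckard's System Scanner (DSS)
log formats posted in this thread. Added example: not code from the
thread, from HijackThis or from DSS. It mechanises the heuristics the
helper applied by hand; the 8-letter rule and the rogue-product folder
list are assumptions made for this example."""
import re
from dataclasses import dataclass

# DSS "Files created" line: date time size attrs path [<Not Verified; publisher; description>]
DSS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <(?P<tag>[^>]*)>)?$"
)
# HijackThis O2 (Browser Helper Object) and O4 (Run key) lines
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<item>[^\]]+)\] (?P<cmd>.+)$")

# Heuristic (assumption): eight lowercase letters, like knuihksd.dll or bltpljta.exe
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")
SYSTEM32 = "c:\\windows\\system32\\"
# Rogue products the thread tells the poster to remove (assumed list for this example)
ROGUE_PRODUCT_DIRS = ("\\spyware nuker\\", "\\bps remover\\")


@dataclass
class Finding:
    severity: str  # "high" or "low"
    reason: str
    line: str


def suspicious_system32_files(lines):
    """Return lowercase paths of random-named, unverified files in system32."""
    found = set()
    for line in lines:
        m = DSS_FILE_RE.match(line)
        if not m or m["attrs"].startswith("d"):
            continue  # no match, or a directory rather than a loadable module
        low = m["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        # A publisher tag (<Not Verified; Microsoft ...>) still names the vendor,
        # so tagged files such as LMRTREND.dll are deliberately not flagged.
        if low.startswith(SYSTEM32) and RANDOM_NAME_RE.match(name) and m["tag"] is None:
            found.add(low)
    return found


def triage(log_text):
    """Run the heuristics over a pasted log and return the findings in log order."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    bad_files = suspicious_system32_files(lines)
    findings = []
    for line in lines:
        m = DSS_FILE_RE.match(line)
        if m:
            if m["path"].lower() in bad_files:
                findings.append(Finding("high", "random-named, unverified file in system32", line))
            continue
        m = O2_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding("low", "orphaned BHO entry (no file)", line))
            elif m["name"] == "(no name)" and m["path"].lower() in bad_files:
                findings.append(Finding("high", "nameless BHO loads a flagged DLL", line))
            continue
        m = O4_RE.match(line)
        if m and any(d in m["cmd"].lower() for d in ROGUE_PRODUCT_DIRS):
            findings.append(Finding("high", "Run entry launches a rogue anti-spyware product", line))
    return findings


# Constructed sample, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
2007-06-08 05:27:41 58420 --a------ C:\WINDOWS\system32\knuihksd.dll
2007-06-07 19:52:04 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-06-07 05:22:15 55316 --a------ C:\WINDOWS\system32\foamfayx.dll
2007-06-06 05:23:13 14868 --a------ C:\WINDOWS\system32\bltpljta.exe
2007-06-06 01:19:04 0 d-------- C:\Program Files\INAC
2007-05-31 00:36:31 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(TM) Operating System>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\knuihksd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKCU\..\Run: [BPS Remover] C:\Program Files\BPS Remover\SpyRem.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Note that Spybot's SDHelper.dll is also registered as a "(no name)" BHO, which is why the script only flags a nameless BHO when its DLL was itself flagged by the file heuristic.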
Old 06-09-2007, 05:18 AM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

My computer is running better I think.

The pop ups have stopped anyways :>

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\naip4qi8.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@888[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Owner\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs37.zip[e-apcs3.rar][Crack\photoshop.cs3.beta.20061208.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Owner\My Documents\Downloads\MagicISO Maker 5.4 + Serial\Magic ISO Maker 5.4 Build 239.exe
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\fxseyich.dll.vir
Virus:Trj/Downloader.ORT Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\ygpadbai.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Virus:Trj/Clicker.ACO Disinfected C:\WINDOWS\system32\bltpljta.exe
Adware:Adware/Borlander Not disinfected E:\application essentials\BaoFeng.exe[stormupd.dll]
Potentially unwanted tool:Application/NirCmd.A Not disinfected E:\IMPORTANT BACKUPS\SPYWARE REPAIR\ComboFix.exe[nircmd.exe]

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-06-09 12:13:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Intes KeyChange\KeyChange.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net...gXPWizCredOnly
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Intes KeyChange.lnk = C:\Program Files\Intes KeyChange\KeyChange.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgemc.exe


-- Files created between 2007-05-09 and 2007-06-09 -----------------------------

2007-06-09 03:04:36 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-09 03:04:34 0 d-------- C:\WINDOWS\LastGood
2007-06-09 02:52:42 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-06-09 02:52:42 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-06-09 02:52:42 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-06-09 02:52:42 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-06-09 02:52:42 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-06-09 02:52:42 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-06-09 02:52:42 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-06-09 02:52:42 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-06-09 02:52:42 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-06-09 02:52:42 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-06-09 02:52:42 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-06-09 02:52:41 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-06-09 02:52:41 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-06-09 02:52:41 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-06-08 21:25:12 0 d-------- C:\Program Files\MSXML 4.0
2007-06-08 21:12:21 0 d-------- C:\Avenger
2007-06-07 20:08:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-06-07 19:54:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-06-07 19:54:19 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-07 19:52:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-06-07 19:52:04 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-06-07 19:48:38 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2007-06-07 19:48:38 0 d-------- C:\Program Files\DAEMON Tools
2007-06-07 19:43:05 96256 --a------ C:\WINDOWS\system32\drivers\sptd1165.sys
2007-06-07 19:43:05 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-06 23:02:46 0 d--h----- C:\WINDOWS\PIF
2007-06-06 01:19:20 67645 --a------ C:\WINDOWS\system32\drivers\pshook11.sys <Not Verified; TrekBlue, LLC; Anti-Virus Engine>
2007-06-06 01:19:04 0 d-------- C:\Program Files\INAC
2007-06-06 01:17:44 118784 --a------ C:\WINDOWS\system32\msstdfmt.dll <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-06-06 01:17:43 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-06-05 12:52:00 0 d-------- C:\Program Files\HyCam2
2007-06-05 03:37:56 0 d---s---- C:\Documents and Settings\Owner\UserData
2007-06-03 19:44:19 0 d-------- C:\temp
2007-06-03 19:05:17 0 d-------- C:\Program Files\THQ
2007-06-03 18:47:49 0 d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-06-03 18:47:41 0 d-------- C:\Program Files\Lavasoft
2007-06-03 18:11:00 0 d-------- C:\Program Files\Common Files\Adobe
2007-06-03 18:09:39 0 dr-h----- C:\$VAULT$.AVG
2007-06-03 17:56:01 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-06-03 17:55:59 0 d-------- C:\Program Files\uTorrent
2007-06-03 17:47:22 0 d-------- C:\Program Files\MagicISO
2007-06-02 19:21:11 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-02 18:51:11 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2007-06-02 18:50:40 0 d-------- C:\Program Files\Combined Community Codec Pack
2007-06-02 16:16:40 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2007-06-02 16:12:56 0 d-------- C:\Program Files\VideoLAN
2007-06-02 16:09:31 0 d-------- C:\Program Files\Windows Media Connect 2
2007-06-02 16:08:53 0 d-------- C:\WINDOWS\system32\LogFiles
2007-06-02 16:08:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-02 15:40:14 0 d-------- C:\Program Files\directx
2007-06-02 15:39:55 0 d-------- C:\Program Files\NVIDIA Corporation
2007-06-02 15:37:18 0 d-------- C:\Program Files\Intes KeyChange
2007-06-02 15:36:03 0 d--h----- C:\WINDOWS\msdownld.tmp
2007-06-02 15:08:01 0 d-------- C:\Documents and Settings\Owner\Application Data\teamspeak2
2007-06-02 15:07:46 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-06-02 14:48:25 0 d-------- C:\WINDOWS\nview
2007-06-01 01:08:40 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-06-01 00:59:44 0 d-------- C:\Fraps
2007-05-31 23:36:04 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-05-31 23:19:36 0 d-------- C:\Program Files\Ringz Studio
2007-05-31 20:25:38 0 d-------- C:\Program Files\Steam
2007-05-31 19:47:26 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-05-31 19:16:23 0 d-------- C:\WINDOWS\NV23322580.TMP
2007-05-31 19:13:18 0 d-------- C:\WINDOWS\NV9281364.TMP
2007-05-31 19:02:00 0 d-------- C:\WINDOWS\NV9361368.TMP
2007-05-31 18:54:02 0 d-------- C:\WINDOWS\NV9281360.TMP
2007-05-31 02:11:09 0 d-------- C:\Program Files\Citrus Alarm Clock
2007-05-31 01:46:25 0 d-------- C:\Program Files\Ê¢´óÍøÂç
2007-05-31 00:56:50 0 d-------- C:\Program Files\mIRC
2007-05-31 00:50:36 0 d-------- C:\Documents and Settings\Owner\Contacts
2007-05-31 00:50:24 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-05-31 00:48:56 0 d-------- C:\Program Files\MSN Messenger
2007-05-31 00:41:19 0 d-------- C:\WINDOWS\NV1516936.TMP
2007-05-31 00:40:46 0 d-------- C:\NVIDIA
2007-05-31 00:37:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-31 00:37:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-05-31 00:36:31 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2007-05-31 00:36:31 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows(TM) Operating System>
2007-05-31 00:36:30 63488 --a------ C:\WINDOWS\system32\unam4ie.exe <Not Verified; Microsoft Corporation; DirectShow>
2007-05-31 00:36:29 4608 --a------ C:\WINDOWS\system32\w95inf32.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-05-31 00:36:29 2272 --a------ C:\WINDOWS\system32\w95inf16.dll <Not Verified; Microsoft Corporation; Microsoft® Plus! for Windows® 95>
2007-05-31 00:36:29 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-05-31 00:36:29 194320 --a------ C:\WINDOWS\system32\qcut.dll <Not Verified; Microsoft Corporation; DirectShow>
2007-05-31 00:36:20 0 d-------- C:\Team17
2007-05-31 00:36:11 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-05-31 00:36:08 0 d-------- C:\Documents and Settings\Owner\WINDOWS
2007-05-31 00:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-05-31 00:17:00 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-05-31 00:16:55 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-05-31 00:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-05-31 00:16:48 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-05-31 00:10:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-05-31 00:00:23 0 d-------- C:\WINDOWS\system32\PreInstall
2007-05-30 23:52:21 0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2007-06-03 19:00:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-31 00:14:57 0 d-------- C:\Program Files\Messenger
2007-04-20 06:05:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-04-20 06:05:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-04-20 06:05:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-20 06:05:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-20 06:05:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-04-20 06:05:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-04-20 06:05:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-04-20 06:05:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"nwiz"="nwiz.exe /install"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uGuru"
"hkey"="HKCU"
"command"="C:\\Program Files\\ABIT\\uGuru\\uGuru.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\autorun.exe
Old 06-10-2007, 06:33 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

Smitfraud is still showing in the spybot search - I won't fix anything myself till I get the ok from you.

But the symptoms have gone....antivirus 07 pop ups have stopped and it seems ok.
Old 06-10-2007, 06:47 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Smitfraud888toolbar - yada yada yada

Sorry for the delay....forhockey is away from the computer for a few days. We'll be looking in on his threads.

Where is Spybot finding the items? If you have already closed the application, please do this:

Run SpyBot, check for problems, and fix all red items. When it's finished, right-click and choose copy results (not full report) to clipboard, and paste that back here please.

---------------------------------------

Can you tell me what this folder is?

C:\Program Files\Ê¢´óÍøÂç (it may not appear as those exact characters). It was created shortly after mIRC was installed.

2007-05-31 01:46:25 0 d-------- C:\Program Files\Ê¢´óÍøÂç

Here's the entry from DSS:

Ê¢´óDJMax --> C:\Program Files\Ê¢´óÍøÂç\Ê¢´óDJMax\uninst.exe

Is this just DJMax? And Windows is having difficulty translating some characters?

---------------------------------------

Clear your Firefox cookies. From the open browser, go to Tools > Options > Privacy > Cookies > Clear

---------------------------------------

Delete the following:

C:\Documents and Settings\Owner\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs37.zip <<crack!
C:\Documents and Settings\Owner\My Documents\Downloads\MagicISO Maker 5.4 + Serial\Magic ISO Maker 5.4 Build 239.exe
E:\application essentials\BaoFeng.exe


---------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 06-10-2007 at 06:50 PM.
Old 06-10-2007, 07:04 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

I should have mentioned that - Yeah it's Dj max but I don't have the Chinese language pack so windows does the best it can :P

Doing the other stuff now.

Thanks :D
Old 06-10-2007, 07:12 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

SpyBot Log
*********

Microsoft.WindowsSecurityCenter.FirewallOverride: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Smitfraud-C.Toolbar888: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, fixed)


Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-05-31 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-06 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-06 Includes\DialerC.sbi (*)
2007-05-30 Includes\Hijackers.sbi (*)
2007-06-06 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-06-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-05-30 Includes\Malware.sbi
2007-06-06 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-06 Includes\PUPSC.sbi (*)
2007-06-06 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-06 Includes\SecurityC.sbi (*)
2007-06-06 Includes\Spybots.sbi (*)
2007-06-06 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-05-16 Includes\Trojans.sbi
2007-06-06 Includes\TrojansC.sbi (*)

SmitFraudFix v2.195
***************

Scan done at 2:10:19.76, 11/06/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Steam\Steam.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AFB492C1-9919-4CCB-BA2B-1BBF645DBF9D}: NameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks again.
Old 06-10-2007, 08:18 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Smitfraud888toolbar - yada yada yada

Those items are tracking cookies.

Cookies are nothing to be worried about. They get installed on your computer every time you visit any webpage. Now some of those are good cookies that get installed for ease of use the next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click the small triangle next to cookies to expand that tab and put a check next to "for the originating website only". This will prevent third party cookies from being installed on your computer.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check to "Always allow session cookies" OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. It blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox, and restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

Your logs appear clean. We still have a few items to address.

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free antivirus products which are available. Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 06-11-2007, 01:11 AM   #12 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

Thanks a lot.

One more thing.

My AVG scan detected a Generic4.YAR Trojan or something like that.

See attached.
Attached Images
File Type: jpg reporttroj.JPG (26.4 KB, 4 views)
Old 06-11-2007, 09:10 AM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Smitfraud888toolbar - yada yada yada

If you're referring to the hosts file change, did you install the MVPS hosts file? If so, that finding is to be expected.

The other finding appears to be a backups folder, likely created by the use of HijackThis. That folder can also be deleted.
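Two of tetonbob's posts above touch the hosts file: the post recommending the MVPS hosts file (ad domains pointed at 127.0.0.1 so the connection never leaves the machine) and the later one noting that an antivirus flagging a hosts-file change is expected once that file is installed. What separates a protective hosts file from a hijacked one is the address side of each line: entries that point a name at loopback or 0.0.0.0 block it, while entries that point a real hostname at a routable address silently redirect it. The Python below is an added example, not code from the thread or from the MVPS project: it parses a constructed hosts file in that style, classifies each entry, and lists the redirect-style lines. The sample is constructed for the example; the example.com/example.net hostnames and the 203.0.113.7 address on the redirect lines are placeholders (203.0.113.0/24 is a documentation range), and router.home is an invented LAN entry.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: MVPS-style block entries (loopback / 0.0.0.0), one LAN
# name, and two lines in the style of a hosts hijack. Not a real file.
SAMPLE_HOSTS = """\
# MVPS-style header comment
127.0.0.1   localhost
::1         localhost
0.0.0.0     ad.doubleclick.net
0.0.0.0     fastclick.net  www.fastclick.net
127.0.0.1   avenuea.com        # older releases used 127.0.0.1 rather than 0.0.0.0
192.168.0.1 router.home
203.0.113.7 www.example.com
203.0.113.7 update.example.net
"""

# Explicit LAN ranges. ipaddress.is_private also treats the documentation
# ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as non-global, which would
# hide the sample's redirects, so the check is spelled out instead.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs. Comments after '#' and blank lines
    are dropped; a line naming several hosts yields one pair per host."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed; the resolver skips it too
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def classify(address: str, hostname: str) -> str:
    """blocked: name sent to loopback/0.0.0.0 (what the MVPS file does);
    localhost: the stock entry; lan: private address; redirect: routable."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        return "localhost" if hostname == "localhost" else "blocked"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "redirect"


def audit_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in the file to its classification."""
    return {host: classify(addr, host) for addr, host in parse_hosts(text)}


def hijacked(text: str) -> List[str]:
    """Hostnames the file redirects to a routable address."""
    return sorted(h for h, c in audit_hosts(text).items() if c == "redirect")


def hosts_lookup(text: str, hostname: str) -> Optional[str]:
    """Address the resolver would use for hostname, or None if not listed."""
    for addr, host in parse_hosts(text):
        if host == hostname.lower():
            return addr
    return None


if __name__ == "__main__":
    for host, kind in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:10} {host}")
    print("hijack-style entries:", hijacked(SAMPLE_HOSTS))
```

On Windows XP the file is C:\WINDOWS\system32\drivers\etc\hosts, so `audit_hosts(open(path).read())` runs the same check against the live file. A "blocked" result for an ad domain is exactly what the MVPS file is meant to produce and is why a scanner may complain about it; a "redirect" for an update or security-vendor hostname is the finding that should never be explained away.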
Old 06-11-2007, 09:46 AM   #14 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 16
OS: XP Pro


Re: Smitfraud888toolbar - yada yada yada

Ok I'll do that....

So the Generic4 Trojan it finds is actually a backup file created by Hijack this?

Phew!

I'll sort it out when I get home.

Thanks....

Spy Bot doesn't pick up any Smitfraud now so I'm very happy!

Thanks very much.
Old 06-11-2007, 10:15 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Smitfraud888toolbar - yada yada yada

Since your screenshot doesn't show the name of the threat, I can only surmise that's what it is.

The backup dll correlates timewise with an item we removed with HijackThis, and that naming convention shown in your screenshot follows what HJT does.

You should be fine now.

Cheers!
 


Copyright 2001 - 2009, Tech Support Forum