Free Malware Removal Forum

[cyberhippie]

Hi, Im having some problems, trying to help out a friend with her computer..

using ad aware pro, norton coperate.

these two tools find the problems but cant clean it...
popups like no other, w/ missing nail.exe....
I understand that is the aurora nasty.

I do have a question.. can this stuff get spread through a network to other machines, and can they effect the router? (firmware or traffic that never use and internal machine..

I have delt with a domain hack in the past, so Im not completley clueless.
I noticed that these kind of infestations are unique as far as how the file are so I could use some help anylizing this log...

Thanks a million

[cyberhippie]

Logfile of HijackThis v1.99.1
Scan saved at 2:42:21 AM, on 9/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QW5uYQAA\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\jgbasvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ps1.exe
C:\WINDOWS\xrlfdll.EXE
C:\WINDOWS\xrlfenc.EXE
C:\DOCUME~1\MACDAD~1\LOCALS~1\Temp\See04152005.exe
C:\WINDOWS\System32\cluio600.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ooatww.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Anna\LOCALS~1\Temp\Rar$EX01.377\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshljhe.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsi47.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\System32\ps1.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevmj32.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [xrlfdll] C:\WINDOWS\xrlfdll.EXE
O4 - HKLM\..\Run: [xrlfenc] C:\WINDOWS\xrlfenc.EXE
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\MACDAD~1\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [r32j32U] cluio600.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [01OL6T3h5] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [ibyx] C:\WINDOWS\ibyx.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [aqpglb] c:\windows\system32\nvhrsef.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [01OL6T3h$æÆõö/ØG%)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [01OL6T3h$æÆßfÃ

[askey127]

cyberhippie,

This log is in the running for a spot in the "Most Spyware/Adware/Malware Hall of Fame".
Right up front, It is not a certainty that this machine can be cleaned, given the number of infections and the unpatched OS.
Trying to fix it without patching the OS would be mostly a waste of my time and yours, since the resident infections would draw new ones faster than we could fix them.
I will recommend here running Ewido, then immediately updating the OS to Service Pack 1a. (NOT SP2)
If the OS update cannot be done for any reason, we will not be able to assist further.
-----------------------------------------------------------
Please download, install, and update the free trial version of Ewido trojan scanner: from here : http://www.ewido.net/en/download/
* Install ewido security suite
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido, there should be an icon on your desktop. Double-click it.
* The program will now go to the main screen
* On the left hand side of the main screen click update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can also use the download link http://www.ewido.net/en/download/ to manually update ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
Extra instructions are here if you need them.
-----------------------------------------------------------
Close all open windows/programs/folders. Have NOTHING else open while ewido performs its scan!
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
* Let it fix whatever it finds
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
-----------------------------------------------------------
ReBoot the machine. Do NOT browse the internet.
-----------------------------------------------------------
Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, per below.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply. Please do not use Word Wrap when you paste in the reply.
Please also post the Ewido log in your reply.

askey127

[cyberhippie]

Ok.. some interesting results!

I installed the scanner that you recomended, (I had it on hand cause I new I would need it) and the updates..

restarted into safe mode......................... no video, the boot failed! (never heard of it no reference on a google search)
changed display resolution, uninstalled the scanner, tried to boot to safemode again. Failed!
booted normaly, reinstalled the scanner, ran the scan, 182 infected files, removed them all, rebooted into safe mode : had the same problem... (safemode dosent work) then re-ran the sp1a install, both times said that the xp key had ben compromized and the machine was running pirated software. (I have had the same problem with a domain hack 8 months ago: bi-product of the infestation)(this is the major reason I didnt update the os as of yet.. these things have an efficant way of corrupting the download or redirecting of the update. this I know.)

so, I think Im screwed, unless someone knows anything about failing safe mode boots!
there is considerably less malicous activity since I scanned with Ewido.
This is a good sign.. but isnt permanent.
Sorry I wasn't able to follow you instrunction to the letter... though I tried...

Where do I go from here?

need some majic.......

I had a good laugh about the hall of fame (shame) nomination!

by the way.. this is a friends machine..

the first time I scanned this machine w/ adaware pro, it returned 860 pieces of spy/adware, so Im not supprised, rather amazed...

hopefully this is better....

thanks for the help!


Logfile of HijackThis v1.99.1
Scan saved at 3:57:16 PM, on 9/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\QW5uYQAA\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\MACDAD~1\LOCALS~1\Temp\See04152005.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\kuxrdyw.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Ahead\nero\nero.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Anna\LOCALS~1\Temp\Rar$EX00.226\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll (file missing)
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshljhe.dll (file missing)
O2 - BHO: FlashEnhancer Ext - {5EDB03AF-0341-4e96-9E9B-3171522E4BAF} - c:\Program Files\Fla\fla.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsi47.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevmj32.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\MACDAD~1\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [01OL6T3h5] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [ibyx] C:\WINDOWS\ibyx.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [aqpglb] c:\windows\system32\nvhrsef.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [01OL6T3h$æÆõö/ØG%)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [01OL6T3h$æÆßfÃ

[askey127]

cyberhippie,

I can give you some (a lot of) things you can do here, then I will have to say I can't help further.
In the present circumstance, the chance of fixing this machine is zero.
If the system CD exists, XP probably should be be re-installed to allow critical updates.

Meanwhile, this sequence is my best shot.
You will NOT be able to remove Searchmiracle/Elite Toolbar without Safe Mode, and some of the files below may not delete in Normal Mode either.
Re-infections are likely before you even get these removed.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Move HijackThis into its own folder. It is now in a temporary folder whose contents may get deleted. This would destroy the backups made by HiJackThis.
To make a new permanent folder: Go to My Computer, doubleclick C:
- Click File, New, Folder
- type in HJT
You now have a new folder at C:\HJT\. Copy all the HijackThis files from your present location into the new folder.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start,Settings,Control Panel or Start,Control Panel, click Add/Remove Programs.
Highlight the following entries, one by one, if they exist, and choose Remove :
NewDotNet
Sysnet
IST Toolbar
IST Svc
Bargain Buddy
Cashback
Cashback Buddy
Bullseye Network
Bullseye Networks
Surf Sidekick
Surf SideKick 2
Surf SideKick 3
Media Access
Internet Optimizer
Wild Tangent
WinTools
Win AD Tools
180Search
180Search Assistant
IEPlugin
FlashTEnhancer
FlashTtoolbar
Booked Space
Flash Enhancer
Broadcast PC
PeDevice

Take extra care in answering any questions posed by any uninstaller. Some questions may be worded to deceive you into choosing to keep the program.
After any uninstall, reboot if requested.
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
[b][color=red]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <http://searchmiracle.com/sp.php>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <http://search.ieplugin.com/search.htm>
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <http://www.websearch.com/ie.aspx?tb_id=50245>
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = <http://search.ieplugin.com/q.cgi?q=%s>
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll (file missing)
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitevmj32.exe
O4 - HKLM\..\Run: [Sysnet] C:\WINDOWS\System32\snuninst.exe
O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\MACDAD~1\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [01OL6T3h5] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [ibyx] C:\WINDOWS\ibyx.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [aqpglb] c:\windows\system32\nvhrsef.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [01OL6T3h$æÆõö/ØG%)C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\cumca.exe
O4 - HKLM\..\Run: [01OL6T3h$æÆßfÃ

[askey127]

cyberhippie,
There's also a good chance you have a Bube infection. Don't know whether you can fix it, but info on how the removal is done is in our public library here :
http://forum.malwareremoval.com/viewtopic.php?t=232

askey127

[NonSuch]

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.