Missing Wallpaper; Only sidebar & desktop icons/shortcuts are disp

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

Missing Wallpaper; Only sidebar & desktop icons/shortcuts are disp, I once had that PRIVACY DANGER wallpaper, I followed the steps in '

Options

dressydoll View Member Profile	May 21 2008, 05:46 AM Post #1
Member Posts: 12 From: Cavite OS: XP SP2	I had deleted the 'privacy_danger' folder in WINDOWS, but it said that 'CANNOT FIND FILE privacy_danger/index.htm. blah blah' and got a white screen desktop. I followed the steps in 'BEFORE POSTING A HIJACKTHIS LOG'. And what I got was just a sidebar 'FILE & FOLDER TASK' in Internet Explorer. Below is my HIJACKTHIS LOG. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:44:21 PM, on 5/21/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\VistaDrive\VistaDrive.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing) O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O13 - Gopher Prefix: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O24 - Desktop Component 0: Privacy Protection - (no file) -- End of file - 4948 bytes What I got? This post has been edited by dressydoll: May 23 2008, 03:33 PM

sage5 View Member Profile	May 21 2008, 06:47 AM Post #2
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi dressydoll, Welcome to Geeks to Go! My name is sage5, and I will be helping you with this problem. Please download the following & save to your Desktop: Deckard's System Scanner OTMoveIt2 by OldTimer. Run HijackThis. Click the Do a system scan only button. Check the boxes for the all the entries listed below: O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing) O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O24 - Desktop Component 0: Privacy Protection - (no file) Now close all windows other than HijackThis and click Fix Checked. Close HijackThis. Run Deckard's System Scanner: Close all other windows before proceeding. Double click on the dss.exe file on your Desktop and follow the prompts. Scans will run, and 2 text files will open in Notepad. Close both of the text files. These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt extra.txt in your next reply. Cheers, sage5

dressydoll View Member Profile	May 22 2008, 06:24 AM Post #3
Member Posts: 12 From: Cavite OS: XP SP2	Hi Sage. Here's your request. main.txt Deckard's System Scanner v20071014.68 Run by Owner on 2008-05-22 08:10:41 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- CreateFirstRunRp is disabled or missing; attempting to fix...success. Failed to create restore point; unknown error code 0x00000001 Backed up registry hives. Performed disk cleanup. Total Physical Memory: 223 MiB (512 MiB recommended). -- HijackThis (run as Owner.exe) ----------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:11:51 AM, on 5/22/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Documents and Settings\Owner\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O13 - Gopher Prefix: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O24 - Desktop Component 0: Privacy Protection - (no file) -- End of file - 4529 bytes -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) ----------- backup-20080522-074911-211 O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') backup-20080522-074911-289 O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') backup-20080522-074911-371 O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') backup-20080522-074911-410 O24 - Desktop Component 0: Privacy Protection - (no file) backup-20080522-074911-509 O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe backup-20080522-074911-557 O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE') backup-20080522-074911-841 O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing) backup-20080522-074911-944 O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') -- File Associations ----------------------------------------------------------- .js - jsfile - DefaultIcon - unable to read value .js - jsfile - shell\open\command - unable to read value .reg - regfile - shell\open\command - regedit.exe "%1" %* .scr - scrfile - shell\open\command - "%1" %* .vbs - vbsfile - DefaultIcon - unable to read value .vbs - vbsfile - shell\open\command - unable to read value .vbs - vbsfile - shell\edit\command - unable to read value -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- All services whitelisted. -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Files created between 2008-04-22 and 2008-05-22 ----------------------------- 2008-05-21 18:36:21 0 d-------- C:\Program Files\Panda Security 2008-05-21 18:36:18 1829 --a------ C:\WINDOWS\mozver.dat 2008-05-21 17:56:59 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE 2008-05-21 17:38:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-05-21 17:37:44 0 d-------- C:\Program Files\SUPERAntiSpyware 2008-05-21 17:37:44 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2008-05-21 17:37:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-21 17:21:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2008-05-21 17:21:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-05-21 17:21:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-21 17:20:48 0 d-------- C:\Program Files\Common Files\Download Manager 2008-05-21 17:04:35 0 d-------- C:\Program Files\Trend Micro 2008-05-19 11:14:31 0 d-------- C:\Documents and Settings\Guest\Application Data\WinRAR 2008-05-12 00:26:06 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla 2008-05-11 23:25:32 18088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2008-05-09 11:25:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems 2008-05-09 11:11:19 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared 2008-05-09 11:05:07 0 d-------- C:\Program Files\Common Files\Adobe 2008-05-09 06:47:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso 2008-05-09 06:46:18 0 d-------- C:\Program Files\VSO 2008-05-09 05:10:05 0 d-------- C:\Program Files\twhirl 2008-04-25 08:34:14 0 d-------- C:\Program Files\CoreFTP 2008-04-24 21:40:46 0 d-------- C:\Documents and Settings\Guest\C 2008-04-23 23:32:40 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR 2008-04-23 22:15:19 0 d-------- C:\Documents and Settings\Guest\Application Data\Yahoo! 2008-04-23 18:08:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla -- Find3M Report --------------------------------------------------------------- 2008-05-21 22:45:57 0 d-------- C:\Documents and Settings\Owner\Application Data\CoreFTP 2008-05-21 22:32:14 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-05-21 22:31:34 0 d-------- C:\Program Files\Common Files\InstallShield 2008-05-21 22:00:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe 2008-05-21 17:37:07 0 d-------- C:\Program Files\Common Files 2008-05-20 20:17:03 0 dr-h----- C:\Documents and Settings\Owner\Application Data\yahoo! 2008-05-20 20:16:33 0 d-------- C:\Program Files\Yahoo! 2008-04-21 20:02:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera 2008-04-21 03:08:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Help 2008-04-17 23:30:48 0 d-------- C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1 2008-04-17 23:28:26 0 d-------- C:\Program Files\Common Files\Adobe AIR 2008-04-17 14:08:42 0 -rahs---- C:\MSDOS.SYS 2008-04-17 14:08:42 0 -rahs---- C:\IO.SYS 2008-04-17 14:08:42 0 --a------ C:\CONFIG.SYS 2008-04-17 14:08:42 0 --a------ C:\AUTOEXEC.BAT 2008-04-17 14:05:03 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat 2008-04-17 14:04:16 0 d-------- C:\Program Files\Online Services 2008-04-17 14:03:27 0 d-------- C:\Program Files\Windows Media Connect 2 2008-04-17 14:03:18 0 d-------- C:\Program Files\Foxit 2008-04-17 14:03:06 0 d-------- C:\Program Files\MSN Gaming Zone 2008-04-17 14:02:53 0 d-------- C:\Program Files\Windows NT 2008-04-17 09:55:10 0 d-------- C:\Program Files\Common Files\ODBC 2008-04-17 09:55:04 0 d-------- C:\Program Files\Common Files\SpeechEngines 2008-04-17 09:54:34 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini 2008-04-17 04:03:51 0 d-------- C:\Program Files\Java 2008-04-17 03:35:22 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia 2008-04-17 03:27:35 0 d-------- C:\Program Files\Microsoft ActiveSync 2008-04-17 03:21:46 0 d-------- C:\Program Files\Kaspersky Lab 2008-04-17 03:16:31 0 d-------- C:\Program Files\VIA 2008-04-17 02:52:30 121853 --a------ C:\DMKeygen_packed.exe 2008-04-17 02:52:22 0 d-------- C:\Program Files\Driver Magician 2008-04-17 02:49:33 0 d-- extra.txt Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Professional (build 2600) SP 2.0 Architecture: X86; Language: English CPU 0: Intel® Pentium® 4 CPU 1.70GHz Percentage of Memory in Use: 64% Physical Memory (total/avail): 222.48 MiB / 79.6 MiB Pagefile Memory (total/avail): 545.64 MiB / 262.33 MiB Virtual Memory (total/avail): 2047.88 MiB / 1913 MiB C: is Fixed (NTFS) - 9.49 GiB total, 5.51 GiB free. \\.\PHYSICALDRIVE0 - SAMSUNG SV1022D - 9.5 GiB - 1 partition \PARTITION0 (bootable) - Installable File System - 9.49 GiB - C: -- Security Center ------------------------------------------------------------- AUOptions is set to notify before install. Windows Internal Firewall is disabled. Unable to create WMI object. -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and Settings\Owner\Application Data CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=22NDSTRE-CEFA6F ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Documents and Settings\Owner LOGONSERVER=\\22NDSTRE-CEFA6F NUMBER_OF_PROCESSORS=1 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files\ImageConverter Plus;C:\Program Files\Common Files\Adobe\AGL PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0103 ProgramFiles=C:\Program Files PROMPT=$P$G SESSIONNAME=Console SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp USERDOMAIN=22NDSTRE-CEFA6F USERNAME=Owner USERPROFILE=C:\Documents and Settings\Owner windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- Owner (admin) Guest (guest) -- Add/Remove Programs --------------------------------------------------------- Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F} Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103} Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39} Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001} Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D} Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001} Core FTP LE 2.1 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG CPL All-in-One --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CPLBonus.inf,CPLuninstall Driver Magician 3.27 --> "C:\Program Files\Driver Magician\unins000.exe" HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060} Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050} Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920} Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920} Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe" Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7} Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Btw, can I now delete the Deckard file folder?

sage5 View Member Profile	May 22 2008, 06:26 AM Post #4
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	The Main.txt seems to have got cut off at: QUOTE 2008-04-17 02:52:22 0 d-------- C:\Program Files\Driver Magician 2008-04-17 02:49:33 0 d-- Please double check that it all got posted The Extra .txt file got cut off at QUOTE Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe Can you send me the rest of those files please? Cheers, sage5 This post has been edited by sage5: May 22 2008, 06:33 AM

dressydoll View Member Profile	May 22 2008, 06:31 AM Post #5
Member Posts: 12 From: Cavite OS: XP SP2	I don't know what happened but the file here of EXTRA.txt was really ended at the texts you've quoted. What should I do?

sage5 View Member Profile	May 22 2008, 06:34 AM Post #6
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Did the scan get interrupted at all?

dressydoll View Member Profile	May 22 2008, 06:36 AM Post #7
Member Posts: 12 From: Cavite OS: XP SP2	I don't think so because the scan was completed and closed automatically after it was done.

sage5 View Member Profile	May 22 2008, 06:40 AM Post #8
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	OK, we will continue on. Please download the following & save to your Desktop: ComboFix Fix File Associations: Go to Start > Run and type or paste "%userprofile%\desktop\dss.exe" /daft Click on the Scan button. Place a checkmark next to all the entries that appear in red Click the Fix button. Re-scan and save the logfile. This will default to daft.txt Save it to your C:\ drive, I'll need that log later. If everything is ok again, it should display the "all associations ok message" Run ComboFix: Double click combofix.exe and follow the prompts. When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply Log file will be C:\Combofix.txt Note: Do not mouseclick combofix's window while its running. That may cause it to stall Cheers, sage5 This post has been edited by sage5: May 22 2008, 06:40 AM

dressydoll View Member Profile	May 22 2008, 07:22 AM Post #9
Member Posts: 12 From: Cavite OS: XP SP2	Here's the combofix.txt ComboFix 08-05-21.2 - Owner 2008-05-22 8:50:12.1 - NTFSx86 Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\CMMGR32.EXE . ((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 ))))))))))))))))))))))))))))))) . 2008-05-22 08:48 . 2008-05-22 09:01 <DIR> d-------- C:\QooBox 2008-05-22 08:48 . 2008-05-22 09:07 <DIR> d-------- C:\ComboFix 2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard 2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard 2008-05-21 21:58 . 2008-05-21 20:24 3 --a------ C:\WINDOWS\Twain001.Mtx 2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk003.MTX 2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk002.MTX 2008-05-21 18:36 . 2008-05-21 18:38 <DIR> d-------- C:\Program Files\Panda Security 2008-05-21 18:36 . 2008-05-21 18:36 1,829 --a------ C:\WINDOWS\mozver.dat 2008-05-21 17:38 . 2008-05-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-05-21 17:37 . 2008-05-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-05-21 17:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-21 17:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-21 17:20 . 2008-05-21 17:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-20 21:40 . 2008-05-20 21:41 588,948 --a------ C:\WINDOWS\Tec21.jpg 2008-05-19 23:58 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2008-05-19 23:58 . 2007-03-07 19:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2008-05-19 23:58 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-05-19 23:58 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-05-11 23:25 . 2008-05-11 23:25 18,088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2008-05-09 11:25 . 2008-05-09 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems 2008-05-09 11:11 . 2008-05-09 11:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared 2008-05-09 11:05 . 2008-05-21 21:53 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-05-09 06:47 . 2008-05-19 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso 2008-05-09 06:46 . 2008-05-09 06:46 <DIR> d-------- C:\Program Files\VSO 2008-05-09 05:10 . 2008-05-09 05:10 <DIR> d-------- C:\Program Files\twhirl 2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\CoreFTP 2008-04-24 21:40 . 2008-04-24 21:40 <DIR> d-------- C:\Documents and Settings\Guest\C 2008-04-23 17:14 . 2004-04-19 17:53 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-22 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-05-22 05:46 275,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-05-22 05:46 22,004 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-05-22 05:46 159,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-05-22 05:46 11,872,032 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-05-22 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP 2008-05-22 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-22 02:31 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-05-21 00:17 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo! 2008-05-21 00:16 --------- d-----w C:\Program Files\Yahoo! 2008-05-21 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! 2008-04-24 02:15 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo! 2008-04-20 02:36 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat 2008-04-20 02:36 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat 2008-04-18 03:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1 2008-04-18 03:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR 2008-04-17 18:03 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-04-17 18:03 --------- d-----w C:\Program Files\Foxit 2008-04-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-04-17 08:03 --------- d-----w C:\Program Files\Java 2008-04-17 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage 2008-04-17 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-04-17 07:21 --------- d-----w C:\Program Files\Kaspersky Lab 2008-04-17 07:16 --------- d-----w C:\Program Files\VIA 2008-04-17 06:52 121,853 ----a-w C:\DMKeygen_packed.exe 2008-04-17 06:52 --------- d-----w C:\Program Files\Driver Magician 2008-04-17 06:49 --------- d-----w C:\Program Files\Common Files\Java . ------- Sigcheck ------- 2007-05-03 07:37 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys 2007-05-02 01:13 1422336 d66456c66d07a423f2e48c2526ae260c C:\WINDOWS\explorer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 02:00 15360] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 18:29 1510640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 577536 C:\WINDOWS\SOUNDMAN.EXE] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"="regsvr32 /s /n /i:u shell32" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 18:29 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-21 18:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders schannel.dll, digest.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe \Shell\Explore\Command - Desktop.exe \Shell\Open\Command - Desktop.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d18d-109f-11dd-9741-0016ec22ecdc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe \Shell\Explore\Command - Desktop.exe \Shell\Open\Command - Desktop.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc9a916-0c6c-11dd-9730-0016ec22ecdc}] \Shell\AutoRun\command - E:\ \Shell\explore\Command - WScript.exe .\__.vbs \Shell\open\Command - WScript.exe .\__.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c10cccd2-0c5a-11dd-9730-0016ec22ecdc}] \Shell\AutoRun\command - SilentSoftech.exe \Shell\explore\command - SilentSoftech.exe \Shell\open\command - SilentSoftech.exe \Shell\var1\command - SilentSoftech.exe Newly Created Service - CATCHME . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-22 09:06:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-05-22 9:12:08 ComboFix-quarantined-files.txt 2008-05-22 13:11:27 Pre-Run: 5,880,741,888 bytes free Post-Run: 5,830,983,680 bytes free 152 What should I do with HIKACKTHIS? A system scan only? Or with a logfile? This post has been edited by dressydoll: May 22 2008, 07:23 AM

sage5 View Member Profile	May 22 2008, 07:35 AM Post #10
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Create a fresh log file with it & paste it back here as well.

dressydoll View Member Profile	May 22 2008, 07:40 AM Post #11
Member Posts: 12 From: Cavite OS: XP SP2	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:41:18 AM, on 5/22/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O13 - Gopher Prefix: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing) O24 - Desktop Component 0: Privacy Protection - (no file) -- End of file - 4298 bytes

sage5 View Member Profile	May 23 2008, 06:11 AM Post #12
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi dressydoll, Create a CombFix Script: Please open Notepad Click Start , then Run Type notepad .exe in the Run Box. Now copy/paste the entire content of the codebox below into the Notepad window: QUOTE File:: C:\WINDOWS\system32\emptyregdb.dat C:\DMKeygen_packed.exe Folder:: C:\WINDOWS\VistaDrive C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1 Registry:: [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"=- [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d18d-109f-11dd-9741-0016ec22ecdc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc9a916-0c6c-11dd-9730-0016ec22ecdc}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c10cccd2-0c5a-11dd-9730-0016ec22ecdc}] Save the above as CFScript.txt Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new HijackThis log. Cheers, sage5

dressydoll View Member Profile	May 23 2008, 11:44 AM Post #13
Member Posts: 12 From: Cavite OS: XP SP2	Combofix ComboFix 08-05-21.2 - Owner 2008-05-23 13:11:07.2 - NTFSx86 Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\DMKeygen_packed.exe C:\WINDOWS\system32\emptyregdb.dat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\DMKeygen_packed.exe C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1 C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\accounts.xml C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\twhirl.log C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\update.air C:\WINDOWS\system32\emptyregdb.dat C:\WINDOWS\VistaDrive C:\WINDOWS\VistaDrive\0.ico C:\WINDOWS\VistaDrive\100.ico C:\WINDOWS\VistaDrive\16.ico C:\WINDOWS\VistaDrive\17.ico C:\WINDOWS\VistaDrive\25.ico C:\WINDOWS\VistaDrive\33.ico C:\WINDOWS\VistaDrive\41.ico C:\WINDOWS\VistaDrive\42.ico C:\WINDOWS\VistaDrive\50.ico C:\WINDOWS\VistaDrive\58.ico C:\WINDOWS\VistaDrive\67.ico C:\WINDOWS\VistaDrive\75.ico C:\WINDOWS\VistaDrive\8.ico C:\WINDOWS\VistaDrive\83.ico C:\WINDOWS\VistaDrive\92.ico C:\WINDOWS\VistaDrive\99.ico C:\WINDOWS\VistaDrive\s100.ico C:\WINDOWS\VistaDrive\s16.ico C:\WINDOWS\VistaDrive\s17.ico C:\WINDOWS\VistaDrive\s25.ico C:\WINDOWS\VistaDrive\s33.ico C:\WINDOWS\VistaDrive\s41.ico C:\WINDOWS\VistaDrive\s42.ico C:\WINDOWS\VistaDrive\s50.ico C:\WINDOWS\VistaDrive\s58.ico C:\WINDOWS\VistaDrive\s67.ico C:\WINDOWS\VistaDrive\s75.ico C:\WINDOWS\VistaDrive\s8.ico C:\WINDOWS\VistaDrive\s83.ico C:\WINDOWS\VistaDrive\s92.ico C:\WINDOWS\VistaDrive\s99.ico C:\WINDOWS\VistaDrive\vistadrive.exe . ((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 ))))))))))))))))))))))))))))))) . 2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\xircom 2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\restore 2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\oobe 2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\srchasst 2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\Program Files\microsoft frontpage 2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard 2008-05-21 21:58 . 2008-05-21 20:24 3 --a------ C:\WINDOWS\Twain001.Mtx 2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk003.MTX 2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk002.MTX 2008-05-21 18:36 . 2008-05-21 18:38 <DIR> d-------- C:\Program Files\Panda Security 2008-05-21 18:36 . 2008-05-21 18:36 1,829 --a------ C:\WINDOWS\mozver.dat 2008-05-21 17:38 . 2008-05-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-05-21 17:37 . 2008-05-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes 2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-05-21 17:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-05-21 17:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-05-21 17:20 . 2008-05-21 17:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-20 21:40 . 2008-05-20 21:41 588,948 --a------ C:\WINDOWS\Tec21.jpg 2008-05-19 23:58 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll 2008-05-19 23:58 . 2007-03-07 19:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys 2008-05-19 23:58 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys 2008-05-19 23:58 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys 2008-05-11 23:25 . 2008-05-11 23:25 18,088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2008-05-09 11:25 . 2008-05-09 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems 2008-05-09 11:11 . 2008-05-09 11:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared 2008-05-09 11:05 . 2008-05-21 21:53 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-05-09 06:47 . 2008-05-19 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso 2008-05-09 06:46 . 2008-05-09 06:46 <DIR> d-------- C:\Program Files\VSO 2008-05-09 05:10 . 2008-05-09 05:10 <DIR> d-------- C:\Program Files\twhirl 2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\CoreFTP 2008-04-24 21:40 . 2008-04-24 21:40 <DIR> d-------- C:\Documents and Settings\Guest\C 2008-04-23 22:15 . 2008-04-23 22:15 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo! 2008-04-23 17:14 . 2004-04-19 17:53 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-23 17:29 275,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-05-23 17:29 22,484 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-05-23 17:29 164,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-05-23 17:29 11,972,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-05-23 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-05-22 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP 2008-05-22 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-22 02:31 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-05-21 00:17 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo! 2008-05-21 00:16 --------- d-----w C:\Program Files\Yahoo! 2008-05-21 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! 2008-04-20 02:36 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat 2008-04-20 02:36 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat 2008-04-18 03:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR 2008-04-17 18:03 --------- d-----w C:\Program Files\Windows Media Connect 2 2008-04-17 18:03 --------- d-----w C:\Program Files\Foxit 2008-04-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-04-17 08:03 --------- d-----w C:\Program Files\Java 2008-04-17 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage 2008-04-17 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-04-17 07:21 --------- d-----w C:\Program Files\Kaspersky Lab 2008-04-17 07:16 --------- d-----w C:\Program Files\VIA 2008-04-17 06:52 --------- d-----w C:\Program Files\Driver Magician 2008-04-17 06:49 --------- d-----w C:\Program Files\Common Files\Java . ------- Sigcheck ------- 2007-05-03 07:37 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys 2007-05-02 01:13 1422336 d66456c66d07a423f2e48c2526ae260c C:\WINDOWS\explorer.exe . ((((((((((((((((((((((((((((( snapshot@2008-05-22_ 9.09.58.10 ))))))))))))))))))))))))))))))))))))))))) . - 2008-05-22 06:49:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-23 17:30:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 02:00 15360] "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 18:29 1510640] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 577536 C:\WINDOWS\SOUNDMAN.EXE] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoSMConfigurePrograms"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 18:29 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-21 18:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders schannel.dll, digest.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe \Shell\Explore\Command - Desktop.exe \Shell\Open\Command - Desktop.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-23 13:31:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe . ********************************************************************** . Completion time: 2008-05-23 13:41:43 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-23 17:40:31 ComboFix2.txt 2008-05-22 13:12:12 Pre-Run: 5,833,953,280 bytes free Post-Run: 5,871,206,400 bytes free 188 Hijackthis** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:43:53 PM, on 5/23/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O13 - Gopher Prefix: O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing) O24 - Desktop Component 0: Privacy Protection - (no file) -- End of file - 4099 bytes

sage5 View Member Profile	May 25 2008, 06:42 AM Post #14
RIP 10/2009 Posts: 2,646 From: NE Victoria, Australia OS: WinXp SP3	Hi dressydoll, Export a Registry Key: Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad. Save it to your desktop, make sure the file type is All File and name it Export.bat CODE @echo off regedit.exe /e C:\export.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" exit Double click Export.bat A window will open and close. This is normal. Please paste the text from C:\export.txt

dressydoll View Member Profile	May 26 2008, 03:19 AM Post #15
Member Posts: 12 From: Cavite OS: XP SP2	Sage5, here's what I got. Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="" "SubscribedURL"="" "FriendlyName"="Privacy Protection" "Flags"=dword:00002002 "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,e8,\ 03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=dword:40000002 "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\ 00,00,02,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\ 00,00,01,00,00,00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,80,00,00,00,01,00,00,00,00,02,00,00,c8,01,00,00,ea,\ 03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=dword:00000001 "OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c8,01,\ 00,00,04,00,00,40 "RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c8,01,\ 00,00,01,00,00,00

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Help! Taskbar & desktop icons missing	0 / 634	13th November 2007 - 03:06 AM rengganis started - last by rengganis
Virus, Spyware and Trojan Removal Missing Menu Bar & Desktop Icons [CLOSED] 123	43 / 8,799	12th December 2007 - 02:41 PM DanZaMan4251 started - last by Essexboy
Virus, Spyware and Trojan Removal project1 virus (removed?) & desktop url shortcuts problem [RESOLVE	11 / 563	4th April 2008 - 02:24 PM louuu started - last by Essexboy
Windows XP�, 2000, 2003, NT explorer.exe missing! there are no desktop icons, no start menu, e	9 / 8,421	1st August 2009 - 12:55 PM ali.g started - last by rshaffer61