Task Manager Not Appearing [RESOLVED]



#1
Jack W-H
Member, 86 posts
Hello!

OK, I've been having this problem for ages and ages now: my Task Manager doesn't appear whenever I press Ctrl+Alt+Del and click Task Manager. Nor does it appear when I go to Start > Run and type taskmgr.exe or taskman, etc.

There's a whole thread with full info about it here:

http://www.geekstogo...ng-t164023.html


By recommendation of a member of this forum, here's the HiJackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:56, on 22/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\Program Files\QuickFind\QuickFind.exe
C:\DOCUME~1\Jack\LOCALS~1\Temp\ir_ext_temp_6\autorun.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008\EDICT.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\EmergencyUtils\Copy_of_Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [QuickFind] C:\Program Files\QuickFind\QuickFind.exe /s
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [L08ADXRC_257442031] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008\EDICT.EXE" -m
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - ?p=ZNxuk101YYGB
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Jack\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Add to Local Website Archive - {46F69F1E-044B-4ED8-8CFB-DDE47078444E} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Start Local Website Archive - {79D7F15A-543C-4F40-ACA5-794107C84E0A} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O9 - Extra button: Start Local Website Archive - {96F9491C-9E03-488E-9100-32AB2C87AECB} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {C0F7CFFD-04A8-494B-A63E-EF7047F04B5B} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: (no name) - {C5B9C6F9-9350-4C0F-A1C9-62F3C6AB22B6} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {C5B9C6F9-9350-4C0F-A1C9-62F3C6AB22B6} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds...ransferCtrl.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom....gamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Abel - Unknown owner - C:\WINDOWS\system32\spool\drivers\Abel.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 1: (no name) - http://www.ciphersof...forum/index.php

--
End of file - 16055 bytes
--


Thanks for your help!

~ Jack

Edited by Jack W-H, 23 January 2008 - 02:27 AM.

#2
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Hi there and sorry for the delay

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O23 - Service: Abel - Unknown owner - C:\WINDOWS\system32\spool\drivers\Abel.exe (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

@echo off
REM Stop the Abel service listed in the O23 entry above, then remove its service registration
sc stop Abel
sc delete Abel
exit

Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.bat

This will create a batch file.

Then run fix.bat by double clicking it. You may see a black box appear; this is normal.

NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\updater\explorer.exe
    C:\WINDOWS\system32\spool\drivers\Abel.exe 
    C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Logs required: ComboFix and OTMoveIt
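As an added example (not code from this thread, from HijackThis or from any of the tools named above), a small Python triage script that applies three of the checks the reply above relies on to lines in the HijackThis log format: a core system-binary name such as explorer.exe located outside its expected directory, an executable started from a Temp directory, and an O23 service whose file is missing. The sample log is constructed from lines quoted in the first post plus benign ones; the expected-directory table is an assumption (a short list of XP-era system binaries), and it generalises the thread's single explorer.exe case to several such names.

```python
"""Triage a HijackThis-style log for three of the indicators acted on in this thread.

Added example, not HijackThis's own code. The expected-directory table is an
assumption (a short list of Windows XP-era system binaries), not a HijackThis rule.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# A Windows drive-letter path ending in .exe; lazy so that arguments or a second
# path on the same line (e.g. a quoted DLL after the executable) are not swallowed.
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)

# Assumption: where these core binaries legitimately live on a default XP install.
# Anything carrying one of these names in another directory deserves a second look.
EXPECTED_DIR = {
    "explorer.exe": {r"c:\windows"},
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
}

TEMP_COMPONENTS = {"temp", "tmp"}

# Constructed sample: lines quoted from the log posted above plus benign ones.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\updater\explorer.exe
C:\DOCUME~1\Jack\LOCALS~1\Temp\ir_ext_temp_6\autorun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O23 - Service: Abel - Unknown owner - C:\WINDOWS\system32\spool\drivers\Abel.exe (file missing)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""


def extract_path(line: str) -> Optional[str]:
    """Return the first executable path on an HJT line, or None (e.g. bare SOUNDMAN.EXE)."""
    match = DRIVE_PATH.search(line)
    return match.group(0) if match else None


def check_path(path: str) -> List[str]:
    """Apply the two location checks to one executable path."""
    findings = []
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in EXPECTED_DIR and parent not in EXPECTED_DIR[name]:
        findings.append(f"system binary name outside its expected directory: {path}")
    if any(part.lower() in TEMP_COMPONENTS for part in p.parts):
        findings.append(f"executable running from a temp directory: {path}")
    return findings


def triage(log_text: str) -> List[str]:
    """Walk the log line by line and collect findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # HJT marks a registered service whose binary no longer exists; the
        # registration itself is the leftover that the sc delete step removes.
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(f"service registration points to a missing file: {line}")
        path = extract_path(line)
        if path:
            findings.extend(check_path(path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run on the sample it reports the updater\explorer.exe path twice (once from the process list, once from the O4 entry), the Temp autorun.exe, and the orphaned Abel service, and nothing for the legitimate lines.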

#3
Jack W-H
Topic Starter, Member, 86 posts
OK. SERIOUS PROBLEMS!

Basically whilst following Essexboy's instructions to the letter I ran into serious problems. Like, really serious problems. Unless it's just me over-worrying. But I don't think so.

I disabled TeaTimer, then opened HJT and ran a scan.

I unchecked 3 of the 4 boxes; the fourth one (Abel) did not appear because a few days ago Comodo BOClean removed it, as apparently it was a trojan horse (although Task Manager still did not appear).

I fixed the 3 checked boxes apparently successfully.

Then I did that thing with the fix.bat file. Although Abel had gone, I still wanted to be on the safe side, so I did this anyway. The black box popped up for half a second, and during that time I could just make out something about "Process not found" or something like that.

With that all out of the way, the problems started to begin.

I downloaded OTMoveIt and copied and pasted the stuff in the box. I clicked the "MoveIT!" button and it moved stuff. Although I don't know where.

Everything appeared to be alright. However, I then went on to download ComboFix...

This is when the annoying problems started happening. I downloaded it from both download locations - one location just downloaded a plain exe which was apparently "Not a valid Win32 application" (the first link). So I downloaded from the second link, BleepingComputer. That downloaded just fine into my "Pending downloads" folder which is set for my Firefox. I know it said download to desktop, so I re-downloaded it to the Desktop this time.

I double-clicked to run it on the Desktop. A little box at the point of my mouse with a loading bar appeared; it loaded for a few seconds, then a little blue window popped up. But suddenly a dialog appeared saying "You cannot rename ComboFix to ComboFix" or something. I was kind of thinking, What the...? So I downloaded it again to retry, and again the message popped up. I was confused, so I renamed combofix.exe to just combo.exe to test, and that time it said "You cannot rename ComboFix to Combo". Ooherr.

So I looked all over Google and it told me that the error could most likely be fixed with a restart. So I restarted my computer. This is when everything went wrong!

On startup after the restart, it got to the Windows logo with the scrolley blue bar. It scrolled over once and then gave me that dreaded message about "We apologise for the inconvenience but Windows cannot start correctly." I had the options to start in safe mode (with networking, with command prompt), to start with Last Known Good Configuration, or to start normally.

I thought this might just be a one-off so I started normally. But the same thing happened again. I tried once more, and the same thing happened AGAIN.

So I chose Last Known Good Configuration. But AGAIN it happened!

I went into plain old safe mode (no networking, no command prompt) and looked around in there. I was really worried by then.

So I tried running ComboFix from inside Safe Mode. All of a sudden, it worked and stopped giving me the error. So I ran the scan. It took about 8 minutes to scan and 6 to generate the log (attached at the bottom of this post).

I saved the log and then restarted, hoping ComboFix had fixed whatever problem was stopping Windows from restarting.

I restarted, but AGAIN the black screen came up. I was rather peeed off.

I went back into safe mode and tried to log onto Geeks to Go for help, but of course I couldn't, since the wireless adapter driver wasn't running.

Instead, in safe mode, I went into OTMoveIt and clicked Restore. This put back the files I had moved where they were originally. I then rebooted and it got to the scrolley Windows logo screen.

It stayed on that screen for about 15 minutes. I persevered with it because my CPU indicator light was flashing so I knew it must be doing something. After 15 minutes though, I got onto the Logon screen! Yay!

I logged on and here I am now. Thankfully, the Task Manager now appears on Ctrl+Alt+Del - so my problem is solved, thank god!

However I am still confused as to what it was that I was moving.

So I have a couple of questions:

  • What is C:\WINDOWS\system32\updater\explorer.exe?
  • And what is C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe?
Those were the things you told me to move with OTMoveIt. So what are they, and what are they meant to do?

Thank you,

~ Jack


BELOW: LOGFILE OF ComboFix WHEN RUN UNDER SAFE MODE:

ComboFix 08-02.02.2 - Jack 2008-02-02 11:41:43.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\Jack\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 10:39 . 2008-02-02 10:39 <DIR> d-------- C:\_OTMoveIt
2008-01-31 17:00 . 2008-01-31 17:00 <DIR> d-------- C:\Program Files\AVIConverter
2008-01-31 16:47 . 2008-02-02 09:31 64,512 --ah----- C:\Documents and Settings\Jack\Application Data\dach100.dll
2008-01-30 20:48 . 2008-01-30 20:48 <DIR> d-------- C:\Program Files\Dachshund Software
2008-01-30 20:48 . 2008-02-02 09:31 278 --ah----- C:\WINDOWS\winshell.dat
2008-01-30 20:22 . 2002-05-28 17:31 61,440 --a------ C:\WINDOWS\Desktop Dreamscapes.scr
2008-01-30 20:13 . 2008-01-30 20:13 <DIR> d-------- C:\Program Files\Super X Studios
2008-01-30 19:16 . 2008-01-30 19:16 <DIR> d-------- C:\Program Files\Selteco
2008-01-30 18:35 . 2008-01-30 18:35 <DIR> d-------- C:\Program Files\Lonely Cat Games
2008-01-28 17:48 . 2008-01-31 19:05 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Winamp
2008-01-27 20:59 . 2008-01-28 07:43 <DIR> d-------- C:\Program Files\Unlocker
2008-01-27 20:19 . 2008-02-01 20:17 <DIR> d-------- C:\Program Files\particleIllusion_3
2008-01-27 11:32 . 2008-01-28 17:48 <DIR> d-------- C:\Program Files\Winamp
2008-01-27 11:32 . 2007-03-07 23:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-27 11:32 . 2007-03-07 23:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-27 11:32 . 2007-03-07 23:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-27 11:26 . 2008-01-27 11:26 <DIR> d-------- C:\VAIO
2008-01-27 09:14 . 2008-01-27 09:14 <DIR> d-------- C:\Documents and Settings\Jack\Application Data\Bitdefender
2008-01-26 22:02 . 2007-11-12 16:27 87,952 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-01-26 21:56 . 2008-01-27 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-26 21:19 . 2008-01-26 21:22 883 --a------ C:\WINDOWS\ARPR.INI
2008-01-26 21:14 . 2008-01-26 21:14 <DIR> d-------- C:\Program Files\Intelore
2008-01-26 21:11 . 2000-05-16 10:40 83,968 --a------ C:\WINDOWS\UnGins.exe
2008-01-26 17:41 . 2008-02-02 11:06 121 --a------ C:\WINDOWS\bdagent.INI
2008-01-26 17:25 . 2008-01-26 17:25 <DIR> d-------- C:\Program Files\BitDefender
2008-01-26 17:23 . 2008-01-27 09:12 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-01-25 22:15 . 2008-01-28 17:26 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-01-25 22:14 . 2008-01-28 18:18 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-01-25 22:13 . 2008-01-25 22:16 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-25 22:13 . 2008-01-25 22:16 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-25 20:58 . 2008-01-25 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-01-24 20:03 . 1996-08-26 01:12 345,600 -ra------ C:\WINDOWS\system32\QTIM32.DLL
2008-01-22 20:42 . 2008-01-22 20:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 20:35 . 2008-01-14 20:35 <DIR> d-------- C:\Program Files\Avanquest update
2008-01-14 20:34 . 2004-08-03 23:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-01-14 20:34 . 2004-08-03 23:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2008-01-14 20:34 . 2003-12-26 07:22 24,192 -ra------ C:\WINDOWS\system32\drivers\OLD416.tmp
2008-01-14 20:33 . 2008-01-14 20:34 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-01-14 20:33 . 2008-01-14 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-14 20:33 . 2008-01-14 20:33 92,064 --a------ C:\Documents and Settings\Jack\mqdmmdm.sys
2008-01-14 20:33 . 2008-01-14 20:33 79,328 --a------ C:\Documents and Settings\Jack\mqdmserd.sys
2008-01-14 20:33 . 2008-01-14 20:33 66,656 --a------ C:\Documents and Settings\Jack\mqdmbus.sys
2008-01-14 20:33 . 2008-01-14 20:33 25,600 --a------ C:\Documents and Settings\Jack\usbsermptxp.sys
2008-01-14 20:33 . 2008-01-14 20:33 22,768 --a------ C:\Documents and Settings\Jack\usbsermpt.sys
2008-01-14 20:33 . 2008-01-14 20:33 9,232 --a------ C:\Documents and Settings\Jack\mqdmmdfl.sys
2008-01-14 20:33 . 2008-01-14 20:33 6,208 --a------ C:\Documents and Settings\Jack\mqdmcmnt.sys
2008-01-14 20:33 . 2008-01-14 20:33 5,936 --a------ C:\Documents and Settings\Jack\mqdmwhnt.sys
2008-01-14 20:33 . 2008-01-14 20:33 4,048 --a------ C:\Documents and Settings\Jack\mqdmcr.sys
2008-01-13 12:14 . 2008-01-18 20:34 <DIR> d-------- C:\Program Files\Slime Online
2008-01-12 21:49 . 2008-01-12 21:52 <DIR> d-------- C:\Program Files\Microsoft DirectMusic Producer
2008-01-12 21:49 . 2008-01-13 16:58 3,566 --a------ C:\WINDOWS\DMUSProd.INI
2008-01-10 18:44 . 2008-01-10 19:14 <DIR> d-------- C:\Program Files\Allegro Sprite Editor
2008-01-07 21:50 . 1998-06-23 23:00 198,456 --a------ C:\WINDOWS\system32\MCI32.OCX
2008-01-07 21:50 . 1996-12-10 23:00 46,080 --a------ C:\WINDOWS\system32\MCIWNDX.OCX
2008-01-07 21:46 . 2008-01-15 20:51 <DIR> d-------- C:\Program Files\Cosmigo
2008-01-07 21:43 . 2008-01-23 18:58 <DIR> d-------- C:\Program Files\DarkFaction
2008-01-07 19:02 . 2008-01-07 19:02 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-06 21:52 . 2008-01-06 21:52 <DIR> d-------- C:\Program Files\createinstall free
2008-01-06 21:37 . 2008-01-06 21:37 <DIR> d-------- C:\Program Files\FPSPack
2008-01-06 21:37 . 2008-01-06 21:37 730,557 --a------ C:\WINDOWS\FPSPack Uninstaller.exe
2008-01-06 20:00 . 2008-01-06 20:11 <DIR> d-------- C:\Program Files\Microsoft Student
2008-01-06 19:58 . 2008-01-06 19:58 <DIR> d-------- C:\Program Files\Learning Essentials
2008-01-03 20:09 . 2008-01-03 20:10 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 4
2008-01-02 17:55 . 2008-01-02 17:58 <DIR> d-------- C:\RealityFactory
2008-01-02 17:20 . 2008-01-02 17:20 146 --a------ C:\WINDOWS\W2W.ini
2008-01-02 17:11 . 2008-01-02 17:15 <DIR> d-------- C:\Program Files\GStudio6
2008-01-02 12:18 . 2008-01-02 12:18 <DIR> d-------- C:\Program Files\Darkfoil Creations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 11:06 --------- d-----w C:\Program Files\FlashGet
2008-02-02 09:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 09:28 --------- d-----w C:\Program Files\LogMeIn
2008-02-01 20:33 --------- d-----w C:\Documents and Settings\Jack\Application Data\gtk-2.0
2008-02-01 19:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-31 20:08 --------- d-----w C:\Documents and Settings\Jack\Application Data\OpenOffice.org2
2008-01-31 18:25 --------- d-----w C:\Program Files\Incomplete
2008-01-31 17:18 --------- d-----w C:\Program Files\LimeWire
2008-01-31 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-01-28 18:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 20:05 --------- d-----w C:\Documents and Settings\Jack\Application Data\Ashampoo
2008-01-24 20:04 --------- d-----w C:\Program Files\Ashampoo
2008-01-23 17:57 --------- d-----w C:\Program Files\MediaMonkey
2008-01-22 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\{AB3EC276-D261-4943-A921-1CC1C6799AED}
2008-01-15 21:13 --------- d-----w C:\Program Files\CoffeeCup Software
2008-01-13 10:07 --------- d-----w C:\Program Files\TileSetMaker
2008-01-13 10:06 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2008-01-12 17:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\YoYoGames
2008-01-06 11:45 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-01-03 20:10 --------- d-----w C:\Program Files\Acoustica Shared Effects
2008-01-02 12:37 --------- d-----w C:\Program Files\Entity Workshop V2
2008-01-01 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC425
2008-01-01 19:55 --------- d-----w C:\Program Files\data_crow
2008-01-01 19:41 --------- d-----w C:\Program Files\TouchStoneSoftware
2008-01-01 19:39 --------- d-----w C:\Program Files\YouTube Downloader
2008-01-01 19:35 --------- d-----w C:\Program Files\FreeMind
2008-01-01 19:30 --------- d-----w C:\Documents and Settings\Jack\Application Data\UpdateStar
2008-01-01 19:29 --------- d-----w C:\Program Files\Comodo
2008-01-01 19:24 --------- d-----w C:\Documents and Settings\Jack\Application Data\QuickFind
2008-01-01 19:23 --------- d-----w C:\Program Files\QuickFind
2008-01-01 19:21 --------- d-----w C:\Program Files\Quick StartUp
2008-01-01 19:18 --------- d-----w C:\Program Files\InstantTimeZone
2008-01-01 19:17 --------- d-----w C:\Program Files\Innovative Solutions
2008-01-01 19:14 --------- d-----w C:\Program Files\Flexense
2008-01-01 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flexense
2008-01-01 19:09 --------- d-----w C:\Program Files\Local Website Archive
2008-01-01 19:09 --------- d-----w C:\Documents and Settings\Jack\Application Data\aignes
2008-01-01 19:05 --------- d-----w C:\Program Files\Restoration
2008-01-01 18:55 55 ----a-w C:\Program Files\Profile Picture GeniusPPG.url
2008-01-01 18:55 --------- d-----w C:\Program Files\Profile Picture Genius
2008-01-01 18:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 18:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-01 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\ashampoo
2008-01-01 16:32 --------- d-----w C:\Program Files\Lavasoft
2008-01-01 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 16:11 --------- d-----w C:\Program Files\Trillian
2008-01-01 16:10 --------- d-----w C:\Program Files\SpiderZ Freeware
2008-01-01 16:05 --------- d-----w C:\Program Files\Pivot Stickfigure Animator
2008-01-01 16:04 --------- d-----w C:\Program Files\netbeans-5.5.1
2008-01-01 16:01 --------- d-----w C:\Program Files\GTDesktop
2008-01-01 15:59 --------- d-----w C:\Documents and Settings\Jack\Application Data\Earthsim
2008-01-01 15:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Earthsim
2007-12-24 10:03 --------- d-----w C:\Documents and Settings\Jack\Application Data\dvdcss
2007-12-24 09:58 --------- d-----w C:\Program Files\Xilisoft
2007-12-23 16:52 --------- d-----w C:\Program Files\eRightSoft
2007-12-21 12:39 --------- d-----w C:\Program Files\SETool Lite
2007-12-19 19:49 --------- d-----w C:\Program Files\Veoh Networks
2007-12-16 22:04 91 ----a-w C:\Documents and Settings\Jack\Application Data\ftpfile.dat
2007-12-11 20:28 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2007-12-11 20:28 21,496 ----a-w C:\WINDOWS\system32\LMIport.dll
2007-12-11 20:28 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2007-12-11 19:59 6,656 ----a-w C:\WINDOWS\system32\haspvdd.dll
2007-12-11 19:59 47,616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
2007-12-11 19:58 --------- d-----w C:\Program Files\GLOBEtrotter Software Inc
2007-12-11 19:55 --------- d-----w C:\Program Files\Autodesk
2007-12-11 19:52 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-12-11 19:52 --------- d-----w C:\Program Files\Common Files\Alias Shared
2007-12-11 19:44 --------- d-----w C:\Program Files\PowerISO
2007-12-11 17:05 --------- d-----w C:\Program Files\Phoenix Game Protection Advanced v20
2007-12-09 14:02 --------- d-----w C:\Program Files\FPI Maker
2007-12-08 15:23 --------- d-----w C:\Program Files\GIMP-2.0
2007-12-08 12:37 --------- d-----w C:\Program Files\Airslide Games
2007-12-07 19:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-06 18:39 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2007-12-06 18:39 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2007-11-27 16:46 77,824 ----a-w C:\WINDOWS\system32\xcomm.dll
2007-11-24 20:06 53,880 ----a-w C:\Documents and Settings\Jack\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-04 11:06 1,015,296 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-04-17 09:28 2,512 ----a-w C:\Documents and Settings\Jack\Application Data\wklnhst.dat
2007-01-14 11:15 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-01 10:13 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-06-13 10:23 197,648 --sh--r C:\WINDOWS\system32\schost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}
{E0E899AB-F487-11D5-8D29-0050BA6940E3}
{D0943516-5076-4020-A3B5-AEFAF26AB263}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{381FFDE8-2394-4F90-B10D-FC6124A40F8C}

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CLASSES_ROOT\clsid\{381ffde8-2394-4f90-b10d-fc6124a40f8c}]
[HKEY_CLASSES_ROOT\BitDefender Toolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01 67584]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 16:30 45632]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42 212992]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-15 17:00 196608]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-11-16 16:37 319488]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49 338432]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [ ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 22:54 37376]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-12-06 18:39 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 22:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
--a------ 2005-07-08 15:01 1953887 C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Symantec Core LC"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Abel"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE
"MagUninstall"="C:\Program Files\Ashampoo\Ashampoo Magical UnInstall\MagicalUnInstall.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"BOC-425"=C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe"
"QuickFind"=C:\Program Files\QuickFind\QuickFind.exe /s

R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S1 bdftdif;bdftdif;C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys [2007-11-12 16:28]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
S2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2006-03-15 12:00]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2007-11-12 16:27]
S3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\drivers\bdfsfltr.sys [2007-08-02 16:03]
S3 BDSelfPr;BDSelfPr;C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys [2008-01-27 09:32]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 00:01]
S3 scan;BitDefender Threat Scanner;C:\WINDOWS\System32\svchost.exe [2006-03-15 12:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 09:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 20:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Jack.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-01-23 18:08:03 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-08-06 14:50:09 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-12-01 09:12:59 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 11:49:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 11:59:27
.
2008-01-12 17:24:00 --- E O F ---

LOGFILE OF HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:21:42, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Super X Studios\Desktop Dreamscapes\DesktopDreamscapes.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll (file missing)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Search - ?p=ZNxuk101YYGB
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Jack\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Add to Local Website Archive - {46F69F1E-044B-4ED8-8CFB-DDE47078444E} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Start Local Website Archive - {79D7F15A-543C-4F40-ACA5-794107C84E0A} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O9 - Extra button: Start Local Website Archive - {96F9491C-9E03-488E-9100-32AB2C87AECB} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {C0F7CFFD-04A8-494B-A63E-EF7047F04B5B} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: (no name) - {C5B9C6F9-9350-4C0F-A1C9-62F3C6AB22B6} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {C5B9C6F9-9350-4C0F-A1C9-62F3C6AB22B6} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.mess.../Medialogic.CAB
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds...ransferCtrl.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom....gamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zon...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 1: (no name) - http://www.ciphersof...forum/index.php

--
End of file - 13570 bytes

#4 Essexboy (GeekU Moderator, Retired Staff)

C:\WINDOWS\system32\updater\explorer.exe A variant of the IRCBot family of worms and IRC backdoor Trojans
C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe Same
"Not a valid Win32 application" That is usually generated by the bagle worm

C:\WINDOWS\Explorer.EXE This is the legitimate explorer

I will need to do a deeper look as there is more here than what I am seeing, there must be a low level driver calling the fake explorer

We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post
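
Added example, not from this thread and not a tool any poster ran: the two files called out in the post above share one property that is easy to check mechanically, a Windows system-binary name (explorer.exe) sitting outside the directory it normally lives in, and the ComboFix log higher up shows two related patterns worth checking the same way: a Winlogon UIHost value pointing at logonuiX.exe instead of the XP default logonui.exe, and files marked hidden+system under system32. The Python script below parses a handful of lines in the ComboFix/HijackThis layout used above and flags those patterns, plus one-character lookalike names, for review. Everything it flags means "look at this", not "this is malware". The expected-directory map, the XP default Winlogon file names, and the sample lines are assumptions of the example; the sample is modeled on the log above but constructed here, and its Shell and Userinit lines are made up, since ComboFix only prints non-default values.

```python
import re

# Windows XP system binaries and the directory each normally lives in
# (assumed for this example; extend it for the machine you are looking at).
EXPECTED_DIR = {
    "explorer.exe": "c:\\windows",
    "svchost.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "smss.exe": "c:\\windows\\system32",
    "userinit.exe": "c:\\windows\\system32",
    "logonui.exe": "c:\\windows\\system32",
}
# Default XP file names behind the Winlogon values that decide what runs at
# logon (assumed). Anything else is worth a look, not automatically malicious.
WINLOGON_DEFAULTS = {"shell": ["explorer.exe"], "userinit": ["userinit.exe"],
                     "uihost": ["logonui.exe"]}
SYSTEM32 = "c:\\windows\\system32\\"

EXE_PATH_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+([-a-z]{7})\s+(.+)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
REG_VALUE_RE = re.compile(r'^"([^"]+)"=\s*"?(.*?)"?\s*$')


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_exe_path(path):
    """Flag a system-binary name outside its directory, or a lookalike name."""
    directory, _, name = path.strip().lower().rpartition("\\")
    if name in EXPECTED_DIR:
        if directory != EXPECTED_DIR[name]:
            return {"kind": "system-binary-name-outside-expected-dir", "subject": path}
        return None
    for known in EXPECTED_DIR:
        if edit_distance(name, known) == 1:
            return {"kind": "lookalike-of-" + known, "subject": path}
    return None


def check_winlogon_value(name, value):
    """Compare the file names in a Winlogon value with the XP defaults."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    names = [e.rpartition("\\")[2].lower() for e in entries]
    if names != WINLOGON_DEFAULTS[name]:
        return {"kind": "non-default-winlogon-value", "subject": name, "detail": value}
    return None


def triage(log_text):
    """Run every check over a ComboFix/HijackThis-style log; return findings."""
    findings, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        val = REG_VALUE_RE.match(line)
        if val and current_key and current_key.endswith("\\winlogon"):
            name = val.group(1).lower()
            if name in WINLOGON_DEFAULTS:
                # .reg exports double the backslashes; undo that first.
                f = check_winlogon_value(name, val.group(2).replace("\\\\", "\\"))
                findings += [f] if f else []
            continue
        f3 = FIND3M_RE.match(line)
        if f3:
            attrs, line = f3.groups()
            # 's' and 'h' together mean hidden + system: unusual for a plain
            # file under system32 and worth a look.
            if "s" in attrs and "h" in attrs and line.lower().startswith(SYSTEM32):
                findings.append({"kind": "hidden-system-file-in-system32", "subject": line})
        if EXE_PATH_RE.match(line):
            f = check_exe_path(line)
            findings += [f] if f else []
    return findings


# Sample lines in the layout of the log above, constructed for this example;
# the Shell and Userinit lines are made up, since ComboFix omits default values.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\updater\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
2007-11-04 11:06 1,015,296 ----a-w C:\WINDOWS\system32\logonuiX.exe
2007-06-13 10:23 197,648 --sh--r C:\WINDOWS\system32\schost.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-01-01 10:13 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-12-06 18:39 87352 C:\WINDOWS\system32\LMIinit.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["subject"], f.get("detail", ""))
```

Run it against a saved log with `triage(open("log.txt").read())`. On the sample it reports the explorer.exe under system32\updater, both lookalike names (schost.exe, logonuiX.exe), the two hidden+system files under system32 and the UIHost value, and stays quiet about C:\WINDOWS\Explorer.EXE, the default Shell and Userinit values, and the hidden+system file outside system32. Each finding is a pointer to something to check by hand, for example by comparing the file against a known-good copy or uploading it to a multi-engine scanner as the later posts in this thread do.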

#5 Jack W-H (Topic Starter)

OK. I've done what you said without any difficulties.

Attached are virusinfo_syscure.zip and virusinfo_syscheck.zip. I hope I've got the right ones...?

C:\WINDOWS\system32\updater\explorer.exe A variant of the IRCBot family of worms and IRC backdoor Trojans
C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe Same
"Not a valid Win32 application" That is usually generated by the bagle worm


The above files you mentioned are still on my system though after I had to restore them just to be able to start up properly (see my last post). And a quick google told me that the Bagle worm stopped working in 2004? Still, you're the expert... I'll trust what you say :)

Thanks,

~ Jack


Edited by Jack W-H, 02 February 2008 - 03:09 PM.


#6 Essexboy (GeekU Moderator, Retired Staff)


google told me that the Bagle worm stopped working in 2004?

Weird, that, as I am working on two on the Avast forum at the moment. And I cleared my boss's computer of it on Tuesday :)

Analysing now

#7 Jack W-H (Topic Starter)

Yes, several websites said that the Bagle worm was programmed to de-activate on Jan 28 2004 (Bagle.A) or February 25 04 (Bagle.B). So I'm just wondering whether a third strain has come out?

Anyway, thanks for taking your time to help me out.

#8 Essexboy (GeekU Moderator, Retired Staff)

Yes there is a new strain and it is a pig as it disables most of my tools :)

#9 Jack W-H (Topic Starter)

Whoops. That doesn't sound too good.

Do you think that these problems I have might be what's causing my computer to hang for up to 20 minutes at least once per hour? I made a thread about it but some moderator locked it which was a tad annoying.

#10 Essexboy (GeekU Moderator, Retired Staff)

OK this is becoming a mystery (must admit I like them)

Your AVZ scan came up clean for drivers and rootkits. So I would like you to submit some files for analysis for me, yep you can guess the ones.

Whilst you are doing that I will do more research to see what I can come up with

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\updater\explorer.exe
  • Click on the submit button
  • Then repeat for C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe
  • Please post the results in your next reply.


#11 Jack W-H (Topic Starter)

OK Essexboy - here's the results from the online scanner for C:\Windows\system32\updater\explorer.exe:

File: explorer.exe
Status:
INFECTED/MALWARE (Note: file is encrypted with a password. Some scanners try to detect these files - thereby exploring boundaries of false positives - instead of the malware inside them, which they cannot access due to the fact the password cannot be guessed. Other scanners detect the actual malware when the file is being decrypted)
MD5: 2519df50405afcde47302c80708c6afc
Packers detected:
-
Bit9 reports: Not analyzed yet (more info)
Scanner results
Scan taken on 03 Feb 2008 09:59:44 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found suspicious file (encrypted program in archive)
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


And here are the results for C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe:


File: autorun.exe
Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 54d49f269942df19b02a83c88d961b7e
Packers detected:
-
Bit9 reports: Not analyzed yet (more info)
Scanner results
Scan taken on 03 Feb 2008 10:11:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


OK... now that's really mysterious now...

Any further ideas as to what's making my computer hang?

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK... now that's really mysterious now...

Any further ideas as to what's making my computer hang?

Possibly it appears to me that the fake explorer has set itself as your shell, thereby if it is deleted your system cannot find the shell file. So I will need to find out where in the registry this change is occurring so that I can reset it to the correct value.

There are three ways for me to do this: one is by a registry search, another is to use Silent Runners, or finally to use a deep scan. I will go for the easiest options first and then progress from there. This may take a while as I have never come across this before, and I want to move cautiously.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
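Essexboy suspects the fake explorer.exe has registered itself as the shell somewhere in the registry. The usual place for that is the Winlogon "Shell" value (and its companion "Userinit"); that location is my own addition, not something the thread confirms. The script below is an added example, not part of this thread and not from WinPFind; it assumes stock defaults (Shell = explorer.exe, Userinit = <system32>\userinit.exe,) and an elevated PowerShell, and it only changes anything when -Reset is given.

```powershell
# Added example, not from this thread: report (and optionally restore) the Winlogon
# "Shell" and "Userinit" values that decide which program Windows starts as the desktop.
# Assumption: standard defaults (Shell = explorer.exe, Userinit = <system32>\userinit.exe,).
# Run from an elevated PowerShell; use -Reset only after confirming the replacement is malicious.
param([switch]$Reset)

$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}
$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcu = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Machine-wide values: these should exist and match the defaults exactly.
$props = Get-ItemProperty -Path $hklm
foreach ($name in $expected.Keys) {
    $value = $props.$name
    if ($null -eq $value) {
        Write-Output "HKLM $name : MISSING (expected '$($expected[$name])')"
    } elseif ($value -ieq $expected[$name]) {
        Write-Output "HKLM $name : OK ($value)"
    } else {
        # A full path here (for instance a file under system32\updater) is what to look for.
        Write-Output "HKLM $name : UNEXPECTED -> $value"
        if ($Reset) {
            Set-ItemProperty -Path $hklm -Name $name -Value $expected[$name]
            Write-Output "  restored to '$($expected[$name])'"
        }
    }
}

# Per-user override: normally absent. Any value at all means something deliberately set it.
if (Test-Path $hkcu) {
    $userProps = Get-ItemProperty -Path $hkcu
    foreach ($name in $expected.Keys) {
        if ($null -ne $userProps.$name) {
            Write-Output "HKCU $name : PER-USER OVERRIDE -> $($userProps.$name)"
            if ($Reset) {
                Remove-ItemProperty -Path $hkcu -Name $name
                Write-Output "  override removed"
            }
        }
    }
}
```

Running it without -Reset is read-only, so it is safe to run first and paste the output alongside the other logs; if the Shell value points at the updater copy, that explains why deleting the file would leave Windows without a shell.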

#13
Jack W-H (Member, Topic Starter, 86 posts)
OK, I'll do that now.

One thing I have noticed though is, I went to C:\Windows\system32\updater folder and right-clicked the fake explorer.exe program and clicked options.

Then I clicked the "Version tab"

Inside there, it says:

Comments: Created with AutoPlay Media Studio 6.0 (www.indigorose.com)
Internal name: ams60_launch

Anyway, I'll leave you with that thought whilst I go and run this scan.

#14
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK now you have me as that is a legitimate company - back to the research :) Just love mysteries

#15
Jack W-H (Member, Topic Starter, 86 posts)
Sorry - something went a bit wrong. In this post the log file is attached (twice for some weird reason, but both attachments are the same ones).

Sorry for the confusion, but the logfile is here.

~ Jack

P.S. You know I just kept the default settings on that program, so it didn't scan drivers etc.

Edited by Jack W-H, 03 February 2008 - 08:04 AM.
