taskbar (explorer) disappears then reappears along with icons



#1 Lancer_fabre

Hello, my taskbar and icons disappear as soon as I turn on my HP computer, and no matter how many virus scans I do I still get pop-ups in any browser I use saying something spyware related and telling me to download an anti-spyware tool.
I've tried looking at everything myself, but I'm at a loss. The worst thing I've found myself is a trojan downloader that comes back. But this is my HijackThis log, and thanks for any and all help received.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:21 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Elijah\LOCALS~1\Temp\16win.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\xloader10181.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\Explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ProcessGovernor] C:\Program Files\Process Lasso\processgovernor.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185394887859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185397513109
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4BD76B-447B-47A5-8A40-8FC2CF03EE82}: NameServer = 85.255.115.2,85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 7484 bytes
#2 waterfalls

Hi -

Your system is terribly infected. Do NOT do any online transactions such as purchases, online banking, etc. until we have finished. You also need to change your passwords at sensitive websites from a computer that you know is not infected.

The first thing you need to do is to install an anti-virus program. Surfing the Net without any protection will result in your system becoming infected. I suggest that you install Avira AntiVir which is a good FREE Anti-Virus program.
Never install more than one Anti-Virus scanner on your system! Having more than one AV installed will likely cause your system to become unstable and seriously decrease the reliable detection of any malware.
After installing the AV program, have it perform a complete scan, and let it delete everything it finds.

Please do the following in the order stated.

• Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%, typically C:\SDFix
Note: You will need to print or copy these instructions because you will be working in Safe Mode without an Internet connection.
- Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.
  • In Safe Mode, choose your usual account
  • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt in your next reply.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4BD76B-447B-47A5-8A40-8FC2CF03EE82}: NameServer = 85.255.115.2,85.255.112.117
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll


Close ALL browsers and open windows/programs except HijackThis and click 'Fix checked'.

Reboot your computer.

• Download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://download.blee.../Fixwareout.exe

- Save it to your Desktop and run it. Click Next, then Install
- Make sure "Run fixit" is checked and click Finish
- The fix will begin; follow the prompts.
- You will be asked to reboot your computer; please do so.
- Your system may take longer than usual to load; this is normal.
- Once the Desktop loads, please post the text that will open (report.txt) in your next reply.

• You have an outdated version of Java which, because of security reasons, needs to be updated.
Update Java by doing the following:
- Download the latest version of Java Runtime Environment (JRE) 6u3 from HERE and save it to your Desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove ALL older versions of Java by checking any item, one at a time, with Java Runtime Environment (JRE or J2SE) in the name.
- For each item that you check, click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove ALL of the Java versions.
- REBOOT your computer once ALL Java components are removed.
- Then from your Desktop, double-click on the newly-downloaded Java file to install the newest version.

• Download ComboFix from here and save it to the Desktop.

1. Double-click on combofix.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

• Post back with:
- the log from SDFix (Report.txt)
- the log from FixWareout (report.txt)
- the log from ComboFix (ComboFix.txt)
- and a new HijackThis log.
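A triage script for the log format posted above, added here as an example; it is not part of the original post, of HijackThis, or of any of the tools the helper names. It parses HijackThis 2.0 entries and flags the same classes the helper's fix list singles out: a modified Shell= line (F2), Run/Startup targets that are unqualified names, executables dropped in the Windows root, or look-alikes of system binaries (O4), a policy disabling regedit (O7), NameServer overrides not on an allowlist (O17), and any AppInit_DLLs (O20). The TRUSTED_DNS allowlist and the sample lines are constructed for the example; the sample reuses entries from the posted log.

```python
import re

# Resolvers the owner legitimately uses. Constructed placeholder: in real
# triage this comes from the ISP or DHCP configuration of the machine.
TRUSTED_DNS = {"192.168.1.1"}

# System binaries whose names malware commonly imitates (spoolvs vs spoolsv).
SYSTEM_NAMES = ("spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "smss.exe")

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
O4_RE = re.compile(r"O4 - (.*?): (?:\[[^\]]*\] )?(.*)")


def edit_distance(a, b):
    """Levenshtein distance; file names are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def o4_target(entry):
    """Extract the launched path from an O4 Run/Startup line, or None."""
    m = O4_RE.match(entry)
    if not m:
        return None
    value = re.sub(r"\s*\(User '[^']*'\)\s*$", "", m.group(2))
    if " = " in value:                       # "foo.lnk = C:\path\target.exe"
        value = value.split(" = ", 1)[1]
    if value.startswith('"'):                # quoted path, possibly unterminated
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else None


def check_o4(entry):
    """Reason an O4 entry deserves review, or None. Heuristic, not a verdict."""
    target = o4_target(entry)
    if not target:
        return None
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    if name == "rundll32.exe":               # launcher; its DLL argument is not analysed here
        return None
    if "\\" not in low:
        return "unqualified file name, resolved via search path"
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+", low):
        return "executable dropped directly in the Windows root"
    for legit in SYSTEM_NAMES:
        if name != legit and name.endswith(".exe") and edit_distance(name, legit) <= 2:
            return "look-alike of system binary %s" % legit
    return None


def check_entry(entry):
    """Map one HijackThis line to a review reason, or None if nothing stands out."""
    if entry.startswith("F2 - ") and "Shell=" in entry:
        shell = entry.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Shell= loads something besides Explorer.exe"
    if entry.startswith("O2 - BHO: (no name)"):
        return "anonymous browser helper object"
    if entry.startswith("O4 - "):
        return check_o4(entry)
    if entry.startswith("O7 - ") and "DisableRegedit=1" in entry:
        return "policy blocks the Registry Editor"
    if entry.startswith("O17 - ") and "NameServer" in entry:
        rogue = [ip for ip in IP_RE.findall(entry) if ip not in TRUSTED_DNS]
        if rogue:
            return "DNS overridden to untrusted resolver(s) " + ", ".join(rogue)
    if entry.startswith("O20 - AppInit_DLLs:") and entry.split(":", 1)[1].strip():
        return "AppInit_DLLs injects a DLL into every GUI process"
    return None


def triage(lines):
    """Return [(entry, reason)] for every line that trips a heuristic."""
    hits = []
    for line in lines:
        reason = check_entry(line.strip())
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample in the thread's log format (a subset of the posted entries).
SAMPLE = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe",
    r"O4 - HKLM\..\Run: [smgr] mgrs.exe",
    r"O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117",
    r"O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll",
]

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE):
        print("%-60s  %s" % (entry[:60], reason))
```

Entries the script does not flag (the genuine ctfmon.exe, the rundll32 NVIDIA entry, the empty R0 line) are not thereby clean; the unqualified-name rule will also surface legitimate bare names such as nwiz.exe, so the output is a review list, not a fix list.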

#3 Lancer_fabre

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:16 AM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\udsi.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {21162930-077E-488C-A184-63B5570FC5F1} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {2439BF68-E21E-4EDE-AB6F-F56069671621} - C:\Program Files\Windows NT\vigyretu4444.dll
O2 - BHO: (no name) - {32B0031B-5C0A-4956-A598-EE48BAF42957} - C:\Program Files\Windows NT\vigyretu555077.dll
O2 - BHO: &Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {6E275BBF-FD2A-4FDC-B6E1-2A7BC71B7640} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C1F881F4-15EC-4252-9045-82E7A58B7E57} - C:\Program Files\Windows NT\vigyretu83122.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_UDSI] "C:\Program Files\USB Storage RW\udsi.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ProcessGovernor] C:\Program Files\Process Lasso\processgovernor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1185394887859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1185397513109
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8633 bytes

ComboFix 07-11-19.3 - Elijah 2007-11-24 10:34:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.167 [GMT -8:00]
Running from: C:\Documents and Settings\Elijah\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\MANTEC~1
C:\Documents and Settings\Owner\Application Data\RACLE~1
C:\Documents and Settings\Owner\Application Data\searchtoolbarcorp
C:\Documents and Settings\Owner\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\Owner\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Documents and Settings\Owner\Application Data\TSKS~1
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\My Documents\SCURIT~1
C:\Documents and Settings\Owner\My Documents\SCURIT~1\s?curity\
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Sharele\Application Data\Starware
C:\Documents and Settings\Sharele\Application Data\Starware\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Sharele\Application Data\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Games\GamesOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Games\GamesOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Layouts\PreferencesLayout.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Layouts\PreferencesLayout.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Manager\ManagerOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Movies\MoviesOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Reference\ReferenceOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Screensavers\ScreensaversOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Screensavers\ScreensaversOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\SearchMatch\SearchMatchOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Sharele\Application Data\Starware\Weather\AlertArchive.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Weather\WeatherOptions.xml
C:\Documents and Settings\Sharele\Application Data\Starware\Weather\WeatherOptions.xml.backup
C:\Program Files\Common Files\{34576~1
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\ymante~1
C:\Program Files\crosof~1.net
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\icroso~1.net
C:\Program Files\mcroso~1
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Cache\000A84B0
C:\Program Files\MyWebSearch\bar\Cache\000A882A
C:\Program Files\MyWebSearch\bar\Cache\000A93D3.bin
C:\Program Files\MyWebSearch\bar\Cache\000A94BD.bin
C:\Program Files\MyWebSearch\bar\Cache\000A9598.bin
C:\Program Files\MyWebSearch\bar\Cache\000A96A1.bin
C:\Program Files\MyWebSearch\bar\Cache\000F6374.bin
C:\Program Files\MyWebSearch\bar\Cache\000F67B9.bin
C:\Program Files\MyWebSearch\bar\Cache\000F9CE3.bin
C:\Program Files\MyWebSearch\bar\Cache\000FA61A.bin
C:\Program Files\MyWebSearch\bar\Cache\000FA975.bin
C:\Program Files\MyWebSearch\bar\Cache\000FAD6D.bin
C:\Program Files\MyWebSearch\bar\Cache\000FAFBF.bin
C:\Program Files\MyWebSearch\bar\Cache\000FB1E2.bin
C:\Program Files\MyWebSearch\bar\Cache\0300C646.bin
C:\Program Files\MyWebSearch\bar\Cache\0300C83A.bin
C:\Program Files\MyWebSearch\bar\Cache\0300CD4B.bin
C:\Program Files\MyWebSearch\bar\Cache\05DF4C2D
C:\Program Files\MyWebSearch\bar\Cache\101C9668
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\oin search
C:\Program Files\oin search\Uninstall.exe
C:\Program Files\outlook
C:\Program Files\ucleaner_setup.exe
C:\Program Files\Ultimate Cleaner
C:\Program Files\ystem~1
C:\temp\tn3
C:\temp\tn3\Legend of Zelda, The - Ocarina of Time (U) (V1.2) [!].z64
C:\UGA6P
C:\WINDOWS\asembl~1
C:\WINDOWS\asembl~1\a?sembly\
C:\WINDOWS\IA
C:\WINDOWS\mantec~1
C:\WINDOWS\system32\_000103_.tmp.dll
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\bemwdll3.exe
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\i2\mper83122.exe
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem3~1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FMTR


((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-24 09:50 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-24 09:48 <DIR> d----c--- C:\Documents and Settings\Elijah\.SunDownloadManager
2007-11-24 08:45 <DIR> d-------- C:\Program Files\Avira
2007-11-24 08:45 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-23 23:24 <DIR> d----c--- C:\VundoFix Backups
2007-11-23 23:22 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-23 22:46 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-23 22:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 19:49 <DIR> d-------- C:\Program Files\CCleaner
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\WINDOWS
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\Symantec
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\Sonic
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\Share-to-Web Upload Folder
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\SampleView
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\InterTrust
2007-11-23 17:49 <DIR> d----c--- C:\Documents and Settings\Elijah\Application Data\interMute
2007-11-23 17:36 <DIR> d-------- C:\Program Files\Registrar Registry Manager
2007-11-23 17:36 38,960 --a------ C:\WINDOWS\system32\rrMon.sys
2007-11-23 17:31 <DIR> d-------- C:\Program Files\Process Lasso
2007-11-23 14:55 340,064 --a------ C:\WINDOWS\system32\mlljg.VIR
2007-11-23 14:55 6,968 --ahs---- C:\WINDOWS\system32\gjllm.ini
2007-11-23 14:55 6,854 --ahs---- C:\WINDOWS\system32\gjllm.ini2
2007-11-23 14:43 6 --a------ C:\WINDOWS\system32\reboot.txt
2007-11-23 13:41 6,795 --ahs---- C:\WINDOWS\system32\rrqss.ini
2007-11-23 13:41 317 --ahs---- C:\WINDOWS\system32\rrqss.ini2
2007-11-23 11:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-23 11:56 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-23 11:53 6,605 --ahs---- C:\WINDOWS\system32\orqss.ini
2007-11-23 11:53 317 --ahs---- C:\WINDOWS\system32\orqss.ini2
2007-11-17 14:52 433,996 --ahs---- C:\WINDOWS\system32\rqstv.ini
2007-11-17 14:52 317 --ahs---- C:\WINDOWS\system32\rqstv.ini2
2007-11-16 20:30 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-16 20:29 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2007-11-12 02:53 <DIR> d-------- C:\Program Files\1964

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 17:50 --------- d-----w C:\Program Files\Java
2007-11-24 16:32 --------- d-----w C:\Program Files\Google
2007-11-24 04:18 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-24 04:18 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2007-11-24 02:35 12,288 ----a-w C:\WINDOWS\mgrs.VIR
2007-11-24 00:45 --------- d---a-w C:\Program Files\Symantec
2007-11-23 22:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 21:35 --------- dc----w C:\Documents and Settings\All Users\Application Data\TimeHoldNounThunk
2007-11-23 21:35 --------- d-----w C:\Program Files\Common Files\ommf
2007-11-23 21:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Exit film
2007-11-12 21:14 --------- d-----w C:\Program Files\Project64 1.6
2007-09-30 00:10 --------- d-----w C:\Program Files\EndlessOnline
2006-08-18 23:26 103,088 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-08-04 01:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-08-13 17:04 32 --sha-w C:\WINDOWS\{6F6DB96B-C584-4A6C-A94F-5C1E2E0494FE}.dat
2007-05-27 03:02 1,491,173 --sha-w C:\WINDOWS\system32\accdd.ini2
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-01-26 04:28 56 --sh--r C:\WINDOWS\system32\B16DC7F304.sys
2007-07-24 06:12 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-28 23:00 1,401,163 --sha-w C:\WINDOWS\system32\kmllm.bak1
2007-04-27 23:00 1,399,333 --sha-w C:\WINDOWS\system32\kmllm.bak2
2007-04-29 06:53 1,463,140 --sha-w C:\WINDOWS\system32\kmllm.ini2
2007-05-25 03:09 643 --sha-w C:\WINDOWS\system32\wvubtbfn.ini2
2003-08-13 17:04 32 --sha-w C:\WINDOWS\system32\{2FB0919A-1265-4D4C-AB74-3F4CDFFF972C}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21162930-077E-488C-A184-63B5570FC5F1}]
C:\WINDOWS\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2439BF68-E21E-4EDE-AB6F-F56069671621}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Windows NT\vigyretu4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32B0031B-5C0A-4956-A598-EE48BAF42957}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Windows NT\vigyretu555077.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E275BBF-FD2A-4FDC-B6E1-2A7BC71B7640}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1F881F4-15EC-4252-9045-82E7A58B7E57}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Windows NT\vigyretu83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 22:44 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-23 23:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 22:04]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 23:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 23:11]
"KYE_UDSI"="C:\Program Files\USB Storage RW\udsi.exe" [2003-02-22 03:30]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 13:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 23:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 01:02]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 14:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-10 05:36]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 03:42]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-03 22:44 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 21:57]
"VTPreset"="VTPreset.exe" [2004-02-24 19:17 C:\WINDOWS\system32\VTPreset.exe]
"ddoctorv2"="C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 13:21]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 12:47 C:\WINDOWS\ALCXMNTR.EXE]
"ProcessGovernor"="C:\Program Files\Process Lasso\processgovernor.exe" [2006-02-25 16:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-24 08:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2002-08-21 22:48:26]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 13:11:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-21 01:20:02]
Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [2003-04-10 06:04:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 09:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 19:00:00 C:\WINDOWS\Tasks\AB4214C191B98AFD.job"
- c:\docume~1\owner\applic~1\exitfi~1\else bend idle.exe
"2007-11-24 18:04:06 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-12 06:00:00 C:\WINDOWS\Tasks\SmartDefrag.job"
- C:\Program Files\IObit\IObit SmartDefrag\schedule.exeA
"2007-07-25 20:20:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 10:58:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-24 11:01:09 - machine was rebooted
.
--- E O F ---
Username "Elijah" - 11/24/2007 9:59:33 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.2 85.255.112.117" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DB4BD76B-447B-47A5-8A40-8FC2CF03EE82}
"nameserver"="85.255.115.2,85.255.112.117" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{67411ACD-F722-47C1-B76A-8B39717AF81B}
"DhcpNameServer"="85.255.115.2,85.255.112.117" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....


C:\Program Files\Ultimate Cleaner < Found
C:\Program Files\XXXPlugin < Found
Additional tools are recommended.

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KYE_UDSI"="\"C:\\Program Files\\USB Storage RW\\udsi.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"VTPreset"="VTPreset.exe"
"ddoctorv2"="\"C:\\Program Files\\Comcast\\Desktop Doctor\\bin\\sprtcmd.exe\" /P ddoctorv2"
"AlcxMonitor"="ALCXMNTR.EXE"
"ProcessGovernor"="C:\\Program Files\\Process Lasso\\processgovernor.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
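The Fixwareout "Prerun check" and the ComboFix "Reg Loading Points" sections above carry the three indicators a responder reads first: resolver addresses written into the Tcpip Parameters keys, Browser Helper Object registrations (some pointing at files that no longer exist), and a non-empty AppInit_DLLs value. The following triage script is an added example, not part of the original thread and not code from Fixwareout, ComboFix or HijackThis. It parses a saved log in that shape and lists those indicators. The sample log is constructed from lines of the same form as the ones posted above (the third interface key and its 192.168.1.1 resolver are invented to show a value that passes), and the allow-list of RFC 1918 resolver ranges is an assumption to be replaced with the ISP's real resolvers where known.

```python
"""Triage helper for Fixwareout / ComboFix style logs (added example)."""
import re
from ipaddress import ip_address, ip_network

# Assumption: on a home LAN the only expected resolvers are the router's
# private (RFC 1918) address. Swap in the ISP's resolvers if they are known.
EXPECTED_RESOLVER_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample in the shape of the posted log; the third interface
# key and its 192.168.1.1 resolver are invented to show a clean entry.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.2 85.255.112.117" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DB4BD76B-447B-47A5-8A40-8FC2CF03EE82}
"nameserver"="85.255.115.2,85.255.112.117" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{11111111-2222-3333-4444-555555555555}
"DhcpNameServer"="192.168.1.1"
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21162930-077E-488C-A184-63B5570FC5F1}]
C:\WINDOWS\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2439BF68-E21E-4EDE-AB6F-F56069671621}]
2007-08-02 05:43 282624 --a------ C:\Program Files\Windows NT\vigyretu4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E275BBF-FD2A-4FDC-B6E1-2A7BC71B7640}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\ldcore.dll
"""

KEY_RE = re.compile(r"^(HKEY_[^\s\[\]]+)$", re.IGNORECASE)          # bare registry key line
NS_RE = re.compile(r'^"(nameserver|DhcpNameServer)"="([^"]*)"', re.IGNORECASE)
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-F-]+\})\]",
                    re.IGNORECASE)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.*)$', re.IGNORECASE)
# ComboFix prefixes a file with "date time size attrs "; strip that to get the path.
FILE_PREFIX_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.*)$")


def parse_nameservers(text):
    """Return [(registry_key, [ip, ...])] for every NameServer/DhcpNameServer value."""
    found, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)      # remember which key the next value belongs to
            continue
        m = NS_RE.match(line)
        if m and m.group(2).strip():
            ips = [ip for ip in re.split(r"[ ,]+", m.group(2).strip()) if ip]
            found.append((current_key, ips))
    return found


def unexpected_resolvers(servers):
    """Resolvers outside EXPECTED_RESOLVER_NETS (or not valid IPs at all)."""
    bad = []
    for ip in servers:
        try:
            addr = ip_address(ip)
        except ValueError:
            bad.append(ip)
            continue
        if not any(addr in net for net in EXPECTED_RESOLVER_NETS):
            bad.append(ip)
    return bad


def parse_bhos(text):
    """Return [(clsid, dll_path or None)]; None means the CLSID has no file behind it."""
    lines = [l.strip() for l in text.splitlines()]
    bhos = []
    for i, line in enumerate(lines):
        m = BHO_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not nxt or nxt.startswith("["):
            bhos.append((m.group(1), None))   # orphaned registration
            continue
        pm = FILE_PREFIX_RE.match(nxt)
        bhos.append((m.group(1), pm.group(1) if pm else nxt))
    return bhos


def parse_appinit(text):
    """AppInit_DLLs value; on a clean XP machine this is normally empty."""
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group(1).strip()
    return ""


def triage(text):
    """Collect the findings a responder would act on."""
    hijacked = []
    for key, ips in parse_nameservers(text):
        bad = unexpected_resolvers(ips)
        if bad:
            hijacked.append((key, bad))
    bhos = parse_bhos(text)
    return {
        "dns_hijack_keys": hijacked,
        "bhos": bhos,
        "orphan_bhos": [clsid for clsid, path in bhos if path is None],
        "appinit_dlls": parse_appinit(text),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Every interface key under Tcpip\Parameters\Interfaces is checked, not just the top-level one, because Fixwareout shows the rogue addresses were written per-interface as well; a fix that only clears the global NameServer leaves the per-interface values in place. The AppInit_DLLs check flags any non-empty value rather than matching a file name, since that value loads the named DLL into every process that links user32.dll and is empty on a stock XP install.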

#4
waterfalls (In Memoriam, Retired Staff, 94 posts)
Hi -

I forgot that both SDFix and FixWareout generate a log called "report.txt". So, assuming that you followed my directions, when you ran FixWareout it generated its log entitled report.txt and overwrote SDFix's log of the same name. Therefore, in your next reply, I need you to confirm that you ran SDFix, and tell me to the best of your recollection what happened when you ran it.

• Check to see if you have any of the following programs installed:
- Go to Start > Control Panel > Add/Remove Programs
Bitgrabber
BitRoll
CiD Help
CiD Manager
Download Plugin for Internet Explorer
Netpumper
Zone Media

If you do, then click each program that is installed > select Remove.
If, during uninstall, you are asked for the uninstall Verification, enter the numbers that appear in the window.
If you uninstalled any of the programs listed above, reboot your computer.

• Please download NoLop to your Desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished, you will be prompted to reboot only if infected; click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {21162930-077E-488C-A184-63B5570FC5F1} - C:\WINDOWS\system32\mlljg.dll (file missing)
O2 - BHO: (no name) - {2439BF68-E21E-4EDE-AB6F-F56069671621} - C:\Program Files\Windows NT\vigyretu4444.dll
O2 - BHO: (no name) - {32B0031B-5C0A-4956-A598-EE48BAF42957} - C:\Program Files\Windows NT\vigyretu555077.dll
O2 - BHO: (no name) - {6E275BBF-FD2A-4FDC-B6E1-2A7BC71B7640} - (no file)
O2 - BHO: (no name) - {C1F881F4-15EC-4252-9045-82E7A58B7E57} - C:\Program Files\Windows NT\vigyretu83122.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.117
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

• Open notepad and copy/paste the text inside the codebox below into it:
File::
C:\WINDOWS\system32\gjllm.ini
C:\WINDOWS\system32\gjllm.ini2
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\kmllm.bak1
C:\WINDOWS\system32\kmllm.bak2
C:\WINDOWS\system32\kmllm.ini2
C:\WINDOWS\system32\wvubtbfn.ini2
C:\WINDOWS\system32\ldcore.dll

Folder::
C:\Program Files\XXXPlugin
C:\Documents and Settings\Elijah\Start Menu\Programs\XXXPlugin

Registry::
[-HKEY_CURRENT_USER\XXXPlugin]
[-HKEY_CURRENT_USER\Software\XXXPlugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XXXPlugin]

Save this as CFScript.txt
Posted Image
As in the above picture, drag CFScript.txt onto ComboFix.exe
This will cause ComboFix to produce another log
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
Post back with the log.

• Go to Jotti's Malware Scan and scan the following files:
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\{6F6DB96B-C584-4A6C-A94F-5C1E2E0494FE}.dat
C:\WINDOWS\system32\B16DC7F304.sys
C:\WINDOWS\system32\{2FB0919A-1265-4D4C-AB74-3F4CDFFF972C}.dat
When you go to the site, you will see "File to upload & scan" at the top of the page. Click "Browse" and a "File Upload" window will open.
Navigate to the first file:
C:\WINDOWS\system32\everybodybets.32x32.4.ico
Click onto the file, click "Open" and then click "Submit"
Wait for the scan to finish. Copy the results because you will paste them in your next reply.
Repeat the steps for the next three files.
Post back in your next reply with the results from Jotti's on the four files.

You will need to print these instructions for the following step because you will be working in SAFE MODE without an Internet connection.

• Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files that were in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
• Finally, if the following folders are still present, open them and tell me what files are in each one. Do NOT click onto any of the files.
C:\Program Files\Windows NT
C:\Documents and Settings\Elijah\WINDOWS
C:\Program Files\Common Files\ommf

• Post back with the following information
- what occurred when you ran SDFix
- the results of the NoLop folder
- the results of the Jotti scan
- the results of the Dr. Web CureIt scan
- the information regarding the three folders
- and a new HijackThis log.