
Missing Wallpaper; Only sidebar & desktop icons/shortcuts are disp


  • This topic is locked

#1
dressydoll
  • Member
  • 12 posts
I had deleted the 'privacy_danger' folder in WINDOWS, but it said 'CANNOT FIND FILE privacy_danger/index.htm. blah blah' and I got a white-screen desktop. I followed the steps in 'BEFORE POSTING A HIJACKTHIS LOG', and what I got was just a 'FILE & FOLDER TASK' sidebar in Internet Explorer. Below is my HIJACKTHIS LOG.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:21 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\VistaDrive\VistaDrive.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 4948 bytes

What I got?
Posted Image

Edited by dressydoll, 23 May 2008 - 03:33 PM.

  • 0


#2
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Hi dressydoll,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
Deckard's System Scanner
OTMoveIt2 by OldTimer.


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for all the entries listed below:
O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O24 - Desktop Component 0: Privacy Protection - (no file)

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt.
I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of
  • main.txt
  • extra.txt
in your next reply.



Cheers,

sage5
  • 0
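The log in post #1 and the entries singled out in post #2 follow a regular line format, so triage of a HijackThis log can be scripted. The following is an added example written for this thread, not code from Geeks to Go, HijackThis or the helper; the sample lines are copied from the log above, and the two review cues (a load point whose target file is reported missing, and a RunOnce entry under a built-in account) are this example's own heuristics that mirror what the helper selected, not rules from the tool.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# One HijackThis entry: a section code (R0, O2, O4, O24, ...) then " - " then the detail.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Trailing "(User 'NAME')" that HijackThis appends to per-user (HKUS) entries.
USER_RE = re.compile(r"\(User '(?P<user>[^']+)'\)\s*$")

# Built-in accounts whose RunOnce entries were selected for removal in post #2 (this
# example's own review cue, not a HijackThis rule).
SERVICE_ACCOUNTS = {"LOCAL SERVICE", "NETWORK SERVICE", "SYSTEM", "Default user"}


@dataclass
class HjtEntry:
    code: str
    body: str
    user: str = ""
    flags: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.flags)


def parse_log(text: str) -> List[HjtEntry]:
    """Turn the R*/F*/N*/O* lines of a HijackThis log into entries; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines, "End of file"
        body = m.group("body")
        um = USER_RE.search(body)
        entries.append(HjtEntry(code=m.group("code"), body=body,
                                user=um.group("user") if um else ""))
    return entries


def apply_flags(entry: HjtEntry) -> HjtEntry:
    """Attach review cues; these heuristics are the example's own."""
    if entry.body.endswith("(file missing)") or "(no file)" in entry.body:
        # A load point whose target no longer exists, typically left behind after
        # the file itself was deleted or quarantined.
        entry.flags.append("target-missing")
    if entry.code == "O4" and "RunOnce" in entry.body and entry.user in SERVICE_ACCOUNTS:
        # RunOnce registered under a built-in account rather than a logged-on user.
        entry.flags.append("runonce-service-account")
    return entry


def triage(text: str) -> List[HjtEntry]:
    """Parse a whole log and attach review cues to every entry."""
    return [apply_flags(e) for e in parse_log(text)]


def flagged_lines(text: str) -> List[str]:
    """Reconstructed log lines for every flagged entry, in log order."""
    return [f"{e.code} - {e.body}" for e in triage(text) if e.flagged]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        marker = ",".join(e.flags) if e.flagged else "ok"
        print(f"[{marker:>24}] {e.code} - {e.body}")
```

Run against the sample, four of the seven entries come back flagged (the nameless BHO, the qtvglped toolbar, the RunOnce under LOCAL SERVICE, and the Desktop Component), while the Java ssv.dll BHO and the Kaspersky Run entry, whose files are present, are left alone. A flag is a prompt to look, not a verdict: the helper in post #2 still decides which checked entries to fix.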

#3
dressydoll
  • Topic Starter
  • Member
  • 12 posts
Hi Sage.

Here's your request.

main.txt
Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-22 08:10:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

CreateFirstRunRp is disabled or missing; attempting to fix...success.
Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 223 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:51 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 4529 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080522-074911-211 O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
backup-20080522-074911-289 O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
backup-20080522-074911-371 O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
backup-20080522-074911-410 O24 - Desktop Component 0: Privacy Protection - (no file)
backup-20080522-074911-509 O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
backup-20080522-074911-557 O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
backup-20080522-074911-841 O3 - Toolbar: qtvglped - {65C76A0A-B5A4-4170-8F62-947A0145677C} - C:\WINDOWS\qtvglped.dll (file missing)
backup-20080522-074911-944 O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - unable to read value
.js - jsfile - shell\open\command - unable to read value
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.vbs - vbsfile - DefaultIcon - unable to read value
.vbs - vbsfile - shell\open\command - unable to read value
.vbs - vbsfile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-22 and 2008-05-22 -----------------------------

2008-05-21 18:36:21 0 d-------- C:\Program Files\Panda Security
2008-05-21 18:36:18 1829 --a------ C:\WINDOWS\mozver.dat
2008-05-21 17:56:59 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-21 17:38:06 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 17:37:44 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 17:37:44 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-21 17:37:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 17:21:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-21 17:21:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 17:21:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 17:20:48 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 17:04:35 0 d-------- C:\Program Files\Trend Micro
2008-05-19 11:14:31 0 d-------- C:\Documents and Settings\Guest\Application Data\WinRAR
2008-05-12 00:26:06 0 d-------- C:\Documents and Settings\Guest\Application Data\Mozilla
2008-05-11 23:25:32 18088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-09 11:25:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-09 11:11:19 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-09 11:05:07 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-09 06:47:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-05-09 06:46:18 0 d-------- C:\Program Files\VSO
2008-05-09 05:10:05 0 d-------- C:\Program Files\twhirl
2008-04-25 08:34:14 0 d-------- C:\Program Files\CoreFTP
2008-04-24 21:40:46 0 d-------- C:\Documents and Settings\Guest\C
2008-04-23 23:32:40 0 d-------- C:\Documents and Settings\Owner\Application Data\WinRAR
2008-04-23 22:15:19 0 d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-04-23 18:08:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-05-21 22:45:57 0 d-------- C:\Documents and Settings\Owner\Application Data\CoreFTP
2008-05-21 22:32:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 22:31:34 0 d-------- C:\Program Files\Common Files\InstallShield
2008-05-21 22:00:00 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-05-21 17:37:07 0 d-------- C:\Program Files\Common Files
2008-05-20 20:17:03 0 dr-h----- C:\Documents and Settings\Owner\Application Data\yahoo!
2008-05-20 20:16:33 0 d-------- C:\Program Files\Yahoo!
2008-04-21 20:02:08 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-04-21 03:08:24 0 d-------- C:\Documents and Settings\Owner\Application Data\Help
2008-04-17 23:30:48 0 d-------- C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2008-04-17 23:28:26 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-17 14:08:42 0 -rahs---- C:\MSDOS.SYS
2008-04-17 14:08:42 0 -rahs---- C:\IO.SYS
2008-04-17 14:08:42 0 --a------ C:\CONFIG.SYS
2008-04-17 14:08:42 0 --a------ C:\AUTOEXEC.BAT
2008-04-17 14:05:03 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-17 14:04:16 0 d-------- C:\Program Files\Online Services
2008-04-17 14:03:27 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-17 14:03:18 0 d-------- C:\Program Files\Foxit
2008-04-17 14:03:06 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-17 14:02:53 0 d-------- C:\Program Files\Windows NT
2008-04-17 09:55:10 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-17 09:55:04 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-17 09:54:34 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2008-04-17 04:03:51 0 d-------- C:\Program Files\Java
2008-04-17 03:35:22 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2008-04-17 03:27:35 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-17 03:21:46 0 d-------- C:\Program Files\Kaspersky Lab
2008-04-17 03:16:31 0 d-------- C:\Program Files\VIA
2008-04-17 02:52:30 121853 --a------ C:\DMKeygen_packed.exe
2008-04-17 02:52:22 0 d-------- C:\Program Files\Driver Magician
2008-04-17 02:49:33 0 d--

extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 1.70GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 222.48 MiB / 79.6 MiB
Pagefile Memory (total/avail): 545.64 MiB / 262.33 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913 MiB

C: is Fixed (NTFS) - 9.49 GiB total, 5.51 GiB free.

\\.\PHYSICALDRIVE0 - SAMSUNG SV1022D - 9.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.49 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=22NDSTRE-CEFA6F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\22NDSTRE-CEFA6F
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\Program Files\ImageConverter Plus;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=22NDSTRE-CEFA6F
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

Adobe AIR --> MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Core FTP LE 2.1 --> C:\PROGRA~1\CoreFTP\UNWISE.EXE C:\PROGRA~1\CoreFTP\INSTALL.LOG
CPL All-in-One --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CPLBonus.inf,CPLuninstall
Driver Magician 3.27 --> "C:\Program Files\Driver Magician\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Kaspersky Anti-Virus 6.0 --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Btw, can I now delete the Deckard file folder?
  • 0

#4
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
The Main.txt seems to have got cut off at:

2008-04-17 02:52:22 0 d-------- C:\Program Files\Driver Magician
2008-04-17 02:49:33 0 d--


Please double check that it all got posted.

The extra.txt file got cut off at:

Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe


Can you send me the rest of those files please?

Cheers,

sage5

Edited by sage5, 22 May 2008 - 06:33 AM.

  • 0

#5
dressydoll
  • Topic Starter
  • Member
  • 12 posts
I don't know what happened, but the EXTRA.txt file here really ended at the text you've quoted.

What should I do?
  • 0

#6
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
Did the scan get interrupted at all?
  • 0

#7
dressydoll
  • Topic Starter
  • Member
  • 12 posts
I don't think so because the scan was completed and closed automatically after it was done.
  • 0

#8
sage5
    RIP 10/2009
  • Retired Staff
  • 2,646 posts
OK, we will continue on.

Please download the following & save to your Desktop:
ComboFix


Fix File Associations:
  • Go to Start > Run and type or paste "%userprofile%\desktop\dss.exe" /daft
  • Click on the Scan button.
  • Place a checkmark next to all the entries that appear in red
  • Click the Fix button.
  • Re-scan and save the logfile. This will default to daft.txt
  • Save it to your C:\ drive, I'll need that log later.
If everything is ok again, it should display the "all associations ok" message.




Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Cheers,

sage5

Edited by sage5, 22 May 2008 - 06:40 AM.

  • 0

#9
dressydoll
  • Topic Starter
  • Member
  • 12 posts
Here's the combofix.txt

ComboFix 08-05-21.2 - Owner 2008-05-22 8:50:12.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 08:48 . 2008-05-22 09:01 <DIR> d-------- C:\QooBox
2008-05-22 08:48 . 2008-05-22 09:07 <DIR> d-------- C:\ComboFix
2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard
2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard
2008-05-21 21:58 . 2008-05-21 20:24 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-21 18:36 . 2008-05-21 18:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:36 . 2008-05-21 18:36 1,829 --a------ C:\WINDOWS\mozver.dat
2008-05-21 17:38 . 2008-05-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 17:37 . 2008-05-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-21 17:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-21 17:20 . 2008-05-21 17:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 21:40 . 2008-05-20 21:41 588,948 --a------ C:\WINDOWS\Tec21.jpg
2008-05-19 23:58 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-05-19 23:58 . 2007-03-07 19:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-11 23:25 . 2008-05-11 23:25 18,088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-09 11:25 . 2008-05-09 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-09 11:11 . 2008-05-09 11:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-09 11:05 . 2008-05-21 21:53 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-09 06:47 . 2008-05-19 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-05-09 06:46 . 2008-05-09 06:46 <DIR> d-------- C:\Program Files\VSO
2008-05-09 05:10 . 2008-05-09 05:10 <DIR> d-------- C:\Program Files\twhirl
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\CoreFTP
2008-04-24 21:40 . 2008-04-24 21:40 <DIR> d-------- C:\Documents and Settings\Guest\C
2008-04-23 17:14 . 2004-04-19 17:53 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 11:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 05:46 275,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-22 05:46 22,004 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-22 05:46 159,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-22 05:46 11,872,032 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2008-05-22 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 02:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-21 00:17 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo!
2008-05-21 00:16 --------- d-----w C:\Program Files\Yahoo!
2008-05-21 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-24 02:15 --------- d-----w C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-04-20 02:36 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-20 02:36 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-18 03:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2008-04-18 03:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-04-17 18:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-17 18:03 --------- d-----w C:\Program Files\Foxit
2008-04-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 08:03 --------- d-----w C:\Program Files\Java
2008-04-17 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-17 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-17 07:21 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-17 07:16 --------- d-----w C:\Program Files\VIA
2008-04-17 06:52 121,853 ----a-w C:\DMKeygen_packed.exe
2008-04-17 06:52 --------- d-----w C:\Program Files\Driver Magician
2008-04-17 06:49 --------- d-----w C:\Program Files\Common Files\Java
.

------- Sigcheck -------

2007-05-03 07:37 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys

2007-05-02 01:13 1422336 d66456c66d07a423f2e48c2526ae260c C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 02:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 18:29 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 577536 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 18:29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-21 18:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d18d-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc9a916-0c6c-11dd-9730-0016ec22ecdc}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c10cccd2-0c5a-11dd-9730-0016ec22ecdc}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 09:06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 9:12:08
ComboFix-quarantined-files.txt 2008-05-22 13:11:27

Pre-Run: 5,880,741,888 bytes free
Post-Run: 5,830,983,680 bytes free

152

What should I do with HijackThis? A system scan only? Or with a logfile?

Edited by dressydoll, 22 May 2008 - 07:23 AM.


#10
sage5 (RIP 10/2009), Retired Staff, 2,646 posts
Create a fresh log file with it & paste it back here as well.

#11
dressydoll (Topic Starter), Member, 12 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:18 AM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 4298 bytes

#12
sage5 (RIP 10/2009), Retired Staff, 2,646 posts
Hi dressydoll,

Create a ComboFix Script:
  • Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\emptyregdb.dat
C:\DMKeygen_packed.exe

Folder::
C:\WINDOWS\VistaDrive
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d18d-109f-11dd-9741-0016ec22ecdc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc9a916-0c6c-11dd-9730-0016ec22ecdc}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c10cccd2-0c5a-11dd-9730-0016ec22ecdc}]


  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    [animation: CFScript.txt dragged onto ComboFix.exe]
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Cheers,

sage5
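The three mountpoints2 keys in the script above are entries Explorer caches per volume it has seen; each one records the AutoRun, Open and Explore commands it read from that drive's autorun.inf, so a command naming an executable or a script interpreter means that opening the drive ran code from it. The Python below is an added example, not code from the thread, from ComboFix or from HijackThis: it pulls the mountpoints2 blocks out of a ComboFix "Reg Loading Points" dump and flags the ones whose command does more than open the drive root. Its input is the four blocks copied from the ComboFix log posted earlier in the thread; the interpreter names and file extensions it matches are a heuristic chosen for this example. Run against the log in the next reply, it would still flag {aa46d186-109f-11dd-9741-0016ec22ecdc}, which was not among the keys the script removed.

```python
"""Flag autorun hijacks in the "mountpoints2" blocks of a ComboFix log.

Added example, not part of the thread or of ComboFix. MountPoints2 is the
per-user key where Explorer caches, for each volume it has seen, the
AutoRun, Open and Explore shell commands read from that volume's
autorun.inf. A command that names an executable or a script interpreter
means opening the drive runs code from it."""
import re

# Sample input: the four mountpoints2 blocks copied from the ComboFix log
# posted earlier in this thread; the rest of the log is omitted.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d18d-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adc9a916-0c6c-11dd-9730-0016ec22ecdc}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\__.vbs
\Shell\open\Command - WScript.exe .\__.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c10cccd2-0c5a-11dd-9730-0016ec22ecdc}]
\Shell\AutoRun\command - SilentSoftech.exe
\Shell\explore\command - SilentSoftech.exe
\Shell\open\command - SilentSoftech.exe
\Shell\var1\command - SilentSoftech.exe
"""

KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.*)$", re.I)

# Heuristic lists chosen for this example (not from ComboFix or HijackThis).
INTERPRETERS = ("wscript", "cscript", "cmd.exe", "rundll32", "mshta")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_mountpoints(text):
    """Return {guid: {verb: command}} for every mountpoints2 block in the log."""
    entries, guid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group("guid").lower()
            entries[guid] = {}
            continue
        m = CMD_RE.match(line)
        if m and guid is not None:
            entries[guid][m.group("verb").lower()] = m.group("cmd").strip()
    return entries


def classify(command):
    """Return why a shell command looks like autorun malware, or None if benign."""
    c = command.strip().lower()
    if re.fullmatch(r"[a-z]:\\?", c):          # "E:\" merely opens the drive root
        return None
    if any(tok in c for tok in INTERPRETERS):
        return "launches code through an interpreter or stub: " + command
    first = c.split()[0] if c else ""
    if first.endswith(EXEC_EXT):
        return "runs a file carried on the drive: " + command
    return None


def triage(text):
    """Return {guid: sorted list of reasons} for blocks with a suspicious command."""
    findings = {}
    for guid, verbs in parse_mountpoints(text).items():
        reasons = sorted({r for r in map(classify, verbs.values()) if r})
        if reasons:
            findings[guid] = reasons
    return findings


if __name__ == "__main__":
    for guid, reasons in triage(SAMPLE_LOG).items():
        print(guid)
        for r in reasons:
            print("    -", r)
```

Paste the whole "Reg Loading Points" section of a log into SAMPLE_LOG (or read it from a file) and every key that is listed is a candidate for removal; a block whose only command is a bare drive root, like the E:\ AutoRun entry above, is not flagged on its own.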

#13
dressydoll (Topic Starter), Member, 12 posts
Combofix

ComboFix 08-05-21.2 - Owner 2008-05-23 13:11:07.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DMKeygen_packed.exe
C:\WINDOWS\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DMKeygen_packed.exe
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\accounts.xml
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\twhirl.log
C:\Documents and Settings\Owner\Application Data\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1\Local Store\update.air
C:\WINDOWS\system32\emptyregdb.dat
C:\WINDOWS\VistaDrive
C:\WINDOWS\VistaDrive\0.ico
C:\WINDOWS\VistaDrive\100.ico
C:\WINDOWS\VistaDrive\16.ico
C:\WINDOWS\VistaDrive\17.ico
C:\WINDOWS\VistaDrive\25.ico
C:\WINDOWS\VistaDrive\33.ico
C:\WINDOWS\VistaDrive\41.ico
C:\WINDOWS\VistaDrive\42.ico
C:\WINDOWS\VistaDrive\50.ico
C:\WINDOWS\VistaDrive\58.ico
C:\WINDOWS\VistaDrive\67.ico
C:\WINDOWS\VistaDrive\75.ico
C:\WINDOWS\VistaDrive\8.ico
C:\WINDOWS\VistaDrive\83.ico
C:\WINDOWS\VistaDrive\92.ico
C:\WINDOWS\VistaDrive\99.ico
C:\WINDOWS\VistaDrive\s100.ico
C:\WINDOWS\VistaDrive\s16.ico
C:\WINDOWS\VistaDrive\s17.ico
C:\WINDOWS\VistaDrive\s25.ico
C:\WINDOWS\VistaDrive\s33.ico
C:\WINDOWS\VistaDrive\s41.ico
C:\WINDOWS\VistaDrive\s42.ico
C:\WINDOWS\VistaDrive\s50.ico
C:\WINDOWS\VistaDrive\s58.ico
C:\WINDOWS\VistaDrive\s67.ico
C:\WINDOWS\VistaDrive\s75.ico
C:\WINDOWS\VistaDrive\s8.ico
C:\WINDOWS\VistaDrive\s83.ico
C:\WINDOWS\VistaDrive\s92.ico
C:\WINDOWS\VistaDrive\s99.ico
C:\WINDOWS\VistaDrive\vistadrive.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\restore
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\WINDOWS\srchasst
2008-05-22 09:14 . 2008-05-22 09:14 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-22 08:19 . 2008-05-22 08:19 <DIR> d-------- C:\Deckard
2008-05-21 21:58 . 2008-05-21 20:24 3 --a------ C:\WINDOWS\Twain001.Mtx
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk003.MTX
2008-05-21 21:58 . 2008-05-21 21:58 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-05-21 18:36 . 2008-05-21 18:38 <DIR> d-------- C:\Program Files\Panda Security
2008-05-21 18:36 . 2008-05-21 18:36 1,829 --a------ C:\WINDOWS\mozver.dat
2008-05-21 17:38 . 2008-05-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-21 17:37 . 2008-05-21 18:29 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-21 17:37 . 2008-05-21 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-21 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 17:21 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-21 17:21 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-21 17:20 . 2008-05-21 17:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 17:04 . 2008-05-21 17:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 21:40 . 2008-05-20 21:41 588,948 --a------ C:\WINDOWS\Tec21.jpg
2008-05-19 23:58 . 2007-03-07 19:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-05-19 23:58 . 2007-03-07 19:51 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-19 23:58 . 2007-03-07 19:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-11 23:25 . 2008-05-11 23:25 18,088 --a------ C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-09 11:25 . 2008-05-09 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-09 11:11 . 2008-05-09 11:11 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-09 11:05 . 2008-05-21 21:53 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-09 06:47 . 2008-05-19 22:50 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Vso
2008-05-09 06:46 . 2008-05-09 06:46 <DIR> d-------- C:\Program Files\VSO
2008-05-09 05:10 . 2008-05-09 05:10 <DIR> d-------- C:\Program Files\twhirl
2008-04-25 08:34 . 2008-04-25 08:34 <DIR> d-------- C:\Program Files\CoreFTP
2008-04-24 21:40 . 2008-04-24 21:40 <DIR> d-------- C:\Documents and Settings\Guest\C
2008-04-23 22:15 . 2008-04-23 22:15 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2008-04-23 17:14 . 2004-04-19 17:53 1,706,800 --a------ C:\WINDOWS\system32\gdiplus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 17:29 275,744 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-23 17:29 22,484 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-23 17:29 164,192 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-23 17:29 11,972,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-23 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\CoreFTP
2008-05-22 02:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 02:31 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-21 00:17 --------- d--h--r C:\Documents and Settings\Owner\Application Data\yahoo!
2008-05-21 00:16 --------- d-----w C:\Program Files\Yahoo!
2008-05-21 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-20 02:36 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-20 02:36 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-18 03:28 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-04-17 18:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-17 18:03 --------- d-----w C:\Program Files\Foxit
2008-04-17 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 08:03 --------- d-----w C:\Program Files\Java
2008-04-17 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-17 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-17 07:21 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-17 07:16 --------- d-----w C:\Program Files\VIA
2008-04-17 06:52 --------- d-----w C:\Program Files\Driver Magician
2008-04-17 06:49 --------- d-----w C:\Program Files\Common Files\Java
.

------- Sigcheck -------

2007-05-03 07:37 360704 a11391be25035570ae4b8970920f2c74 C:\WINDOWS\system32\drivers\tcpip.sys

2007-05-02 01:13 1422336 d66456c66d07a423f2e48c2526ae260c C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-22_ 9.09.58.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 06:49:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 17:30:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 02:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-21 18:29 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 19:22 577536 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2007-03-09 19:50 200768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-21 18:29 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-05-21 18:29 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa46d186-109f-11dd-9741-0016ec22ecdc}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Desktop.exe
\Shell\Explore\Command - Desktop.exe
\Shell\Open\Command - Desktop.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 13:31:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-23 13:41:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 17:40:31
ComboFix2.txt 2008-05-22 13:12:12

Pre-Run: 5,833,953,280 bytes free
Post-Run: 5,871,206,400 bytes free

188

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:53 PM, on 5/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 4099 bytes

#14
sage5 (RIP 10/2009), Retired Staff, 2,646 posts
Hi dressydoll,

Export a Registry Key:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files, and name it Export.bat

@echo off
regedit.exe /e C:\export.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components"
exit
Double-click Export.bat. A window will open and close. This is normal.

Please paste the text from C:\export.txt

#15
dressydoll (Topic Starter), Member, 12 posts
Sage5, here's what I got.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000002
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,02,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,f4,01,00,00,f4,01,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,01,00,00,00,00,02,00,00,c8,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c8,01,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c8,01,\
00,00,01,00,00,00
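What the export above shows: Active Desktop draws every subkey under Desktop\Components as an HTML layer on the desktop, with Source naming the page or file it displays and Position holding a COMPPOS structure (eleven little-endian 32-bit values: size, left, top, width, height, z-index, three resize flags and two preferred-percent values). Component 0 has an empty Source and SubscribedURL, the name "Privacy Protection", and a Position that decodes to 1024x738 pixels at the top-left corner, i.e. a blank layer over the whole desktop; it is the entry HijackThis reports as "O24 - Desktop Component 0: Privacy Protection - (no file)". Component 1 is the stock About:Home page. The Python below is an added example, not code from the thread: it parses the .reg export (including the backslash line continuations), decodes each component's Position, and flags components with no Source or with a full-screen position; the "anchored at 0,0 and at least 800 pixels wide" rule is a heuristic chosen for this example.

```python
"""Audit an exported Active Desktop "Components" key (.reg text) for a
desktop-hijack component. Added example; it is not code from the thread.
Position is a COMPPOS structure: dwSize, iLeft, iTop, dwWidth, dwHeight,
izIndex, fCanResize, fCanResizeX, fCanResizeY, iPreferredLeftPercent,
iPreferredTopPercent (eleven little-endian 32-bit values)."""
import re
import struct

# Sample input: the export posted above, trimmed to the values read here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"Settings"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=""
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,01,00,00,00,00,02,00,00,c8,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"""

COMPONENTS_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s):
    """Undo .reg string escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_value(v):
    """Classify one right-hand side: ("sz", str), ("dword", int) or ("hex", bytes)."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return ("sz", unescape(v[1:-1]))
    if v.startswith("dword:"):
        return ("dword", int(v[6:], 16))
    if v.startswith("hex:"):
        return ("hex", bytes(int(b, 16) for b in v[4:].split(",") if b))
    return ("raw", v)


def parse_reg(text):
    """Return {key: {value_name: (kind, value)}}, joining backslash line continuations."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = parse_value(m.group(2))
    return keys


def decode_position(blob):
    """Decode COMPPOS; returns None if the blob is too short."""
    if len(blob) < 44:
        return None
    f = struct.unpack("<IiiIIiIIIii", blob[:44])
    return {"left": f[1], "top": f[2], "width": f[3], "height": f[4], "zindex": f[5]}


def audit_components(text):
    """One dict per Components subkey, with the reasons it looks like a hijack."""
    report = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(COMPONENTS_KEY.lower() + "\\"):
            continue
        source = values.get("Source", ("sz", ""))[1]
        pos = decode_position(values["Position"][1]) if "Position" in values else None
        reasons = []
        if not source.strip():
            reasons.append("Source is empty: the layer shows nothing but still covers its Position")
        # Heuristic chosen for this example: anchored at 0,0 and at least 800 px wide.
        if pos and pos["left"] == 0 and pos["top"] == 0 and pos["width"] >= 800:
            reasons.append("full-desktop layer: %dx%d at the top-left corner" % (pos["width"], pos["height"]))
        report.append({"key": key.rsplit("\\", 1)[1], "name": values.get("FriendlyName", ("sz", ""))[1],
                       "source": source, "position": pos, "reasons": reasons, "suspicious": bool(reasons)})
    return report


if __name__ == "__main__":
    for c in audit_components(SAMPLE_REG):
        flag = "HIJACK?" if c["suspicious"] else "ok"
        print("Component %s [%s] %r source=%r %s" % (c["key"], flag, c["name"], c["source"], c["position"]))
        for r in c["reasons"]:
            print("    -", r)
```

Point the script at the C:\export.txt produced by Export.bat instead of SAMPLE_REG and it reports each component the same way; a component that shows About:Home at a normal offset, like component 1 here, is not flagged.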





