[fenzodahl512]

Erm.. about the green entry.. If you haven't put anything to restrict your Internet Explorer setting, then just check them for fix

[Advertisements]

Well I really don't mess with my internet options at all, except like changing my home page and stuff like that from time to time, but I've never set any limits for my internet, so I guess it's alright for me to check the green entry then

Edited by wrecklesskane, 30 May 2008 - 05:29 PM.

[wrecklesskane]

Well I really don't mess with my internet options at all, except like changing my home page and stuff like that from time to time, but I've never set any limits for my internet, so I guess it's alright for me to check the green entry then

Edited by wrecklesskane, 30 May 2008 - 05:29 PM.

[wrecklesskane]

Ok I'm gonna do the ComboFix thing again, so stand by, I will have the logs very shortly

[wrecklesskane]

Ok here is a Combofix.txt log and a fresh HijackThis log, hope you make good us of them





ComboFix 08-05-28.4 - Administrator 05/30/2008 18:43:49.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.155 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 18:43 . 05/30/08 06:43p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_208.dat
2008-05-29 04:49 . 05/29/08 04:49a <DIR> d-------- C:\Deckard
2008-05-26 04:18 . 05/26/08 04:18a <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 03:47 . 05/26/08 03:47a 45 --a------ C:\WINNT\system32\RPVersion.ini
2008-05-26 03:43 . 05/26/08 03:45a <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-05-26 03:43 . 12/17/99 10:43p 86,016 --a------ C:\WINNT\unvise32.exe
2008-05-19 00:48 . 04/29/08 01:14p 208,896 --a------ C:\WINNT\system32\ConTest.dll
2008-05-19 00:48 . 07/03/07 11:48a 20,480 --a------ C:\WINNT\system32\SysRestore.dll
2008-05-17 21:53 . 05/17/08 09:53p <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:45 . 02/22/08 02:33a 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-05-05 02:44 . 05/05/08 02:45a <DIR> d-------- C:\Program Files\Java
2008-05-05 01:12 . 05/05/08 01:13a <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2008-04-28 05:43 . 04/28/08 05:43a <DIR> d-------- C:\WINNT\Sun
2008-04-28 05:16 . 04/28/08 05:16a 1,160 --a------ C:\WINNT\mozver.dat
2008-04-27 17:02 . 11/30/99 01:33a 8,976 --a------ C:\WINNT\system32\kbdjpn.dll
2008-04-27 17:02 . 11/30/99 01:33a 8,976 --a--c--- C:\WINNT\system32\dllcache\kbdjpn.dll
2008-04-27 17:02 . 11/30/99 01:33a 7,440 --a------ C:\WINNT\system32\kbd106.dll
2008-04-27 17:02 . 11/30/99 01:33a 7,440 --a--c--- C:\WINNT\system32\dllcache\kbd106.dll
2008-04-25 22:51 . 04/25/08 10:51p <DIR> d---s---- C:\Documents and Settings\Default User\UserData
2008-04-25 22:31 . 11/30/99 01:33a 8,464 --a------ C:\WINNT\system32\kbdkor.dll
2008-04-25 22:31 . 11/30/99 01:33a 8,464 --a--c--- C:\WINNT\system32\dllcache\kbdkor.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,928 --a------ C:\WINNT\system32\kbd101c.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,928 --a--c--- C:\WINNT\system32\dllcache\kbd101c.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,416 --a------ C:\WINNT\system32\kbd103.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,416 --a------ C:\WINNT\system32\kbd101b.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,416 --a--c--- C:\WINNT\system32\dllcache\kbd103.dll
2008-04-25 22:31 . 11/30/99 01:33a 6,416 --a--c--- C:\WINNT\system32\dllcache\kbd101b.dll
2008-04-23 16:25 . 04/24/08 03:53a <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-23 15:36 . 04/23/08 03:36p 0 --a------ C:\WINNT\nsreg.dat
2008-04-21 01:22 . 07/30/07 07:18p 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-04-21 01:22 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-04-21 01:22 . 07/30/07 07:19p 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-04-21 01:22 . 07/30/07 07:18p 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-04-05 21:18 . 04/05/08 09:22p <DIR> d-------- C:\WINNT\system32\Adobe
2008-04-01 23:54 . 04/01/08 11:54p <DIR> d-------- C:\Program Files\Adaptec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 03:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 07:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-02 22:11 --------- d-----w C:\Program Files\Google
2008-03-29 19:13 1 ---h--w C:\Boots.sys
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2008-03-26 12:45 1,728,512 ----a-w C:\WINNT\system32\gdiplus.dll
2008-03-19 12:30 507,658 ----a-w C:\WINNT\java\Packages\GCR77R1N.ZIP
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-02-19 17:08 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
2008-02-15 15:17 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-02-15 13:24 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
2006-12-15 13:43 271 ------w C:\Program Files\desktop.ini
2006-12-15 13:43 21,952 ------w C:\Program Files\folder.htt
2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((( snapshot@Thu 05-29-2008_ 8.39.04.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINNT\ERDNT\subs\ERDNT.EXE
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW1192\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW768\_PerfCounter.dll
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_mscorlib.dll
+ 2003-02-21 00:09:18 77,824 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_mscorwks.dll
+ 2003-02-21 09:42:22 348,160 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINNT\Microsoft.NET\Framework\v1.1.4322\SHADOW896\_PerfCounter.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [11/21/06 12:05p 837632]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p 111376 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a 144784]
"Tweak UI"="TWEAKUI.CPL" [06/18/00 02:03p 106544 C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p 171448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 03:05p 186640]
"FlashPlayerUpdate"="C:\WINNT\system32\Macromed\Flash\GetFlash.exe" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
O�_EOý�I.txt [2008-03-29 15:13:54 51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
Mozilla Firefox (Safe Mode).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2008-04-23 15:35:49 7660656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [10/23/99 08:22a]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 07:30:00 C:\WINNT\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 18:46:10
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 05/30/2008 18:47:20
ComboFix-quarantined-files.txt 2008-05-30 22:47:14
ComboFix2.txt 2008-05-29 21:48:05
ComboFix3.txt 2008-05-29 12:39:29

Pre-Run: 3,565,064,192 bytes free
Post-Run: 4,130,627,584 bytes free

276 --- E O F --- 2008-05-30 12:28:29









Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:41 PM, on 5/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Õü¾ÈÓ²ÅÌ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Õü¾ÈÓ²ÅÌ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 3898 bytes

[fenzodahl512]

Hello.. Thanks for the reply.. Well, lets do the following..


Please manually navigate and delete this file..

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt



NEXT


Please re-open HijackThis and click on Do a system scan only. Check the boxes next to all the entries listed below.

O4 - .DEFAULT Startup: Õü¾ÈÓ²ÅÌ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Õü¾ÈÓ²ÅÌ.txt (User 'Default user')

Now close all windows other than HijackThis, then click Fix checked. Close HijackThis.



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Please post the following logs in your next reply

1. MalwareBytes'
2. A fresh Deckard System Scanner log (after MalwareBytes' log)


Regards
fenzodahl512

[wrecklesskane]

I'm sorry but I don't know how to manually delete file, can you tell me where to go, to do that? I'm really sorry for all these questions, I know I'm a big newby still

[fenzodahl512]

Ah.. don't worry.. we'll get to that..

Using Windows Explorer, please delete the following files and folders (if present): (To get into Windows Explorer, right click the START button and select "explore.")

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Õü¾ÈÓ²ÅÌ.txt


Ok, I've added another file for you to look for If you found the file, just right-click at the file and choose Delete and then click Ok when the confirmation box appears..

Then continue to the HijackThis step..

[wrecklesskane]

Dang I couldn't find these files anywhere using the Windows Explorer, there was a whole bunch of other files though, well I don't know if they were files or not, but I couldn't find these two anywhere, sorry

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Õü¾ÈÓ²ÅÌ.txt

[fenzodahl512]

Let see what's inside that folder first..


Please copy (Control+C) and paste (Control+V) the following code into the Notepad.

@echo off
dir "C:\Documents and Settings\Default User\Start Menu\Programs\Startup">C:\peek.txt
start C:\peek.txt
del peek.bat

Save it in Desktop as peek.bat and in Save as type: choose All Files

A new batch file (peek.bat) will then created on your desktop. Just double-click the file. A window will open and suddenly close, this is normal.

Please locate and post the content of C:\peek.txt in your next reply

If you do not sure how to make a batch file, please visit HERE for the tutorial.

[wrecklesskane]

Volume in drive C has no label.
Volume Serial Number is 2C4B-9F59

Directory of C:\Documents and Settings\Default User\Start Menu\Programs\Startup

03/29/2008 03:13p <DIR> .
03/29/2008 03:13p <DIR> ..
03/29/2008 03:13p 51 O�_EOý�I.txt
1 File(s) 51 bytes
2 Dir(s) 4,126,695,424 bytes free

[fenzodahl512]

Erm.. Now I can see it.. OK.. Lets do the following instead..

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  [kill explorer]
  C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt
  C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Õü¾ÈÓ²ÅÌ.txt
  EmptyTemp
  purity
  [start explorer]

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.




Please post the following logs in your next reply...

1. OTMoveIt2 log
2. MalwareBytes'
3. A fresh Deckard System Scanner log (after MalwareBytes' step)


Regards
fenzodahl512

[wrecklesskane]

OTMoveIt2 log, MalwareBytes', and a fresh Deckard System Scanner log (after MalwareBytes' step)









Explorer killed successfully
File/Folder C:\Documents and Settings\Default User\Start Menu\Programs\Startup\O�_EOý�I.txt not found.
File/Folder C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Õü¾ÈÓ²ÅÌ.txt not found.
< EmptyTemp >
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05302008_223510

Files moved on Reboot...
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cookies\index.dat moved successfully.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\History\History.IE5\index.dat moved successfully.
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.









Malwarebytes' Anti-Malware 1.14
Database version: 807

11:07:04 PM 5/30/2008
mbam-log-5-30-2008 (23-07-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 57789
Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINNT\system32\AlxRes.dll.vir (Adware.Alexabar) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINNT\system32\AlxTB1.dll.vir (Adware.Alexabar) -> Quarantined and deleted successfully.
C:\WINNT\system32\AlxRes.dll.bak (Adware.Alexabar) -> Quarantined and deleted successfully.
C:\WINNT\system32\svch0st.dll (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.










Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-30 23:11:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 254 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:11 PM, on 5/30/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 3702 bytes

-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-30 22:49:39 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-30 22:49:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 22:49:36 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 12:25:37 0 drahs---- C:\autorun.inf
2008-05-29 08:34:57 68096 --a------ C:\WINNT\zip.exe
2008-05-29 08:34:57 49152 --a------ C:\WINNT\VFind.exe
2008-05-29 08:34:57 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-29 08:34:57 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-29 08:34:57 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-29 08:34:57 98816 --a------ C:\WINNT\sed.exe
2008-05-29 08:34:57 80412 --a------ C:\WINNT\grep.exe
2008-05-29 08:34:57 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-26 04:18:30 0 d-------- C:\Program Files\Trend Micro
2008-05-26 03:43:26 86016 --a------ C:\WINNT\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-26 03:43:11 0 d-------- C:\Program Files\RegistryPatrol3.0
2008-05-19 00:48:20 20480 --a------ C:\WINNT\system32\SysRestore.dll <Not Verified; Ascentive LLC; prjSysRestore>
2008-05-19 00:48:19 208896 --a------ C:\WINNT\system32\ConTest.dll <Not Verified; Ascentive; ConnectionTester>
2008-05-17 21:53:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:44:25 0 d-------- C:\Program Files\Java
2008-05-05 01:12:59 0 d--h---c- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$


-- Find3M Report ---------------------------------------------------------------

2008-05-28 16:01:15 837030 ---h----- C:\WINNT\ShellIconCache
2008-05-23 23:07:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 03:10:23 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-28 05:16:01 1160 --a------ C:\WINNT\mozver.dat
2008-04-24 03:53:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-23 15:36:09 0 --a------ C:\WINNT\nsreg.dat
2008-04-23 15:36:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-03 01:28:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-03 01:27:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 18:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-02 18:11:35 0 d-------- C:\Program Files\Google
2008-04-01 23:54:35 0 d-------- C:\Program Files\Adaptec
2008-04-01 23:41:36 0 d-a------ C:\Program Files\Common Files
2008-03-29 15:13:54 1 ---h----- C:\Boots.sys
2008-03-26 08:45:59 1728512 --a------ C:\WINNT\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"Tweak UI"="TWEAKUI.CPL" [06/18/00 02:03p C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [11/21/06 12:05p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"FlashPlayerUpdate"=C:\WINNT\system32\Macromed\Flash\GetFlash.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoFileMenu"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=1 (0x1)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoStartBanner"=00000000
"NoFileUrl"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"DisallowRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFind"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"NoSetFolders"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoStartBanner"=00000000
"NoActiveDesktopChanges"=0 (0x0)
"NoFileUrl"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe
"4?"=icwconn1.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - MBAMCATCHME



-- End of Deckard's System Scanner: finished at 2008-05-30 23:11:42 ------------

[fenzodahl512]

Hello wrecklesskane, I have a good news for you.. Your logs look clean to my eyes.. :thumbup:


Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
  Please note that the space between x and / is needed
  
  

NEXT


Make sure you have an Internet Connection.

• Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Click on the CleanUp! button
• A list of tool components used in the Cleanup of malware will be downloaded.
• If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

NEXT


Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.





NEXT


I noticed that you already have MalwareBytes' Anti-Malware as your antispyware..


I haven't seen any antivirus in your logs.. Antivirus is extremely crucial as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus below:

• Avira AntiVir Personal
• Avast! 4 Home Edition
• PC Tools Antivirus

I also haven't seen any third-party firewall in your logs.. Do you have any? If you don't, please install ONLY ONE of these free and excellent firewal below:

• Comodo Firewall Pro
• PC Tools Firewall Plus
  After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.
  
  
  
  
  NEXT
  
  
  Please Install/Update Sun Java
  
  Updating Java:[list]
• Go to Start --> Control Panel --> Add or Remove Programs.
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
• It should have next icon next to it:
• Select it and click Remove. This will uninstall the previous (outdated) version of Java.
• Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6

NEXT


Let's clean your Restore Points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous Restore Points which are likely to be infected)
To create a new Restore Point.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore.
• Click Apply, and then click OK. This will flush your old System Restore.
• Then please UNCHECK the Turn off System Restore.
• Click again on Apply, and then click OK. This will create a new Restore Point

System Restore will now be active again




And now, to help protect your computer in the future I would like to recommend you these following free programs. Please do remember to use only ONE "Real-Time Protection" software for EACH Antivirus, AntiSpyware and Firewall.

• SpywareBlaster 4.0 to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Lastly, to keep your operating system up to date please visit the link below monthly

• Microsoft Windows Update

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512

Edited by fenzodahl512, 31 May 2008 - 03:50 AM.

[wrecklesskane]

Hey thanks for all your help fenzodahl512, but I have one more final problem, well there's a whole bunch of steps to install the Java Runtime Environment (JRE) 6 Update 6, and I really don't know what I'm doing. So I was wondering if you can help me out with that?

Edited by wrecklesskane, 31 May 2008 - 10:17 AM.

[fenzodahl512]

Ok..

First, please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 5

After that please restart your computer..



NEXT


Please go to this webpage, scroll down, and choose Java Runtime Environment (JRE) 6 Update 6

• click on the Download button.
• At Platform, Please choose Windows
• Tick on I agree to the Java SE Runtime Environment 6 License Agreement >> click on Continue
• At Required Files, Please go to Windows Offline Installation and click on jre-6u6-windows-i586-p.exe
• It will ask you to download a file. Just download that file and save it at your Desktop
• Just double-click the file that has been download and the installation process will continue. Please follow all the instruction given

Please let me know whether you have succeed to install it or not


Regards
fenzodahl512