
Author Topic: please help me fix this problem hijack this  (Read 23724 times)


evilfantasy

  • Malware Removal Specialist
  • Moderator
Re: please help me fix this problem hijack this
« Reply #15 on: July 26, 2008, 01:27:33 PM »
Quote:
Okay, it just started kicking me back again. This is driving me crazy.

OK, we will get there don't worry.

----------

Save this Disable/Remove Windows Messenger tool to the Desktop; it will remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the Desktop.

----------

Removing these will not do anything to the programs; it only stops them running at startup, which will improve your PC's performance. You can still use the programs, they just need to be launched from Start > All Programs.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
- O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
- O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
- O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
- O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
- O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Open Notepad again.

Copy the text in the Code box below into Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All Files".

Code:
REGEDIT4

; "name"=- deletes the named value. These are the HKLM Run entries checked in HijackThis above.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"QuickTime Task"=-
"RealTray"=-
"MediaFace Integration"=-
"HP Software Update"=-
"VerizonServicepoint.exe"=-

; HijackThis listed RoboForm under HKCU, not HKLM, so it has to be removed from the current user's Run key.
[HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run]
"RoboForm"=-

Once you have saved it, double-click it and allow it to merge with the Registry.

Now delete the fixME.reg file from the desktop.

----------

You will need to right-click AVG in the task bar (next to the clock) and turn it off for this scan.

Download Combofix by sUBs from one of the below links.

Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; Combofix should then continue.

  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
If needed, see this Combofix tutorial with screenshots, which details more thoroughly downloading and running Combofix and installing the Recovery Console.

Remember to re-enable your antivirus and antispyware protection.

----------

Next post, add:
Combofix log
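The HijackThis list and the fixME.reg file above are two views of the same startup entries: the O4 line names the hive (HKLM or HKCU), the Run subkey and the value name, and the .reg file deletes that value with "name"=-. The following Python script is an added example, not code from the post or from HijackThis; it parses the O4 lines quoted in this reply and generates the matching REGEDIT4 deletion file, keeping each value under the hive HijackThis reported it in (RoboForm is an HKCU entry) and listing Global Startup .lnk files separately, since those are files in the All Users Startup folder rather than registry values. The startup-folder paths are the Windows XP defaults and are an assumption of the example; only the All Users path appears in this thread's logs.

```python
import re
from collections import OrderedDict

# HijackThis O4 lines from the post above (copied from the page, not constructed).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

# O4 registry entries: "O4 - <hive>\..\<subkey>: [<value name>] <command line>"
O4_REGISTRY = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce|RunServices|RunServicesOnce): \[([^\]]+)\] (.*)$"
)
# O4 startup-folder entries: "O4 - Global Startup: <link>.lnk = <target>"
O4_STARTUP = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
# Windows XP startup-folder locations (assumed defaults; the All Users one appears in this thread's ComboFix log).
STARTUP_FOLDERS = {
    "Global Startup": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    "Startup": r"%USERPROFILE%\Start Menu\Programs\Startup",
}


def parse_o4(text):
    """Turn HijackThis O4 lines into dicts; lines that are not O4 entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # tolerate the "- " bullet used in the post
        m = O4_REGISTRY.match(line)
        if m:
            hive, subkey, name, command = m.groups()
            entries.append({
                "kind": "registry",
                "key": f"{HIVES[hive]}\\{RUN_BASE}\\{subkey}",
                "name": name,
                "command": command,
            })
            continue
        m = O4_STARTUP.match(line)
        if m:
            folder, link, target = m.groups()
            entries.append({"kind": "startup", "folder": folder, "name": link, "command": target})
    return entries


def reg_escape(s):
    """Escape a value name for a .reg file: backslash and double quote are special inside quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_delete_reg(entries):
    """Emit a REGEDIT4 file that deletes each registry entry ("name"=-) under its own hive and subkey."""
    by_key = OrderedDict()
    for e in entries:
        if e["kind"] == "registry":
            by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{reg_escape(n)}"=-' for n in names)
        lines.append("")
    return "\r\n".join(lines)  # regedit expects Windows line endings


def startup_links_to_delete(entries):
    """Startup-folder .lnk entries are files, not registry values: return their full paths instead."""
    return [STARTUP_FOLDERS[e["folder"]] + "\\" + e["name"] for e in entries if e["kind"] == "startup"]


if __name__ == "__main__":
    found = parse_o4(HJT_O4_LINES)
    print(build_delete_reg(found))
    for path in startup_links_to_delete(found):
        print("delete file:", path)
```

Run it and save the printed text as fixME.reg (ANSI encoding, "All Files"); the HKCU section it produces is the one the hand-written file above needs for RoboForm, and the Global Startup link is deleted by hand from the folder it prints.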

jennifer82777 (Topic Starter)

Re: please help me fix this problem hijack this
« Reply #16 on: July 26, 2008, 01:31:49 PM »
Click on "recommended download"? Or "click here to check for system problems"?

evilfantasy

Re: please help me fix this problem hijack this
« Reply #17 on: July 26, 2008, 01:36:31 PM »
Right under "Free Downloads From".

jennifer82777 (Topic Starter)

Combofix log
« Reply #18 on: July 26, 2008, 02:58:42 PM »
      ComboFix 08-07-26.1 - Owner 2008-07-26 16:37:41.1 - NTFSx86
      Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
       * Created a new restore point

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\Documents and Settings\Owner\Application Data\FunWebProducts
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\T4JVTZRP\interclick.com
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\T4JVTZRP\interclick.com\ud.sol
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\T4JVTZRP\www.broadcaster.com
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\T4JVTZRP\www.broadcaster.com\played_list.sol
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\T4JVTZRP\www.broadcaster.com\video_queue.sol
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
      C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
      C:\Program Files\Need2Find
      C:\Program Files\Need2Find\bar\History\search
      C:\WINDOWS\Fonts\acrsec.fon
      D:\Autorun.inf

      .
      (((((((((((((((((((((((((   Files Created from 2008-06-26 to 2008-07-26  )))))))))))))))))))))))))))))))
      .

      2008-07-26 14:42 . 2008-07-26 14:42   <DIR>   d--------   C:\Deckard
      2008-07-26 14:08 . 2008-07-26 14:08   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
      2008-07-26 14:07 . 2008-07-26 14:08   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
      2008-07-26 14:07 . 2008-07-26 14:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
      2008-07-26 14:07 . 2008-07-23 20:09   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
      2008-07-26 14:07 . 2008-07-23 20:09   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
      2008-07-26 10:24 . 2008-07-26 16:17   <DIR>   d--------   C:\sniper.exe
      2008-07-26 10:22 . 2008-07-26 10:22   <DIR>   d--------   C:\Program Files\Trend Micro
      2008-07-26 04:34 . 2008-07-26 12:04   <DIR>   d--h-----   C:\$AVG8.VAULT$
      2008-07-26 04:32 . 2008-07-26 15:43   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
      2008-07-26 04:32 . 2008-07-26 07:10   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
      2008-07-26 04:32 . 2008-07-26 04:32   97,928   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
      2008-07-26 04:32 . 2008-07-26 04:32   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
      2008-07-26 04:32 . 2008-07-26 04:32   12,936   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
      2008-07-26 04:32 . 2008-07-26 04:32   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
      2008-07-26 04:31 . 2008-07-26 04:31   <DIR>   d--------   C:\Program Files\AVG
      2008-07-26 04:31 . 2008-07-26 12:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
      2008-07-24 16:53 . 2007-08-10 12:56   303,104   --a------   C:\WINDOWS\system32\ciplListBar.ocx
      2008-07-24 16:53 . 2007-08-10 12:56   155,648   --a------   C:\WINDOWS\system32\ciplImageList.ocx
      2008-07-24 16:26 . 2008-07-24 16:26   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ascentive
      2008-07-24 16:09 . 2008-07-24 16:09   <DIR>   d--------   C:\Program Files\RegCure
      2008-07-24 03:40 . 2008-07-24 03:40   <DIR>   d--hs----   C:\found.000

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-07-26 17:22   ---------   d-----w   C:\Program Files\Winzy
      2008-07-26 17:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
      2008-07-26 17:21   ---------   d-----w   C:\Program Files\Java
      2008-07-26 16:59   ---------   d-----w   C:\Program Files\McAfee
      2008-07-26 16:56   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\McAfee.com
      2008-07-26 11:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WholeSecurity
      2008-07-26 08:27   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
      2008-07-26 08:27   ---------   d-----w   C:\Program Files\Ascentive
      2008-07-24 18:31   ---------   d-----w   C:\Program Files\LimeWire
      2008-07-24 18:29   ---------   d-----w   C:\Program Files\BigFix
      2008-07-19 18:19   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\WholeSecurity
      2008-07-18 00:54   4,724   -c--a-w   C:\Documents and Settings\Owner\Application Data\wklnhst.dat
      2008-07-16 03:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\WeatherBug
      2008-07-13 00:12   ---------   d--h--w   C:\Documents and Settings\Owner\Application Data\Move Networks
      2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
      2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
      2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
      2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
      2008-06-14 02:42   ---------   d-----w   C:\Program Files\Battle For Troy
      2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
      2008-06-02 07:29   ---------   d-----w   C:\Program Files\Disney
      2008-06-02 03:17   ---------   d-----w   C:\Program Files\AIM6
      2008-05-28 01:22   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
      2008-05-27 22:58   ---------   d-----w   C:\Program Files\Tencent
      2008-05-27 22:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL Downloads
      2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
      2008-04-29 17:14   208,896   ----a-w   C:\WINDOWS\system32\ConTest.dll
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
      "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 17:26 68856]
      "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
      "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
      "Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
      "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-05-18 21:10 169984]
      "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 21:44 139264]
      "eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-04-20 17:29 652528]
      "Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
      "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 04:32 1235736]
      "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 20:44 16120832 C:\WINDOWS\RTHDCPL.exe]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "OOBEDDDemise"="erase" [X]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "Power2GoExpress"="NA" [X]
      "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

      C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
      HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
      "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
      "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
      "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
      "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
      "C:\\Program Files\\AIM6\\aim6.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
      "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
      "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

      R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-26 04:32]
      R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 04:32]
      R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 04:32]
      R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-26 04:32]
      R3 PAC207;PC Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-29 13:30]
      S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-26 04:32]
      S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 09:58]
      S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
      \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2273231-e6d2-11da-8f08-806d6172696f}]
      \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
      .
      Contents of the 'Scheduled Tasks' folder
      2008-07-26 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
      2008-07-24 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
      2008-07-13 C:\WINDOWS\Tasks\rpc.job - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
      .
      - - - - ORPHANS REMOVED - - - -

      HKCU-Run-Power2GoExpress - (no file)
      HKCU-Run-Aim6 - (no file)
      HKLM-Run-NetscapeClient - (no file)


      .
      ------- Supplementary Scan -------
      .
      R0 -: HKCU-Main,Start Page = hxxp://www.armstrongmywire.com/index.php
      R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
      R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
      O8 -: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
      O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O8 -: eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
      O8 -: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
      O8 -: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
      O8 -: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html


      **************************************************************************

      catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-07-26 16:44:12
      Windows 5.1.2600 Service Pack 2 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
        OOBEDDDemise = cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe??????????????????????C?w?????????????????????????e??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      ------------------------ Other Running Processes ------------------------
      .
      C:\WINDOWS\system32\ati2evxx.exe
      C:\WINDOWS\system32\ati2evxx.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
      C:\WINDOWS\system32\wdfmgr.exe
      C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
      C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
      C:\PROGRA~1\AVG\AVG8\avgam.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\PROGRA~1\AVG\AVG8\avgnsx.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
      C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
      .
      **************************************************************************
      .
      Completion time: 2008-07-26 16:55:49 - machine was rebooted
      ComboFix-quarantined-files.txt  2008-07-26 20:55:02

      Pre-Run: 58,438,258,688 bytes free
      Post-Run: 58,396,581,888 bytes free

      196   --- E O F ---   2008-07-25 00:46:52

evilfantasy

Re: please help me fix this problem hijack this
« Reply #19 on: July 26, 2008, 03:20:22 PM »
Delete these files/folders, as follows:

1. Go to Start > Run, type notepad.exe in the Run box and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the code box below by highlighting all the text and pressing Ctrl+C.

Code:
      KillAll::

      File::
      C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "OOBEDDDemise"=-

      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to freeze.
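The CFScript in this reply was written by reading the log in reply #18: the RunOnce value "OOBEDDDemise"="erase" is marked [X] (ComboFix's marker for a value whose target file does not exist), and the scheduled task rpc.job points at RegPowerClean.exe with an empty [] where ComboFix normally prints the target's timestamp. The following Python script is an added example, not part of the thread and not ComboFix's own code; it parses those three signals out of the "Reg Loading Points", "Scheduled Tasks" and "ORPHANS REMOVED" sections of the log quoted above and drafts a CFScript using the KillAll::, File:: and Registry:: sections shown in this reply. Two points are assumptions of the example: that an empty [] on a task line means ComboFix recorded no file details for the target, and that a .job file listed under File:: is deleted like any other file. The output is a candidate list for a human to check, not an automatic fix; note that it also flags "Power2GoExpress"="NA" [X] under HKEY_USERS\.DEFAULT, which the posted script did not touch.

```python
import re

# Excerpt of the ComboFix log posted above (lines copied from the page, not constructed).
COMBOFIX_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

Contents of the 'Scheduled Tasks' folder
2008-07-26 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
2008-07-13 C:\WINDOWS\Tasks\rpc.job - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-NetscapeClient - (no file)
"""

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "name"="data" [details]: ComboFix prints the target's date, time and size, or [X] when the file is missing
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*?)\s*\[(.*?)\]$')
# <date> <job path> - <target> [details]: assumed here that an empty [] means no file details were recorded
TASK_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} (\S.*?\.job) - (.*?) \[(.*?)\]$")
ORPHAN_LINE = re.compile(r"^(HKLM|HKCU)-(\w+)-(.+?) - \(no file\)$")


def triage(log_text):
    """Return the autostart entries in a ComboFix log whose target file cannot be accounted for."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            name, data, details = m.groups()
            if details == "X":
                findings.append({"type": "missing-target", "key": current_key, "name": name, "data": data})
            continue
        m = TASK_LINE.match(line)
        if m:
            job, target, details = m.groups()
            if details == "":
                findings.append({"type": "task-unverified", "job": job, "target": target})
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            hive, subkey, name = m.groups()
            findings.append({"type": "orphan-removed", "hive": hive, "subkey": subkey, "name": name})
    return findings


def build_cfscript(findings):
    """Draft a CFScript (KillAll::/File::/Registry::, the sections used in reply #19) from the findings.

    Entries ComboFix already removed ("orphan-removed") need no action and are left out.
    """
    files = []
    for f in findings:
        if f["type"] == "task-unverified":
            files += [f["target"], f["job"]]  # the .job file too, so the task cannot relaunch the target
    registry = {}
    for f in findings:
        if f["type"] == "missing-target":
            registry.setdefault(f["key"], []).append(f["name"])
    out = ["KillAll::", ""]
    if files:
        out += ["File::"] + files + [""]
    if registry:
        out.append("Registry::")
        for key, names in registry.items():
            out.append(f"[{key}]")
            out += [f'"{n}"=-' for n in names]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for f in triage(COMBOFIX_LOG):
        print(f)
    print(build_cfscript(triage(COMBOFIX_LOG)))
```

Review every line it emits against the log before saving it as CFScript.txt: a [X] only says the path in the value could not be found, and a legitimate program with an unusual command line can produce the same marker.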

jennifer82777 (Topic Starter)

Combofix.txt
« Reply #20 on: July 26, 2008, 03:47:45 PM »
        ComboFix 08-07-26.1 - Owner 2008-07-26 17:26:14.2 - NTFSx86
        Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
         * Created a new restore point

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

        FILE ::
        C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
        .

        (((((((((((((((((((((((((   Files Created from 2008-06-26 to 2008-07-26  )))))))))))))))))))))))))))))))
        .

        2008-07-26 14:42 . 2008-07-26 14:42   <DIR>   d--------   C:\Deckard
        2008-07-26 14:08 . 2008-07-26 14:08   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Malwarebytes
        2008-07-26 14:07 . 2008-07-26 14:08   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
        2008-07-26 14:07 . 2008-07-26 14:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
        2008-07-26 14:07 . 2008-07-23 20:09   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
        2008-07-26 14:07 . 2008-07-23 20:09   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
        2008-07-26 10:24 . 2008-07-26 16:17   <DIR>   d--------   C:\sniper.exe
        2008-07-26 10:22 . 2008-07-26 10:22   <DIR>   d--------   C:\Program Files\Trend Micro
        2008-07-26 04:34 . 2008-07-26 12:04   <DIR>   d--h-----   C:\$AVG8.VAULT$
        2008-07-26 04:32 . 2008-07-26 15:43   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
        2008-07-26 04:32 . 2008-07-26 07:10   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
        2008-07-26 04:32 . 2008-07-26 04:32   97,928   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
        2008-07-26 04:32 . 2008-07-26 04:32   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
        2008-07-26 04:32 . 2008-07-26 04:32   12,936   --a------   C:\WINDOWS\system32\drivers\avgrkx86.sys
        2008-07-26 04:32 . 2008-07-26 04:32   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
        2008-07-26 04:31 . 2008-07-26 04:31   <DIR>   d--------   C:\Program Files\AVG
        2008-07-26 04:31 . 2008-07-26 12:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
        2008-07-24 16:53 . 2007-08-10 12:56   303,104   --a------   C:\WINDOWS\system32\ciplListBar.ocx
        2008-07-24 16:53 . 2007-08-10 12:56   155,648   --a------   C:\WINDOWS\system32\ciplImageList.ocx
        2008-07-24 16:26 . 2008-07-24 16:26   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\Ascentive
        2008-07-24 16:09 . 2008-07-24 16:09   <DIR>   d--------   C:\Program Files\RegCure
        2008-07-24 03:40 . 2008-07-24 03:40   <DIR>   d--hs----   C:\found.000

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-07-26 17:22   ---------   d-----w   C:\Program Files\Winzy
        2008-07-26 17:22   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
        2008-07-26 17:21   ---------   d-----w   C:\Program Files\Java
        2008-07-26 16:59   ---------   d-----w   C:\Program Files\McAfee
        2008-07-26 16:56   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\McAfee.com
        2008-07-26 11:10   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\WholeSecurity
        2008-07-26 08:27   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
        2008-07-26 08:27   ---------   d-----w   C:\Program Files\Ascentive
        2008-07-24 18:31   ---------   d-----w   C:\Program Files\LimeWire
        2008-07-24 18:29   ---------   d-----w   C:\Program Files\BigFix
        2008-07-19 18:19   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\WholeSecurity
        2008-07-18 00:54   4,724   -c--a-w   C:\Documents and Settings\Owner\Application Data\wklnhst.dat
        2008-07-16 03:45   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\WeatherBug
        2008-07-13 00:12   ---------   d--h--w   C:\Documents and Settings\Owner\Application Data\Move Networks
        2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
        2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
        2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
        2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
        2008-06-14 02:42   ---------   d-----w   C:\Program Files\Battle For Troy
        2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\drivers\bthport.sys
        2008-06-02 07:29   ---------   d-----w   C:\Program Files\Disney
        2008-06-02 03:17   ---------   d-----w   C:\Program Files\AIM6
        2008-05-28 01:22   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\QQ Games Plugin
        2008-05-27 22:58   ---------   d-----w   C:\Program Files\Tencent
        2008-05-27 22:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AOL Downloads
        2008-05-07 05:18   1,287,680   ----a-w   C:\WINDOWS\system32\quartz.dll
        2008-04-29 17:14   208,896   ----a-w   C:\WINDOWS\system32\ConTest.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 17:26 68856]
        "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
        "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
        "Performance Center"="C:\Program Files\Ascentive\Performance Center\ApcMain.exe" [2008-03-13 17:35 3239936]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
        "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-05-18 21:10 169984]
        "readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 21:44 139264]
        "eBayToolbar"="C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2008-04-20 17:29 652528]
        "Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 11:01 319488]
        "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-26 04:32 1235736]
        "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 20:44 16120832 C:\WINDOWS\RTHDCPL.exe]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
        "OOBEDDDemise"="erase" [X]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "Power2GoExpress"="NA" [X]
        "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]

        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
        "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
        "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
        "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
        "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
        "C:\\Program Files\\AIM6\\aim6.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
        "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

        R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-26 04:32]
        R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-26 04:32]
        R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-26 04:32]
        R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-26 04:32]
        R3 PAC207;PC Camera;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-29 13:30]
        S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-26 04:32]
        S2 W55U01;WINBOND W55U01 USB;C:\WINDOWS\system32\Drivers\W55U01.sys [2005-08-12 09:58]
        S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 16:12]

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
        \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2273231-e6d2-11da-8f08-806d6172696f}]
        \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
        .
        Contents of the 'Scheduled Tasks' folder
        2008-07-26 C:\WINDOWS\Tasks\RegCure Program Check.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
        2008-07-24 C:\WINDOWS\Tasks\RegCure.job - C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]
        2008-07-13 C:\WINDOWS\Tasks\rpc.job - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []
        .
        **************************************************************************

        catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-07-26 17:32:29
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
          OOBEDDDemise = cmd /x /c erase C:\WINDOWS\System32\oobe\msoobe.exe??????????????????????C?w?????????????????????????e??????????????i?wis???????????H???????????????????????????*&?|l????&?|??-w????????????????????????????????????????????????????`??????????????|?&?|?????&?|B%?|???????????????????|?$?|??????-wC

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        ------------------------ Other Running Processes ------------------------
        .
        C:\WINDOWS\system32\ati2evxx.exe
        C:\WINDOWS\system32\ati2evxx.exe
        C:\WINDOWS\system32\HPZipm12.exe
        C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
        C:\WINDOWS\system32\wdfmgr.exe
        C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
        C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
        C:\PROGRA~1\AVG\AVG8\avgam.exe
        C:\PROGRA~1\AVG\AVG8\avgrsx.exe
        C:\PROGRA~1\AVG\AVG8\avgnsx.exe
        C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
        C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
        .
        **************************************************************************
        .
        Completion time: 2008-07-26 17:45:23 - machine was rebooted
        ComboFix-quarantined-files.txt  2008-07-26 21:44:32
        ComboFix2.txt  2008-07-26 20:55:51

        Pre-Run: 58,384,715,776 bytes free
        Post-Run: 58,375,356,416 bytes free

        167   --- E O F ---   2008-07-25 00:46:52
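The RunOnce value and the MountPoints2 AutoRun commands in the log above are exactly the entries a responder wants pulled out of a ComboFix log automatically rather than read by eye. The following is an added example written for this thread, not code from ComboFix, catchme, OTMoveIt2 or anyone posting here: it parses a constructed sample modelled on the log (the binary junk catchme printed after msoobe.exe is represented by control characters) and flags the two patterns shown, a drive AutoRun handler launching an executable through ShellExec_RunDLL and a RunOnce value that uses cmd.exe to erase a file under System32. The section markers and regular expressions are my assumptions about the log layout, not a specification of the tool's format.

```python
"""Triage helper for the autostart sections of a ComboFix log.

Added example for this thread; not code from ComboFix, catchme or OTMoveIt2.
It parses (1) MountPoints2 '\\Shell\\AutoRun\\command' lines and (2) catchme's
'hidden autostart entries' section and flags the traits seen in the thread's log.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the log in this thread (not the original text).
# The binary junk catchme printed after msoobe.exe is stood in for by control
# characters; \x01, \x1b and \xff are not line separators for str.splitlines().
SAMPLE_LOG = (
    "[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\D]\n"
    "\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,"
    "ShellExec_RunDLL Info.exe folder.htt 480 480\n"
    "\n"
    "scanning hidden autostart entries ...\n"
    "\n"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n"
    "  OOBEDDDemise = cmd /x /c erase C:\\WINDOWS\\System32\\oobe\\msoobe.exe\x01\x1b\xff\n"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "  HP Software Update = C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\n"
    "\n"
    "scanning hidden files ...\n"
)


@dataclass
class Finding:
    location: str                      # registry key, plus value name where there is one
    command: str
    flags: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


MOUNTPOINT_RE = re.compile(r'^\[(?P<key>HKEY_[A-Z_]+\\.*\\mountpoints2\\[^\]]+)\]$', re.I)
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$', re.I)
HIVE_KEY_RE = re.compile(r'^(?:HKLM|HKCU|HKEY_[A-Z_]+)\\\S+$', re.I)
VALUE_RE = re.compile(r'^\s+(?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$')
SHELLEXEC_RE = re.compile(r'ShellExec_RunDLL\s+\S+\.(?:exe|com|bat|cmd|scr|pif)\b', re.I)
DELETE_RE = re.compile(r'\bcmd(?:\.exe)?\b.*?/c\s+(?:erase|del|rd|rmdir)\s+(?P<target>\S+)', re.I)
SYSTEM_DIR_RE = re.compile(r'\\WINDOWS\\System32\\', re.I)


def _flag(finding: Finding, key: str) -> Finding:
    """Attach a human-readable flag for each suspicious trait of the command."""
    cmd = finding.command
    if SHELLEXEC_RE.search(cmd):
        finding.flags.append('drive AutoRun launches an executable via ShellExec_RunDLL')
    m = DELETE_RE.search(cmd)
    if m:
        finding.flags.append('cmd.exe erases a file')
        if SYSTEM_DIR_RE.search(m['target']):
            finding.flags.append('deletion target is under the Windows system directory')
    if any((ord(c) < 32 or ord(c) > 126) and c != '\t' for c in cmd):
        finding.flags.append('non-printable data after the command')
    if finding.flags and key.lower().endswith('runonce'):
        finding.flags.append('RunOnce value: executes once at next logon, then removes itself')
    return finding


def triage(log: str) -> List[Finding]:
    """Return one Finding per AutoRun command and per hidden Run/RunOnce value."""
    findings: List[Finding] = []
    current_key = None          # key of the hidden-autostart block being read
    mountpoint = None           # MountPoints2 key awaiting its AutoRun command line
    in_hidden = False           # inside 'scanning hidden autostart entries'
    for line in log.splitlines():
        stripped = line.strip()
        m = MOUNTPOINT_RE.match(stripped)
        if m:
            mountpoint = m['key']
            continue
        m = AUTORUN_RE.match(stripped)
        if m and mountpoint:
            findings.append(_flag(Finding(mountpoint + r'\Shell\AutoRun\command', m['cmd']), mountpoint))
            mountpoint = None
            continue
        low = stripped.lower()
        if low.startswith('scanning hidden autostart'):
            in_hidden = True
            continue
        if low.startswith('scanning hidden files'):
            in_hidden = False
            continue
        if not in_hidden:
            continue
        if not line[:1].isspace() and HIVE_KEY_RE.match(stripped):
            current_key = stripped
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            findings.append(_flag(Finding(f"{current_key} -> {m['name']}", m['cmd']), current_key))
    return findings


def suspicious_entries(log: str) -> List[Finding]:
    """Only the findings that carry at least one flag."""
    return [f for f in triage(log) if f.suspicious]


if __name__ == '__main__':
    for f in suspicious_entries(SAMPLE_LOG):
        print(f.location, '->', '; '.join(f.flags))
```

Run against the constructed sample, the script reports the AutoRun handler for drive D and the OOBEDDDemise value and stays silent on the HP updater entry. The RunOnce note matters for the OTMoveIt2 step that follows in the thread: a RunOnce value is removed by Windows once it has executed, so a clean-up script that targets it after a reboot can legitimately report it as not found.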

        evilfantasy

        Re: please help me fix this problem hijack this
        « Reply #21 on: July 26, 2008, 04:05:39 PM »
          That didn't work for some reason.

        Download OTMoveIt2 by OldTimer
        • Save it to your desktop.
        Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

        • Double-click OTMoveIt2.exe to run it.
        • Copy the lines in the codebox below.
        Code:
        [kill explorer]
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OOBEDDDemise
        C:\WINDOWS\Tasks\rpc.job
        C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
        EmptyTemp
        [start explorer]
        • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
        • Click the red Moveit! button.
        • Copy everything in the Results window (under the green bar) and paste it in your next reply.
        • Close OTMoveIt2

        jennifer82777

          Re: please help me fix this problem hijack this
          « Reply #22 on: July 26, 2008, 04:08:17 PM »
          Explorer killed successfully
          < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OOBEDDDemise >
          Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OOBEDDDemise\\ not found.
          C:\WINDOWS\Tasks\rpc.job moved successfully.
          File/Folder C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe not found.
          < EmptyTemp >
          File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_HYZr3WpohFwk166U45KW scheduled to be deleted on reboot.
          File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF4343.tmp scheduled to be deleted on reboot.
          File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF8DD7.tmp scheduled to be deleted on reboot.
          Temp folders emptied.
          IE temp folders emptied.
          Explorer started successfully
           
          OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07262008_180750

          evilfantasy

          Re: please help me fix this problem hijack this
          « Reply #23 on: July 26, 2008, 04:12:10 PM »
          Sorry, but we are actually making progress; it's this OOBEDDDemise that is being stubborn!

          • Double-click OTMoveIt2.exe to run it.
          • Copy the lines in the codebox below.
          Code:
          [kill explorer]
          C:\WINDOWS\System32\oobe\msoobe.exe
          EmptyTemp
          [start explorer]
          • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
          • Click the red Moveit! button.
          • Copy everything in the Results window (under the green bar) and paste it in your next reply.
          • Close OTMoveIt2

          jennifer82777

            Re: please help me fix this problem hijack this
            « Reply #24 on: July 26, 2008, 04:14:03 PM »
            Explorer killed successfully
            C:\WINDOWS\System32\oobe\msoobe.exe moved successfully.
            < EmptyTemp >
            File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_HYZr3WpohFwk166U45KW scheduled to be deleted on reboot.
            File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF4343.tmp scheduled to be deleted on reboot.
            File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF8DD7.tmp scheduled to be deleted on reboot.
            Temp folders emptied.
            IE temp folders emptied.
            Explorer started successfully
             
            OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07262008_181348

            evilfantasy

            Re: please help me fix this problem hijack this
            « Reply #25 on: July 26, 2008, 04:18:23 PM »
            Finally!

            Go to My Computer->Tools->Folder Options->View tab:
            • Under the Hidden files and folders heading:
            • Select Show hidden files and folders.
            • Uncheck Hide protected operating system files (recommended) option.
            • Also, make sure there is no checkmark beside Hide file extensions for known file types.
            • Click OK
            .
            ----------

            Now delete this entire folder (highlighted in blue)

            C:\WINDOWS\System32\oobe

            Let me know when it is deleted.

            jennifer82777

              Re: please help me fix this problem hijack this
              « Reply #26 on: July 26, 2008, 04:22:49 PM »
              There is no folder highlighted in blue.

              evilfantasy

              Re: please help me fix this problem hijack this
              « Reply #27 on: July 26, 2008, 04:24:30 PM »
              It's not going to be highlighted on your PC. I just want to make sure you don't try to delete the WINDOWS or System32 folders; just look for the oobe folder and delete it.

              jennifer82777

                Re: please help me fix this problem hijack this
                « Reply #28 on: July 26, 2008, 04:31:31 PM »
                Okay, I found 20 when I searched for files and folders. Which one am I supposed to get rid of?

                evilfantasy

                Re: please help me fix this problem hijack this
                « Reply #29 on: July 26, 2008, 04:36:07 PM »
                That doesn't sound right. Let's do it this way.

                Now download The Avenger by Swandog46 and save it to your Desktop.
                • Extract avenger.exe from the Zip file and save it to your desktop
                • Run avenger.exe by double-clicking on it.
                • Do not change any check box options!!
                • Copy everything in the Code box below, and paste it into the Input script here window:
                Code:
                Comment:

                Folders to delete:
                C:\WINDOWS\System32\oobe


                Note: the above instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system


                • Now click the Execute button.
                • Click Yes to the prompt to confirm you want to execute.
                • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
                • Your PC should reboot; if not, reboot it yourself.
                • A log file from Avenger will be produced at C:\avenger.txt, and it will pop up for you to view when you log in after the reboot.
                • Add the Avenger log in your next post.