Author Topic: icons and task bar are gone, can't right click on desktop...windows infected (Read 20643 times)

nikis360 · « **on:** September 10, 2008, 11:26:45 AM »

After scanning with Avast, desktop icons and toolbar are gone, can't right click on desktop.
Spybot is uninstalled
I could not remove AV program F-secure

Avast found win32:patched-CK [trj] in files
C:\windows\explorer.exe
C:\windows\system32\lsass.exe
C:\windows\system32\services.exe
C:\windows\system32\svchost.exe
C:\windows\system32\winlogon.exe

Avast could not delete, move, or repair these read only files
I removed any suspicious looking programs from add or remove window
I've ran ccleaner
here is my SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/10/2008 at 11:59 AM
Application Version : 4.21.1004
Core Rules Database Version : 3561
Trace Rules Database Version: 1549

Scan type : Complete Scan
Total Scan Time : 01:21:18

My Malware log
Malwarebytes' Anti-Malware 1.28
Database version: 1136
Windows 5.1.2600 Service Pack 2

9/10/2008 12:24:37 PM
mbam-log-2008-09-10 (12-24-37).txt

Scan type: Quick Scan
Objects scanned: 51383
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Run.0xe (Rogue.Installer) -> Quarantined and deleted successfully.

installed java latest version, and removed old versions
ran ccleaner again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:11, on 9/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {04701661-9209-4856-8E64-2D57E49D73F4} - (no file)
O2 - BHO: (no name) - {6E0C8AEE-86B0-4CC2-9152-29A76B7ECFED} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O16 - DPF: {068BFA33-99F4-4BA9-887D-182386FA2931} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/spongebobdash/SpongeBobDinerDashWeb.1.0.0.17.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6262E38D-C782-4403-A333-8E1AB70E0CAC} (CPlayFirstWeddingDasControl Object) - http://download.playfirst.com/play/game/weddingdash2/WeddingDash2Web.1.0.0.10.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.playfirst.com/play/game/dinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://download.playfirst.com/play/game/doggiedash/DoggieDash.1.0.0.9.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.playfirst.com/play/game/dinerdashfloonthego/ddfotg.1.0.0.32.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} (CPlayFirstPetShopHopControl Object) - http://download.playfirst.com/play/game/petshophop/petshophopweb.1.0.0.15.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/dinerdash/DinerDash.1.0.0.93.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64350433-0B8C-4430-B41F-01651DBC4E13}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXRKARK - C:\WINDOWS\
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (googledesktopmanager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: MHN - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe

--
End of file - 15464 bytes

HP
operating system is windows xp media center edition
version 5.1
service pack2

Any help is greatly appreciated. This is my first time ever posting anything, so forgive me if I make any mistakes. I hope I've provided all the information needed
Thanks

evilfantasy · « **Reply #1 on:** September 10, 2008, 12:25:46 PM »

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {04701661-9209-4856-8E64-2D57E49D73F4} - (no file)
- O2 - BHO: (no name) - {6E0C8AEE-86B0-4CC2-9152-29A76B7ECFED} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

nikis360 · « **Reply #2 on:** September 10, 2008, 01:25:25 PM »

Hi, I am can't disable my avast antivirus or spyware programs from the because I do not have a system tray. What other way can I disable these programs or should I just uninstall them.

evilfantasy · « **Reply #3 on:** September 10, 2008, 01:36:12 PM »

Just run ComboFix. If your AV tries to stop it then just allow it to continue.

nikis360 · « **Reply #4 on:** September 10, 2008, 02:12:15 PM »

ComboFix 08-09-05.14 - HP_Administrator 2008-09-10 15:50:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1529 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 13:09 . 2008-09-10 13:09   <DIR>   d--------   C:\Program Files\Trend Micro
2008-09-10 12:14 . 2008-09-10 12:21   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-09-10 12:14 . 2008-09-10 00:04   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-10 12:14 . 2008-09-10 00:03   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-10 03:43 . 2008-09-10 03:43   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-09-10 03:43 . 2008-09-10 03:43   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-10 03:43 . 2008-09-10 03:43   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-09-10 03:43 . 2008-09-10 03:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-08 14:38 . 2008-09-08 14:38   <DIR>   d--------   C:\Program Files\Alwil Software
2008-08-17 00:45 . 2008-09-01 18:17   <DIR>   d--------   C:\WINDOWS\system32\CatRoot_bak
2008-08-14 03:02 . 2008-08-14 03:02   146   --a------   C:\WINDOWS\system32\MRT.INI
2008-08-12 12:40 . 2008-08-12 12:40   0   --a------   C:\WINDOWS\nsreg.dat
2008-08-12 09:30 . 2007-09-06 00:22   289,144   --a------   C:\WINDOWS\system32\VCCLSID.exe
2008-08-12 09:30 . 2006-04-27 17:49   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2008-08-12 09:30 . 2008-05-29 09:35   86,528   --a------   C:\WINDOWS\system32\VACFix.exe
2008-08-12 09:30 . 2008-05-18 21:40   82,944   --a------   C:\WINDOWS\system32\IEDFix.exe
2008-08-12 09:30 . 2008-08-11 18:07   82,432   --a------   C:\WINDOWS\system32\IEDFix.C.exe
2008-08-12 09:30 . 2008-08-09 15:37   82,432   --a------   C:\WINDOWS\system32\404Fix.exe
2008-08-12 09:30 . 2003-06-05 21:13   53,248   --a------   C:\WINDOWS\system32\Process.exe
2008-08-12 09:30 . 2004-07-31 18:50   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
2008-08-12 09:30 . 2007-10-04 00:36   25,600   --a------   C:\WINDOWS\system32\WS2Fix.exe
2008-08-12 09:30 . 2008-08-12 09:30   6,248   --a------   C:\WINDOWS\system32\tmp.reg
2008-08-12 09:17 . 2008-08-12 09:17   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-08-12 09:17 . 2008-08-12 09:17   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-10 19:36 . 2008-08-10 20:58   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\.housecall6.6
2008-08-10 17:43 . 2008-08-10 17:43   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-10 17:23 . 2008-08-10 17:23   <DIR>   d--------   C:\Program Files\CCleaner
2008-08-10 15:50 . 2008-08-10 19:25   <DIR>   d--------   C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 16:55   ---------   d-----w   C:\Program Files\Java
2008-09-10 07:33   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-09-10 07:33   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-10 06:48   ---------   d-----w   C:\Program Files\F-Secure Internet Security
2008-09-10 05:00   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-09-10 05:00   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-07 04:01   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\Azureus
2008-09-07 01:20   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\Vso
2008-09-03 20:21   942   ----a-w   C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-08-14 19:54   ---------   d-----w   C:\Program Files\Azureus
2008-08-10 19:31   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 04:15   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-08-08 23:57   ---------   d-----w   C:\Program Files\Windows Live Safety Center
2008-08-08 00:25   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\fssg
2008-08-05 20:21   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\ESET
2008-08-01 07:59   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\Alien Skin
2008-07-31 22:49   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-31 21:45   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-07-31 21:45   ---------   d-----w   C:\Program Files\Bonjour
2008-07-31 21:40   ---------   d-----w   C:\Program Files\Common Files\Macrovision Shared
2008-07-30 04:37   ---------   d-----w   C:\Program Files\Alien Skin
2008-07-28 21:53   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-07-24 19:59   ---------   d-----w   C:\Program Files\LimeWire
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10   53,448   ----a-w   C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
2008-07-19 02:10   36,552   ----a-w   C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09   563,912   ----a-w   C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09   325,832   ----a-w   C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09   205,000   ----a-w   C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09   1,811,656   ----a-w   C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-14 14:13   ---------   d-----w   C:\Program Files\Belltech Greeting Card Designer
2008-07-14 05:03   ---------   d-----w   C:\Program Files\Jasc Software Inc
2008-07-14 05:03   ---------   d-----w   C:\Program Files\Common Files\Jasc Software Inc
2008-07-14 05:03   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\Jasc Software Inc
2008-07-10 22:25   ---------   d-----w   C:\Program Files\The Rosetta Stone
2008-07-10 19:08   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-07-07 20:32   253,952   ----a-w   C:\WINDOWS\system32\es.dll
2008-07-07 20:32   253,952   ----a-w   C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 22:12   295,936   ----a-w   C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:23   74,240   ----a-w   C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23   74,240   ----a-w   C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 14:57   3,592,192   ----a-w   C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20   70,656   ----a-w   C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20   625,664   ----a-w   C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20   13,824   ------w   C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23   161,792   ----a-w   C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41   245,248   ----a-w   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41   148,992   ----a-w   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45   360,320   ----a-w   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44   138,368   ----a-w   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52   225,920   ----a-w   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10   272,128   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2007-02-18 04:29   87,608   -c--a-w   C:\Documents and Settings\HP_Administrator\Application Data\ezpinst.exe
2007-02-18 04:29   47,360   -c--a-w   C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2007-11-10 17:12   12,208   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2008-04-13 20:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
md5deep:   C:\WINDOWS\system32\svchost.exe: Permission denied

2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
md5deep:   C:\WINDOWS\system32\winlogon.exe: Permission denied

2007-06-13 06:23 1035776 3cbffa7fb9031c04892e67547965add3   C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658   C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-09 17:00 1032192 a0732187050030ae399b241436565e64   C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-13 20:12 1033728 12896823fb95bfb3dc9b46bcaedc9923   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

2008-04-13 20:12 108544 0e776ed5f7cc9f94299e70461b7b8185   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
md5deep:   C:\WINDOWS\system32\services.exe: Permission denied

2008-04-13 20:12 13312 bf2466b3e18e970d8a976fb95fc1ca85   C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
md5deep:   C:\WINDOWS\system32\lsass.exe: Permission denied
.
((((((((((((((((((((((((((((( snapshot@2008-09-09_19.53.40.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 07:43:47   18,944   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-10 07:43:47   65,024   ----a-r   C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-02-22 06:23:35   135,168   ----a-w   C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01   135,168   ----a-w   C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04   135,168   ----a-w   C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34   139,264   ----a-w   C:\WINDOWS\system32\javaws.exe
- 2008-08-05 15:11:02   15,888,504   ----a-w   C:\WINDOWS\system32\MRT.exe
+ 2008-08-26 20:28:12   16,208,504   ----a-w   C:\WINDOWS\system32\MRT.exe
+ 2008-09-10 14:32:41   16,384   ------w   C:\WINDOWS\temp\Perflib_Perfdata_678.dat
+ 2008-04-15 17:54:19   1,724,416   ----a-w   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 147456]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-07-21 7634944]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-09 180269]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-21 29744]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ftutil2"="ftutil2.dll" [2004-06-07 C:\WINDOWS\system32\ftutil2.dll]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-10-31 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-09-09 36903]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRKARK]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49155:TCP"= 49155:TCP:azureus
"50500:UDP"= 50500:UDP:azureus

R1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-07-19 78416]
R2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2004-08-09 3584]
S2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [ ]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 82048]
S3 googledesktopmanager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;C:\WINDOWS\system32\DRIVERS\wn5301.sys [2005-10-05 468768]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ek9jxv36.default\
FF -: plugin - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 15:52:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

-> C:\WINDOWS\system32\winlogon.exe

-> C:\WINDOWS\system32\lsass.exe
.
Completion time: 2008-09-10 15:56:34
ComboFix-quarantined-files.txt 2008-09-10 19:56:17
ComboFix2.txt 2008-09-09 23:54:09

Pre-Run: 41,131,601,920 bytes free
Post-Run: 41,116,717,056 bytes free

228   --- E O F ---   2008-09-10 07:01:55

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #5 on:** September 10, 2008, 02:15:59 PM »

Download OTMoveIt2 by OldTimer

Save it to your desktop.

Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.

Double-click OTMoveIt2.exe to run it.
Copy the lines in the codebox below.

[/list]

Code: [Select]

[kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRKARK
EmptyTemp
[start explorer]

Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) and paste it in your next reply.
Close OTMoveIt2

.
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

How is everything now?

nikis360 · « **Reply #6 on:** September 10, 2008, 02:28:54 PM »

No change yet,

Unable to kill explorer.exe
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRKARK >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXRKARK\\ deleted successfully.
< EmptyTemp >
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_ohQX08kXLRyEGMgdoA0R scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_678.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Unable to start explorer.exe

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09102008_161809

evilfantasy · « **Reply #7 on:** September 10, 2008, 03:03:22 PM »

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply.

nikis360 · « **Reply #8 on:** September 10, 2008, 03:44:44 PM »

: When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

nothing happened after the pc restarted, should I repeat the steps?

evilfantasy · « **Reply #9 on:** September 10, 2008, 04:14:58 PM »

Go to C:\Report.txt to get the log.

nikis360 · « **Reply #10 on:** September 10, 2008, 05:05:42 PM »

Quote from: evilfantasy on September 10, 2008, 04:14:58 PM

Go to C:\Report.txt to get the log.

I can't find C:\Report.txt though the task manager, not even by browsing

evilfantasy · « **Reply #11 on:** September 10, 2008, 05:23:40 PM »

Try going to Start > Run and type C:\Report.txt then click OK.

nikis360 · « **Reply #12 on:** September 10, 2008, 05:45:27 PM »

I found it while safemode in the Sd folder and dragged it my desktop and rebooted. that was the only way I could see the file.

The only thing I can do from my desktop is open the task manager. I can't go to start and I don't have a task bar or system tray.

Here is the report.text

SDFix: Version 1.223
Run by HP_Administrator on Wed 09/10/2008 at 17:23

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

evilfantasy · « **Reply #13 on:** September 10, 2008, 05:55:38 PM »

Sorry, forgot about the task bar...

It doesn't look like it finished running, the log is cut off.

Download DrWeb CureIt & save it to your desktop.

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button.
Then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
When the scan is done.
In the Dr.Web CureIt menu on top left, click File and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
Copy and paste that log in the next reply

.

Do you have an XP CD?

Any changes after running Dr Web?

nikis360 · « **Reply #14 on:** September 10, 2008, 08:50:53 PM »

I rebooted after scan at startup SDfix completed the final scan here is the report.txt

Rebooting

Checking Files :

No Trojan Files Found

Here is the DrWeb.csv

explorer.exe;c:\windows;Trojan.Starter.384;Cured.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
services.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Cured.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\HP_Administrator\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\HP_Administrator\Desktop;Archive contains infected objects;Moved.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\HP_Administrator\My Documents\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\HP_Administrator\My Documents;Archive contains infected objects;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
SlgClientServicesRedists.exe\data002;C:\Program Files\HP Games\Cake Mania\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;C:\Program Files\HP Games\Cake Mania;Archive contains infected objects;Moved.;
Dc2.exe\SmitfraudFix\Process.exe;C:\RECYCLER\S-1-5-21-1910497479-1301464851-1006375060-1007\Dc2.exe;Tool.Prockill;;
Dc2.exe\SmitfraudFix\restart.exe;C:\RECYCLER\S-1-5-21-1910497479-1301464851-1006375060-1007\Dc2.exe;Tool.ShutDown.11;;
Dc2.exe;C:\RECYCLER\S-1-5-21-1910497479-1301464851-1006375060-1007;Archive contains infected objects;Moved.;
Process.exe;C:\RECYCLER\S-1-5-21-1910497479-1301464851-1006375060-1007\Dc1;Tool.Prockill;;
restart.exe;C:\RECYCLER\S-1-5-21-1910497479-1301464851-1006375060-1007\Dc1;Tool.ShutDown.11;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
data030\data002;E:\I386\APPS\APP01313\src\install\Worldwide-MediaCenter\games\cakemania-setup.exe\data030;Adware.SpywareStorm;;
data030;E:\I386\APPS\APP01313\src\install\Worldwide-MediaCenter\games\cakemania-setup.exe;Archive contains infected objects;;
cakemania-setup.exe;E:\I386\APPS\APP01313\src\install\Worldwide-MediaCenter\games;Archive contains infected objects;Moved.;

I don't have an XP CD

I've never been so happy to see my desktop icons and taskbar. Your great!

evilfantasy · « **Reply #15 on:** September 10, 2008, 09:09:53 PM »

Glad you got your desktop icons and taskbar back.

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

Double click on RSIT.exe to run.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
log.txt <will be maximized and info.txt <will be minimized
Please post the contents of both logs in the next reply.

nikis360 · « **Reply #16 on:** September 10, 2008, 09:57:29 PM »

I've attached the logs

[recovering disk space -- attachment deleted by admin]

evilfantasy · « **Reply #17 on:** September 10, 2008, 10:10:03 PM »

Looks good. Let me know if you have any questions.

Delete RSIT and any logs from it.

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

nikis360 · « **Reply #18 on:** September 10, 2008, 10:25:05 PM »

when I try to open system restore the message says that system restrore is unable to protect my computer. reboot and run system restore again

should I do this

evilfantasy · « **Reply #19 on:** September 10, 2008, 10:35:12 PM »

Try a different way.

Turn OFF System Restore

On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check Turn off System Restore
Click Apply, and then click OK

.
Restart your computer

Turn ON System Restore

On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check Turn off System Restore
Click Apply, and then click OK

.
System Restore will now be active again

nikis360 · « **Reply #20 on:** September 10, 2008, 10:41:20 PM »

tried to turn off system restore and message says system restore encountered an error trying to enable/disable one or more drives. please restart your machine and try again

evilfantasy · « **Reply #21 on:** September 10, 2008, 10:51:47 PM »

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy All of the text in the Code box below and paste it into Notepad.

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
  00,00,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]

In Notepad go to File > Save as...

Next to File name: type fixme.reg Use the dropdown box next to Save as type: and select All files. Save it to the Desktop.

There should now be a file on the Desktop that looks like this

Double-click fixme.reg it and allow it to merge with the Registry.

You may not see anything happen but give it a few seconds or so to finish.

Now delete the fixme.reg file from the Desktop and restart the computer.

----------

Try to turn off/on System Restore again.

nikis360 · « **Reply #22 on:** September 10, 2008, 11:27:23 PM »

now the system restore screen pops up and asks if I want to create a restore point when I click create I get the message

system restore is not able to create a restore point. Please restart the computer, and then run system restore again

evilfantasy · « **Reply #23 on:** September 10, 2008, 11:34:03 PM »

This is getting interesting....

Try this. If it doesn't work then we will do another scan for malware. We might not have gotten it all.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

Open the folder and run Dial-a-fix.exe
2 windows will open. Close the one in the background labeled Restrictive Policies
Check the box in section 1, Empty temp folders.
Check the box in section 2, Fix Windows Installer.
Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
Check all boxes in Section 5, labeled Registration Center.
Click Go
OK any error messages if received, but write them down and post them here.
Restart the computer when done.

How is everything now?

nikis360 · « **Reply #24 on:** September 11, 2008, 12:19:39 AM »

ok I've created a restore point and deleted old restore points.
My out of date software was realplayer, quicktime and apple quicktime.
Do I really have to update them. I don't want any of my media settings to change.
I don't actually use these programs. I only use windows media player.

evilfantasy · « **Reply #25 on:** September 11, 2008, 12:20:57 AM »

If you don't use them then it would be good to uninstall them. Those programs take up a lot of space.

nikis360 · « **Reply #26 on:** September 11, 2008, 12:39:44 AM »

Ok I guess everything is back to normal now.

I can't thank you enough, you're the best!

Is it ok to erase all of the downloaded programs or should I keep some of them?

Should I start a new post on how to get rid of f-secure? If so, I want to thank you again. All of your help and time are greatly appreciated!!

evilfantasy · « **Reply #27 on:** September 11, 2008, 01:00:59 AM »

Keep MBAM and SAS. Update them and scan now and then to be sure nothing has snuck in.

I will look around on the F-secure problem. What exactly happened again?

nikis360 · « **Reply #28 on:** September 11, 2008, 01:22:03 AM »

With F-secure, I'm having the most difficult time trying to uninstall/delete the program from my system

evilfantasy · « **Reply #29 on:** September 11, 2008, 10:18:15 AM »

How have you tried to remove it so far?

Can you reinstall it and then use the uninstaller to remove it properly?

nikis360 · « **Reply #30 on:** September 11, 2008, 12:06:48 PM »

I've tried removing it with add/remove programs when rebooted, F-secure was no longer on the add/remove list but the F-secure folder was still in my program files.
I tried using the uninstalltool.exe and when rebooted the folder is still there

evilfantasy · « **Reply #31 on:** September 11, 2008, 12:37:24 PM »

Download Unlocker

Open the installation file, select the installation language and click OK.
An installation wizard will pop up, click Next.
Choose the default destination folder C:\Programs Files\Unlocker and click Next.
Click Install directly. (Don't change anything)
After the installation completes, go back to the file/folder you want to delete.
Right-click on the file/folder and select Unlocker.
There should be a window opening, select Delete.
This should permanantly delete your file.

.
If it comes back let me know.

nikis360 · « **Reply #32 on:** September 11, 2008, 01:25:13 PM »

ok that worked. Does this also clean the registry

evilfantasy · « **Reply #33 on:** September 11, 2008, 01:39:16 PM »

No it doesn't.

Now run CCleaner.

From the main window click Run cleaner to clean all files found
Next select the Registry tab to the left and then click the Scan for Issues button.
When it finishes look through the list to ensure everything found should indeed be removed. Uncheck any you may be unsure of.[/B]
Click Fix selected issues...
Make sure you say Yes to the Do you want to backup changes to the registry? prompt and let it save the backup cc_2008xxxxxxx.reg file. (xxxxxxx is based on the date and time when saved).
It may prompt you again with messages about the things being fixed. Just click Fix All Selected Issues.

nikis360 · « **Reply #34 on:** September 11, 2008, 02:30:27 PM »

ok, done

thank you for all your help!

evilfantasy · « **Reply #35 on:** September 11, 2008, 03:07:36 PM »

Glad it worked.

Safe surfing....

Computer Hope Forum

News:

Author Topic: icons and task bar are gone, can't right click on desktop...windows infected (Read 20643 times)

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy

nikis360

evilfantasy