0

A while back I downloaded a program from LimeWire. That wasn't a very good idea =\. Now my PC has a red X next to my C drive. I used to have constant irritating popups and error messages (kernel error, system instability, etc.). Now when I run a Trend Micro Internet Security scan, it doesn't detect any viruses. But the red X is still there. But all the errors and lagging are completely gone, but the red X is still there. Whoever knows how to fix this, please help me. I'm getting very irritated that the red X is still there. Thanks to whoever helps me.

0

If you want to be more sure that your machine is clean then do this:
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox, open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
To fix your icon get Powertoys for Windows Tweak UI [from M$ or whoever has it when you google for it]. Got it installed? Right, down the bottom to Repair, the option you want is Rebuild Icons. This will reset your system to use the correct icons from Shell32.

0

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-05 20:28:21
PROTECTIONS: 0
MALWARE: 16
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@doubleclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@mediaplex[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@statcounter[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@advertising[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@questionmarket[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@atwola[1].txt
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\New Folder\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\New Folder\ComboFix.exe[327882R2FWJFW\nircmd.com]
02885362 Adware/Lop Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ADSTechnology\ADSTechnology.dll.vir
02885377 Adware/ActivationManager Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ActivationManager\ActivationManager.dll.vir
02887738 Trj/Downloader.PLF Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT
02896639 Adware/Matcash Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir
02899162 Trj/Agent.HYR Virus/Trojan No 0 Yes Yes C:\Documents and Settings\frank\Application Data\Microsoft\Windows\emnubt.exe
02900909 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\byxyvsr.dll.vir
02901758 Trj/Downloader.SQZ Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\wb3\snmaildriv3.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location \
;===================================================================================================================================================================================
No C:\WINDOWS\SYSTEM32\MYSIDESEARCH_SIDEBAR.DLL \
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description \
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Ehhh, is this the log? If it isn't, sorry, but could you tell me where it is?

0

Sorry if this is a double post, but I couldn't find how to edit my post. Here's a new log, more viruses =\
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-06 12:25:52
PROTECTIONS: 0
MALWARE: 19
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@atdmt[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@fastclick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@com[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@statcounter[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@apmebf[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@ads.pointroll[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@zedo[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@atwola[1].txt
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\New Folder\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No H:\FixAdrian'sComp\New Folder\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
02885362 Adware/Lop Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ADSTechnology\ADSTechnology.dll.vir
02885377 Adware/ActivationManager Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ActivationManager\ActivationManager.dll.vir
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT
02896639 Adware/Matcash Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir
02900909 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\byxyvsr.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location p
;===================================================================================================================================================================================
No C:\WINDOWS\SYSTEM32\MYSIDESEARCH_SIDEBAR.DLL p
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description p
;===================================================================================================================================================================================
;===================================================================================================================================================================================

0

Most of the results in those two scans are benign cookies in frank's account. Run CCleaner in frank's account.
When did you run Combofix? Please post the log if it was recent, i.e. run to try to solve this problem.
Delete C:\Qoobox.
Panda deleted these three objects:
02887738 Trj/Downloader.PLF Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
02899162 Trj/Agent.HYR Virus/Trojan No 0 Yes Yes C:\Documents and Settings\frank\Application Data\Microsoft\Windows\emnubt.exe
02901758 Trj/Downloader.SQZ Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\wb3\snmaildriv3.exe

These are infecting your restore points:
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP177\snapshot\MFEX-1.DAT

==You should clear all your system restore points because some have been infected.... So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
=Now make a fresh, clean restore point: Start > programs > accessories > system tools > system restore and create a restore point now!!

==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by double-clicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Did you do the bit I suggested re TweakUI?
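
The triage in the reply above (cookies, objects Panda already deleted, infected restore points, ComboFix's Qoobox quarantine) can be reproduced mechanically. This is an added example, not part of the original thread or of any Panda tool: the function names and bucket labels are hypothetical, and it assumes the MALWARE rows are whitespace-separated exactly as they were pasted here.

```python
import re
from collections import defaultdict

# Rows copied from the two Panda ActiveScan logs posted above
# (separator line shortened; only a few rows kept).
SAMPLE_LOG = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==========
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\frank\Cookies\frank@atdmt[1].txt
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
02885362 Adware/Lop Adware No 0 Yes No C:\QooBox\Quarantine\C\Program Files\ADSTechnology\ADSTechnology.dll.vir
02887738 Trj/Downloader.PLF Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\nGpxx07\nGpxx071084.exe
02892536 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{D1BB0304-A786-4975-AF24-FA6CCA085657}\RP178\snapshot\MFEX-1.DAT
"""

# Id, Description (may contain spaces), Type, Active, Severity,
# Disinfectable, Disinfected, Location (rest of the line, may contain spaces).
# The lazy Description group grows until the Yes/No/number columns line up.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)


def parse_rows(text):
    """Yield one dict per MALWARE row; headers and separators are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.groupdict()


def bucket(row):
    """Assign a row to the follow-up action suggested in the reply above."""
    loc = row["location"].lower()
    if row["type"] == "TrackingCookie":
        return "cookie"             # benign; cleared by a cookie/cache clean
    if row["disinfected"] == "Yes":
        return "already_removed"    # the scanner deleted it during this run
    if "\\system volume information\\_restore" in loc:
        return "restore_point"      # purge restore points, then make a new one
    if loc.startswith("c:\\qoobox\\"):
        return "qoobox_quarantine"  # inert copies kept by ComboFix
    return "review"                 # anything else needs a human look


def triage(text):
    """Return {bucket: [(description, location), ...]} for a pasted log."""
    result = defaultdict(list)
    for row in parse_rows(text):
        result[bucket(row)].append((row["desc"], row["location"]))
    return dict(result)


if __name__ == "__main__":
    for name, rows in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(rows)}")
        for desc, loc in rows:
            print(f"    {desc}  ->  {loc}")
```
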

0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:05:52 PM, on 4/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\frank\Desktop\HiJackThis\imabunny.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {31D7F734-02C3-46F2-BDB0-B01EE77B9AC5} - C:\WINDOWS\system32\mljgh.dll (file missing)
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: MySidesearch Search Assistant - {DDFA1356-E6ED-42a5-9D62-93211D424A90} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKUS\S-1-5-21-842925246-838170752-682003330-1002\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-842925246-838170752-682003330-1002\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User '?')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: hqjpkson - hqjpkson.dll (file missing)
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O24 - Desktop Component 0: (no name) - http://a133.ac-images.myspacecdn.com/images01/112/l_55f93fae7cab24ed6ecd55d8c65e1d1c.jpg
    O24 - Desktop Component 1: (no name) - http://a946.ac-images.myspacecdn.com/images01/32/l_d6b7ded450e8254e548c62a8c0b95131.jpg
    O24 - Desktop Component 2: (no name) - http://a793.ac-images.myspacecdn.com/images01/14/l_71e64db8bd6cfcdf73e3b5979ca35930.jpg
    O24 - Desktop Component 3: (no name) - http://a544.ac-images.myspacecdn.com/images01/70/l_a23c86916ed3f1a27c52db9d65f2222f.jpg

    --
    End of file - 5389 bytes
    ComboFix 08-02-18.1 - frank 2008-02-19 22:19:41.1 - NTFSx86

    Running from: H:\FixAdrian'sComp\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\frank\Application Data\WinTouch\WinTouch.exe
    C:\WINDOWS\system32\hgghiii.dll
    C:\Documents and Settings\frank\Application Data\SSTEM3~1
    C:\Documents and Settings\frank\Application Data\SSTEM3~1\n?lookup.exe
    C:\Documents and Settings\frank\Application Data\WinTouch\wintouch.cfg
    C:\Documents and Settings\frank\Application Data\WinTouch\WinTouch.exe
    C:\Documents and Settings\frank\Application Data\WinTouch\WTUninstaller.exe
    C:\Documents and Settings\frank\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\frank\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\frank\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Program Files\ActivationManager
    C:\Program Files\ActivationManager\ActivationManager.dll
    C:\Program Files\ActivationManager\Uninstall.exe
    C:\Program Files\ADSTechnology
    C:\Program Files\ADSTechnology\ADSTechnology.dll
    C:\Program Files\ADSTechnology\ADSTechnology.exe
    C:\Program Files\ADSTechnology\Uninstall.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\outlook
    C:\Program Files\outlook\p.zip
    C:\Program Files\Router
    C:\Program Files\Router\Router.exe
    C:\Program Files\Router\UnInstall.exe
    C:\Program Files\Temporary
    C:\Program Files\Temporary\InsiDERInst.exe
    C:\Program Files\Temporary\kernInst.exe
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\isgTi19
    C:\Temp\isgTi19\lPig.log
    C:\WINDOWS\b104.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\b138.exe
    C:\WINDOWS\b151.exe
    C:\WINDOWS\b153.exe
    C:\WINDOWS\crosof~1
    C:\WINDOWS\crosof~1\??crosoft\
    C:\WINDOWS\crosof~1\svchost.exe
    C:\WINDOWS\Fonts\a.zip
    C:\WINDOWS\mrofinu1000106.exe
    C:\WINDOWS\mrofinu1000137.exe
    C:\WINDOWS\mrofinu1000140.exe
    C:\WINDOWS\system32\byxyvsr.dll
    C:\WINDOWS\system32\dccdd.ini
    C:\WINDOWS\system32\dccdd.ini2
    C:\WINDOWS\system32\gebyw.dll
    C:\WINDOWS\system32\gsvwrrsj.dll
    C:\WINDOWS\system32\gumphpge.dll
    C:\WINDOWS\system32\hgghiii.dll
    C:\WINDOWS\system32\hgjlm.ini
    C:\WINDOWS\system32\hgjlm.ini2
    C:\WINDOWS\system32\lqwodadm.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nokzaqjb.dll
    C:\WINDOWS\system32\nqtss.ini
    C:\WINDOWS\system32\nqtss.ini2
    C:\WINDOWS\system32\nsa14.dll
    C:\WINDOWS\system32\nsq15.dll
    C:\WINDOWS\system32\orkdujcf.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pjbrre.dll
    C:\WINDOWS\system32\qvljofix.dll
    C:\WINDOWS\system32\sprt_ads.dll
    C:\WINDOWS\system32\ssttr.dll
    C:\WINDOWS\system32\tjbjnykw.ini
    C:\WINDOWS\system32\uggtkyak.dll
    C:\WINDOWS\system32\v9
    C:\WINDOWS\system32\v9\rabs2135.exe
    C:\WINDOWS\system32\whpxjevv.dll
    C:\WINDOWS\system32\wkynjbjt.dll
    C:\WINDOWS\system32\wxacpvyy.dll

    .
    (((((((((((((((((((((((((   Files Created from 2008-01-20 to 2008-02-20  )))))))))))))))))))))))))))))))
    .

    2008-02-19 23:41 . 2008-02-19 23:42 134 ---hs----   C:\WINDOWS\system32\nokzaqjb.dllbox
    2008-02-10 22:24 . 2008-02-10 22:24 <DIR>    d--------   C:\Program Files\IEEE 802.11g Wireless LAN Utility
    2008-02-10 12:47 . 2008-02-10 12:47 <DIR>    d--------   C:\Program Files\xInsIDE
    2008-02-10 00:23 . 2008-02-10 13:58 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\WinZip
    2008-02-09 19:50 . 2008-02-09 19:50 72,566  --a------   C:\WINDOWS\system32\GameFly_2.ico
    2008-02-09 19:03 . 2008-02-10 18:43 2,274   --ahs----   C:\WINDOWS\system32\mbcemesn.ini
    2008-02-09 09:14 . 2005-11-10 12:54 402,944 -ra------   C:\WINDOWS\system32\drivers\BLKWGU.sys
    2008-02-08 20:53 . 2008-02-08 20:53 2,560   --a------   C:\WINDOWS\_MSRSTRT.EXE
    2008-02-08 19:21 . 2008-02-08 19:21 163,904 --a------   C:\WINDOWS\system32\nokzaqjb.dll_old
    2008-02-08 19:21 . 2008-02-19 22:24 163,904 --a------   C:\WINDOWS\system32\nokzaqjb.dll
    2008-02-08 19:00 . 2008-02-09 18:51 1,614   --ahs----   C:\WINDOWS\system32\fcgjbmbc.ini
    2008-02-07 17:09 . 2008-02-08 16:54 1,134   --ahs----   C:\WINDOWS\system32\lpxqksno.ini
    2008-02-06 22:38 . 2008-02-06 22:40 <DIR>    d--------   C:\Documents and Settings\frank\Application Data\PrevxCSI
    2008-02-06 22:27 . 2008-02-06 22:56 7,168   --a------   C:\WINDOWS\system32\windows_old
    2008-02-06 22:08 . 2008-02-07 16:54 474 --ahs----   C:\WINDOWS\system32\amgkjgey.ini
    2008-02-06 22:01 . 2008-02-06 22:01 <DIR>    d--------   C:\Program Files\Drmupgds
    2008-02-06 22:00 . 2008-02-06 22:00 86  --a------   C:\Documents and Settings\frank\n.bat
    2008-02-06 21:59 . 2008-02-06 21:59 778 --a------   C:\Documents and Settings\frank\z.dat
    2008-02-06 21:59 . 2008-02-06 21:59 291 --a------   C:\Documents and Settings\frank\x.dat
    2008-02-06 21:58 . 2008-02-06 21:58 <DIR>    d--------   C:\WINDOWS\system32\wb3
    2008-02-06 21:58 . 2008-02-07 06:55 <DIR>    d--------   C:\WINDOWS\system32\rp4
    2008-02-06 21:58 . 2008-02-06 21:58 <DIR>    d--------   C:\WINDOWS\system32\nGpxx07
    2008-02-06 21:58 . 2008-02-07 06:55 <DIR>    d--------   C:\WINDOWS\system32\cz6
    2008-02-06 21:58 . 2008-02-19 22:20 <DIR>    d--------   C:\Temp
    2008-02-06 21:58 . 2008-02-06 21:58 53,248  ---------   C:\Documents and Settings\frank\hl.exe
    2008-02-06 16:56 . 2008-02-06 16:56 <DIR>    d--------   C:\Program Files\Belkin
    2008-02-03 23:00 . 2008-02-03 23:00 46,300  --a------   C:\WINDOWS\system32\AdssiteSocial-uninstall.exe
    2008-02-03 21:24 . 2008-02-03 23:00 77,353  --a------   C:\WINDOWS\system32\adssite_sidebar_uninstall.exe
    2008-02-03 21:23 . 2008-02-03 21:23 80,090  --a------   C:\WINDOWS\system32\adssite-remove.exe
    2008-02-03 21:19 . 2008-02-03 22:55 <DIR>    d--------   C:\Program Files\Incomplete
    2008-02-03 21:18 . 2008-02-03 21:18 147,456 --a------   C:\WINDOWS\system32\vbzip10.dll
    2008-02-03 19:11 . 2008-02-07 19:55 <DIR>    d--------   C:\Program Files\Common Files\Adobe
    2008-02-03 19:09 . 1998-10-29 16:45 306,688 --a------   C:\WINDOWS\IsUninst.exe
    2008-02-03 19:00 . 2008-02-03 19:01 84,761  --a------   C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    2008-02-03 19:00 . 2008-02-03 19:00 46,300  --a------   C:\WINDOWS\system32\DcadsSocial-uninstall.exe
    2008-02-03 18:59 . 2008-02-10 18:45 80,112  --a------   C:\WINDOWS\system32\dcads-remove.exe
    2008-02-03 18:59 . 2008-02-03 19:01 40,730  --a------   C:\WINDOWS\system32\superiorads-uninst.exe
    2008-01-30 15:52 . 2008-01-30 15:52 <DIR>    d--------   C:\Program Files\Common Files\INCA Shared
    2008-01-28 19:53 . 2008-01-28 19:53 <DIR>    d--------   C:\WINDOWS\Sun
    2008-01-28 19:20 . 2008-01-28 19:35 <DIR>    d--------   C:\Program Files\PDF Reader 2
    2008-01-28 19:20 . 2008-01-28 19:20 72,192  --a------   C:\WINDOWS\cadkasdeinst01e.exe
    2008-01-24 20:36 . 2008-01-24 20:46 <DIR>    d--------   C:\Program Files\Rockstar Custom Tracks
    2008-01-21 14:58 . 2008-01-21 14:58 <DIR>    d--------   C:\WINDOWS\ShellNew
    2008-01-21 14:58 . 2008-01-21 14:58 <DIR>    d--------   C:\Program Files\Microsoft ActiveSync
    2008-01-21 14:58 . 2008-01-21 14:58 376 --a------   C:\WINDOWS\ODBC.INI
    2008-01-21 14:53 . 2008-01-21 14:54 <DIR>    d--------   C:\Program Files\Microsoft Works
    2008-01-21 14:52 . 2008-01-21 14:52 <DIR>    d--------   C:\Program Files\Microsoft Works Suite 2003
    2008-01-21 10:08 . 2008-02-19 08:10 980 --a------   C:\WINDOWS\WININIT.INI

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-20 03:28    ---------   d-----w C:\Documents and Settings\frank\Application Data\U3
    2008-02-19 01:51    ---------   d-----w C:\Documents and Settings\frank\Application Data\MegauploadToolbar
    2008-02-11 04:24    ---------   d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-09 02:53    ---------   d-----w C:\Program Files\Free Audio Pack
    2008-02-09 02:53    ---------   d-----w C:\Program Files\Common Files\Stardock
    2008-02-04 05:15    ---------   d-----w C:\Documents and Settings\frank\Application Data\LimeWire
    2008-02-04 03:18    278,542 ----a-w C:\WINDOWS\Fonts\Setup.exe
    2008-01-21 16:37    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ATI MMC
    2008-01-21 16:36    ---------   d-----w C:\Program Files\Common Files\ATI
    2008-01-21 16:36    ---------   d-----w C:\Program Files\ATI Multimedia
    2008-01-12 15:28    ---------   d-----w C:\Program Files\LegacyGamers
    2008-01-10 22:31    ---------   d-----w C:\Program Files\Java
    2008-01-01 08:18    ---------   d-----w C:\Documents and Settings\frank\Application Data\Xfire
    2007-12-31 02:35    ---------   d-----w C:\Program Files\Game Cam v1.4
    2007-12-30 05:35    ---------   d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-12-29 18:14    ---------   d-----w C:\Documents and Settings\frank\Application Data\Search Settings
    2007-12-29 18:01    ---------   d-----w C:\Program Files\Search Settings
    2007-12-29 18:01    ---------   d-----w C:\Program Files\Common Files\SWF Studio
    2007-12-29 02:58    22,328  ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2007-12-27 01:08    22,328  ----a-w C:\Documents and Settings\frank\Application Data\PnkBstrK.sys
    2007-12-27 00:34    ---------   d-----w C:\Program Files\Common Files\InstallShield
    2007-12-27 00:05    ---------   d-----w C:\Documents and Settings\frank\Application Data\ATI
    2007-12-27 00:01    ---------   d-----w C:\Program Files\Common Files\Borland Shared
    2007-12-26 23:51    ---------   d-----w C:\Program Files\Common Files\CyberLink
    2007-12-25 20:01    ---------   d-----w C:\Program Files\directx
    2007-12-25 19:55    ---------   d-----w C:\Program Files\PIXELA
    2007-12-24 04:02    ---------   d--h--w C:\Documents and Settings\frank\Application Data\ijjigame
    2007-12-23 07:26    ---------   d-----w C:\Program Files\Teamspeak2_RC2
    2007-12-23 07:26    ---------   d-----w C:\Documents and Settings\frank\Application Data\teamspeak2
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1648E328-3E5A-4EA5-A9C6-E5F09EE272DA}]
    2007-12-24 07:02    319488  --a------   C:\WINDOWS\system32\adssite_sidebar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8282E6-BC4F-469B-AAED-7E4FF077AD93}]
    2008-01-18 04:06    294912  --a------   C:\WINDOWS\system32\iebrowserc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31D7F734-02C3-46F2-BDB0-B01EE77B9AC5}]
                C:\WINDOWS\system32\mljgh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2008-02-19 22:24    163904  --a------   C:\WINDOWS\system32\nokzaqjb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
    2007-12-06 11:58    1198432 --a------   C:\Program Files\Search Settings\kb125\SearchSettings.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB766"="command /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingD2670"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingB3805"="command /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingD8412"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingB3287"="command /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingD4237"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingB7495"="command /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingD1088"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingB1430"="command /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingD8590"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingB3751"="command /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingD1755"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-05-25 07:43 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-05-25 07:43 126976]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 06:00 158208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingA7446"="command /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingC2699"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingA1993"="command /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingC7547"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingA8221"="command /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingC7780"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingA1239"="command /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingC1622"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll_old" [ ]
    "SpybotDeletingA5442"="command /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingC442"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dllbox" [ ]
    "SpybotDeletingA6302"="command /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]
    "SpybotDeletingC1931"="cmd /c del C:\WINDOWS\system32\nokzaqjb.dll" [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hqjpkson]
    hqjpkson.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nokzaqjb]
    nokzaqjb.dll 2008-02-19 22:24 163904 C:\WINDOWS\system32\nokzaqjb.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
    backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g Wireless LAN Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g Wireless LAN Utility.lnk
    backup=C:\WINDOWS\pss\IEEE 802.11g Wireless LAN Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VersionTrackerPro.lnk
    backup=C:\WINDOWS\pss\VersionTrackerPro.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^frank^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\frank\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^frank^Start Menu^Programs^Startup^Xfire.lnk]
    path=C:\Documents and Settings\frank\Start Menu\Programs\Startup\Xfire.lnk
    backup=C:\WINDOWS\pss\Xfire.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    --a------ 2007-11-23 10:18 962560 C:\Program Files\Ares\Ares.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
    --a------ 2005-05-10 16:21 1482752 C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
    --a------ 2007-09-06 04:06 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bbbq]
    C:\Documents and Settings\frank\Application Data\s?stem32\n?lookup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecsu]
    C:\WINDOWS\CROSOF~1\svchost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
    C:\Program Files\outlook\outlook.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2007-08-06 18:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Router]
    C:\Program Files\Router\Router.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\mrofinu1000140.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]
    --a------ 2007-12-06 11:58 1069920 C:\Program Files\Search Settings\SearchSettings.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
    --a------ 2008-02-10 12:58 35840 C:\Documents and Settings\frank\Application Data\Microsoft\Windows\emnubt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-10-30 22:55 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTouch]
    C:\Documents and Settings\frank\Application Data\WinTouch\WinTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xInsIDE]
    --a------ 2008-02-10 12:47 57344 C:\Program Files\xInsIDE\xInsIDE.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "NVSvc"=2 (0x2)
    "gusvc"=3 (0x3)
    "AresChatServer"=3 (0x3)


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    DcomLaunch  REG_MULTI_SZ    DcomLaunch

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-19 23:42:00
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully 
    hidden files: 0 

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\nokzaqjb.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-19 23:53:23 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-02-20 05:53:19
    .
    2008-01-22 21:35:16 --- E O F ---

Edited by mike_2000_17: Fixed formatting
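The review a helper does by eye on the "Reg Loading Points" section of a log like the one above can be scripted. This is an added example, not part of the original thread and not ComboFix's own logic; the heuristics, the `SYSTEM_NAMES` list and the function names are assumptions, and the sample is an excerpt of the log above.

```python
import re

# Excerpt copied from the ComboFix log above (Reg Loading Points section).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31D7F734-02C3-46F2-BDB0-B01EE77B9AC5}]
            C:\WINDOWS\system32\mljgh.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-05-25 07:43 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nokzaqjb]
nokzaqjb.dll 2008-02-19 22:24 163904 C:\WINDOWS\system32\nokzaqjb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bbbq]
C:\Documents and Settings\frank\Application Data\s?stem32\n?lookup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ecsu]
C:\WINDOWS\CROSOF~1\svchost.exe
"""

# Assumed (hypothetical) list of Windows binaries that normally live in system32.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe"}
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll)", re.I)
BARE_RE = re.compile(r"[\w.-]+\.(?:exe|dll)", re.I)   # e.g. "hqjpkson.dll"
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}")

def parse_entries(log):
    """Yield (key, path, has_stamp) for each file line under a [key] header."""
    key = None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := PATH_RE.search(line) or BARE_RE.search(line)):
            yield key, m.group(0), bool(STAMP_RE.search(line))

def triage(log):
    """Return {path: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for key, path, has_stamp in parse_entries(log):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\winlogon\\notify\\" in key.lower():   # log hides legit defaults
            reasons.append("non-default Winlogon Notify DLL")
        if not has_stamp:                            # log prints date/size for files it found
            reasons.append("no file timestamp/size listed")
        if "?" in path:                              # '?' is not valid in a Windows file name
            reasons.append("unrenderable character in path")
        if name in SYSTEM_NAMES and "\\system32\\" not in low:
            reasons.append("system binary name outside system32")
        if "\\application data\\" in low and name.endswith(".exe"):
            reasons.append("autostart executable in user profile")
        if reasons:
            findings[path] = reasons
    return findings
```

A flagged entry is a prompt for manual review, not a verdict; the `startupreg` keys in particular hold items already disabled through msconfig.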

0

Okay, bo... start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {31D7F734-02C3-46F2-BDB0-B01EE77B9AC5} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {DDFA1356-E6ED-42a5-9D62-93211D424A90} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O20 - Winlogon Notify: hqjpkson - hqjpkson.dll (file missing)

Good, Now uninstall Search Settings.
Delete this file:
C:\WINDOWS\system32\mysidesearch_sidebar.dll
And say how things are...

0

OK, I fixed the files you said to, deleted the file you said to, and did the repair icons thing, but no difference. Any ideas? What do I do next?

0

I'd like to look at a key in your registry; this will do that, and then delete it.
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt
__________________________________________________________

Open a fresh explorer window [my computer]

0

Sorry for all the questions but I'm still confused. I made a notepad with the text format/wordwrap unchecked in it and saved it with a .bat extension. But once I double-clicked it a command prompt came up for like a fourth of a second, then it automatically closed. And by posting the file showkeys.txt do you mean to change the .bat back to .txt? Sorry again for all the questions but I'm really confused and I really want to get this virus off my computer.

0

If you look in your C: root there should be a file C:\showkey.txt. If you dclick that it will open; if it is empty [no text] just say so.
You may delete showkey.bat - it has done its job. That black command window does just flash like that as the batch file runs.

0

Let me try again but I don't think there's one. What exactly do I do again? I might have done it wrong.

0

Bo, from what you said a couple of posts back it sounds like you ran the batch file correctly [the "no-wordwrap" bit is/was important, but you did that correctly], so the showkey.txt file should have been created, and it should have popped on your desktop too. Running the batch file again would not do damage but will only create an empty notepad the second time, so no need to do that.
Do you still have a red cross?

0

Yeah. When I put the text in the notepad do I have to have those [ ]?

0

Here is a fresh way: save this text in the box using a notepad [wordwrap unchecked] as showkey.bat, dclick it to run and post the notepad that opens...

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\DefaultIcon" /s >> C:\showkey.txt
reg query "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /s >> C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive" /s >> C:\showkey.txt
start C:\showkey.txt

0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\System32\shell32.dll,8

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Drive\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\System32\shell32.dll,8

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\System32\shell32.dll,8

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Drive\DefaultIcon
<NO NAME> REG_EXPAND_SZ %SystemRoot%\System32\shell32.dll,8

That's what pops up in Notepad.

0

Well OK. Thanks for trying to help me. At least the virus is gone.

0

One other thing, in an explorer window if you go Tools, Folder Options, View tab, uncheck Hide Protected Op SYS files, Apply and OK... do you have a C:\autorun.inf file? If so, drag it into an empty notepad and post it, please. Lastly, check that box again to hide those files.

0

Bo, I found the red cross icon in shell32.dll [most system icons are stored in there]....now only if you are comfortable with going into registry.. ie have done it before... go start, run, type regedit and OK.
Click on My Computer at top, then go Edit, Find, type in..
shell32.dll,240
... and tell me the keys it occurs in.

0

HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}\InProcServer32
Am I supposed to type in shell23.dll,240? Or do you mean shell32.dll as one search and 240 as another? Because when I put both in one it just says searching registry and nothing happens.

0

Search for the whole string:
shell23.dll,240
-if it is not found a box will pop saying that. That searchline represents the icon in shell32 - I am wondering since you do not have an autorun.inf file [which would override a reg key] if that red cross is being specified by some registry key other than those we checked earlier. If you do find it please export that key and post it [change the "exportname".reg file extension to .txt first, then dclick the file to open it in a notepad][..or you simply drag the "exportname".reg file into a notepad]

0

It just said finished searching through registry and nothing happened.

0

Okay, it's not in there. Bo, I am going to have to give up on this one for a while - I am not helping you... This is the result of a vundo infection, it seems, and you are clean of that now. There is a temporary fix to remove the cross that I spotted on one site...
Paste this text in a notepad, save it as C:\autorun.inf

[autorun]
ICON=C:\Windows\system32\shell32.dll,8

Stop and restart explorer.exe [or restart your sys].
Should work, but it does not fix the actual problem...

0

Bo, I still think that you should run Combofix again...
"Could you delete your copy of combofix and dl a fresh copy and run it?
http://download.bleepingcomputer.com/sUBs/ComboFix.exe"....
That cross has to be mandated from somewhere... it does not seem to be from a registry entry nor a .inf file on the drive so there must be a malware file still remaining on your machine. Combofix may find it now, it is being updated all the time.

0

Bo, one more thing, you could do this before you try the combofix run - I did not get a satisfactory result from my first request to run this batch file, it may not have been applied correctly [and the one you ran successfully was different], so please try it again:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /s >C:\showkey.txt
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Drive Icons" /f
start C:\showkey.txt

0

Never mind, I fixed the X. Someone told me that I make a registry file and save it to the registry. It's gone now.
