For some reason I had a Spyware Protector 2009 program pop up on my system, and that's where the trouble started. Now explorer.exe won't run and I can't get it to run through Task Manager. Here is my HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:31 AM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Rottin Corpse\Desktop\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Ezisuqoqiwogij] rundll32.exe "C:\WINDOWS\Lkoqa.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5489] command /c del "C:\Program Files\Microsoft Common\svchost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4297] cmd /c del "C:\Program Files\Microsoft Common\svchost.exe"
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231878895890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: uckakt.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7018 bytes

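A first-pass triage filter for lines in the HijackThis format posted above, as an added example that is not code from HijackThis or from anyone in this thread. The sample lines are copied from the two HJT logs in the thread (benign AVG and NVIDIA entries included so the filter has something to pass), and the rules are an assumption about what a removal helper scans for first, not HijackThis' own scoring.

```python
r"""First-pass triage of HijackThis (HJT) log lines.

Added example for this thread; not code from HijackThis or from any post here.
The rules are an assumption about what a removal helper scans for first: hosts
redirects (O1), Run keys whose image sits in the Windows root or under
Policies\Explorer\Run (O4), Winsock LSPs in temp folders (O10) and any
AppInit_DLLs entry (O20). It selects lines for review; it does not convict them.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high": almost never legitimate; "review": needs a human look
    entry: str     # the log line that triggered the rule
    reason: str


O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# A file directly in the Windows root with no sub-folder, e.g. C:\WINDOWS\sysguard.exe
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
EXE_PATH = re.compile(r"^(.+?\.(?:exe|dll|com|scr))(?:\s|$)", re.IGNORECASE)
EXE_EXT = (".exe", ".dll", ".com", ".scr")


def tokens(cmd: str) -> List[str]:
    """Split an O4 command into arguments, dropping quotes around quoted paths."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def autostart_image(cmd: str) -> str:
    """Return the file that actually runs: for rundll32 launches, the DLL argument."""
    parts = tokens(cmd)
    if not parts:
        return ""
    if parts[0].lower().endswith("rundll32.exe") and len(parts) > 1:
        return parts[1].split(",", 1)[0]  # drop the ',EntryPoint' suffix
    if not parts[0].lower().endswith(EXE_EXT):
        # Unquoted path containing spaces: read through to the extension instead.
        m = EXE_PATH.match(cmd.strip())
        if m:
            return m.group(1)
    return parts[0]


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to one HJT line and return the findings it produces."""
    out: List[Finding] = []
    m = O1_LINE.match(line)
    if m and m.group("ip") not in ("127.0.0.1", "::1"):
        out.append(Finding("high", line, f"hosts file sends {m.group('host')} to {m.group('ip')}; rogue AV products redirect security sites this way"))
    m = O4_LINE.match(line)
    if m:
        image = autostart_image(m.group("cmd"))
        if "policies\\explorer\\run" in m.group("key").lower():
            out.append(Finding("high", line, "autostart under Policies\\Explorer\\Run, a key legitimate installers almost never use"))
        if WINDOWS_ROOT.match(image):
            out.append(Finding("high", line, f"{image} sits directly in the Windows root rather than in system32 or Program Files"))
        elif "\\" not in image:
            out.append(Finding("review", line, f"unqualified image '{image}' is resolved via the search path; confirm which file actually runs"))
    m = O10_LINE.match(line)
    if m and TEMP_DIR.search(m.group("path")):
        out.append(Finding("high", line, "Winsock LSP loaded from a temp folder; every process that opens a socket will load it"))
    m = O20_LINE.match(line)
    if m:
        out.append(Finding("high", line, f"AppInit_DLLs loads {m.group('dlls').strip()} into every process that maps user32.dll"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole HJT log (or the pasted excerpt of one)."""
    return [f for line in log_text.splitlines() for f in triage_line(line.strip())]


# Constructed sample: lines copied from the two HJT logs in this thread, with
# benign entries (AVG, NVIDIA) left in so the filter has something to pass.
SAMPLE_LOG = r"""
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ezisuqoqiwogij] rundll32.exe "C:\WINDOWS\Lkoqa.dll",e
O4 - HKCU\..\Run: [sysguard] C:\WINDOWS\sysguard.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\rottin~1\locals~1\temp\ntdll64.dll
O20 - AppInit_DLLs: uckakt.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry}\n        {f.reason}")
```

Run against the sample it reports six high findings (the hosts redirect, the two Windows-root images, the Policies run key, the temp-folder LSP and the AppInit_DLLs entry) and one review item (the bare frmwrk32.exe), while the AVG and NVIDIA lines pass untouched.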
2 Contributors, 10 Replies, 11 Views, 8 Years Discussion Span, Last Post by Satyr000

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.


Things have gotten worse. Now I keep getting this "Run DLL as an app" box popping up. I got Antivirus Pro on my computer and I didn't install it. I can't hit Control-Alt-Del because my admin disabled it, and this is my computer and I'm the only user profile on it!
Malware log:
Malwarebytes' Anti-Malware 1.33
Database version: 1712
Windows 5.1.2600 Service Pack 3

1/31/2009 5:55:22 PM
mbam-log-2009-01-31 (17-55-22).txt

Scan type: Quick Scan
Objects scanned: 68253
Time elapsed: 18 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rottin Corpse\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Rottin Corpse\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.


New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:56 PM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\Uninstaller.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 91.207.117.244 browser-security.microsoft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {ED3446EF-5AE5-42F5-84D9-4C0BA655B63C} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\rottin~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\rottin~1\locals~1\temp\ntdll64.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231878895890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: wifgou.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe

--
End of file - 7195 bytes


Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!


Well, I'm back in Windows and everything seems to be fine. But now I've got this odd background and I can't change it.
http://img140.imageshack.us/my.php?image=73407315sr0.png

Here is the log file.
ComboFix 09-01-31.01 - Rottin Corpse 2009-01-31 19:02:34.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3058 [GMT -6:00]
Running from: c:\documents and settings\Rottin Corpse\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\frmwrk32.exe
c:\windows\system32\win32hlp.cnf
.
---- Previous Run -------
.
c:\documents and settings\Rottin Corpse\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\{646EE~1
c:\windows\system32\components
c:\windows\system32\frmwrk32.exe
c:\windows\system32\senekabobvmyns.dat
c:\windows\system32\senekahyjhrsga.dat
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 18:43 . 2007-12-18 06:41 273,280 -r------- c:\windows\system32\drivers\BLKWGU.sys
2009-01-31 18:41 . 2009-01-31 18:44 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-31 17:33 . 2009-01-31 17:37 142,848 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-01-31 13:53 . 2009-01-31 13:53 <DIR> d-------- c:\program files\RadarSync
2009-01-31 13:41 . 2009-01-31 13:41 <DIR> d-------- c:\program files\Trend Micro
2009-01-31 01:42 . 2009-01-31 01:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 01:42 . 2009-01-31 01:42 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\Malwarebytes
2009-01-31 01:42 . 2009-01-31 01:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-31 01:42 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 01:42 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-31 00:08 . 2009-01-31 00:08 104 --a------ c:\windows\wininit.ini
2009-01-30 23:47 . 2009-01-30 23:47 61,440 --a------ c:\windows\system32\chert13-303374.exe
2009-01-30 23:36 . 2009-01-30 23:36 <DIR> d-------- c:\program files\XPC Tools
2009-01-30 23:15 . 2009-01-30 23:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers Headquarters
2009-01-30 22:42 . 2009-01-30 22:42 <DIR> d-------- c:\program files\SiSoftware
2009-01-27 14:18 . 2009-01-27 14:18 8,412 --a------ C:\Metroid - Zero Mission - GBA.clt
2009-01-25 20:01 . 2009-01-25 20:01 <DIR> d-------- c:\program files\RivaTuner v2.22
2009-01-25 19:29 . 2009-01-25 19:29 324 --a------ c:\windows\game.ini
2009-01-24 13:40 . 2009-01-24 13:40 <DIR> d-------- c:\program files\Opera
2009-01-23 21:25 . 2009-01-23 21:25 <DIR> d-------- c:\program files\Teamspeak2_RC2
2009-01-23 13:21 . 2009-01-23 13:21 376 --a------ c:\windows\ODBC.INI
2009-01-23 13:20 . 2009-01-23 13:20 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-01-23 13:20 . 2009-01-23 13:20 <DIR> d-------- c:\program files\Common Files\L&H
2009-01-23 13:19 . 2009-01-23 13:20 <DIR> d-------- c:\windows\SHELLNEW
2009-01-23 13:19 . 2009-01-24 17:10 <DIR> d-------- c:\program files\Microsoft Works
2009-01-23 13:18 . 2009-01-23 13:18 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-23 13:17 . 2009-01-23 13:17 <DIR> d-------- C:\Office 2003
2009-01-22 23:55 . 2009-01-27 21:14 140,216 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-22 23:54 . 2009-01-27 21:11 201,352 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-22 23:53 . 2009-01-22 23:53 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-22 23:44 . 2009-01-22 23:44 682,280 --a------ c:\windows\system32\pbsvc.exe
2009-01-20 16:15 . 2009-01-20 16:16 <DIR> d-------- C:\Unreal
2009-01-20 16:15 . 1998-01-23 12:22 321,536 --a------ c:\windows\IsUninst.exe
2009-01-17 11:15 . 2008-12-29 02:30 4,224 --a------ c:\windows\system32\drivers\NVStrap.sys
2009-01-15 08:19 . 2009-01-15 08:19 1,253,376 --a------ c:\windows\system32\NvPVEnc.ax
2009-01-14 23:27 . 2009-01-14 23:27 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-14 23:08 . 2009-01-14 23:08 <DIR> d-------- c:\program files\Western Digital Technologies
2009-01-14 15:45 . 2009-01-23 12:42 <DIR> d-------- c:\program files\Flagship Studios
2009-01-14 15:32 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-01-14 15:32 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-13 20:38 . 2009-01-13 20:38 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-13 20:38 . 2009-01-13 20:38 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-13 20:38 . 2009-01-13 20:38 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-13 20:38 . 2009-01-13 20:38 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-13 17:23 . 2009-01-13 17:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-01-13 17:23 . 2006-11-22 11:35 42,496 --a------ c:\windows\system32\AdvUninstCPL.cpl
2009-01-13 17:22 . 2009-01-31 13:49 <DIR> d-------- c:\program files\Innovative Solutions
2009-01-12 21:52 . 2009-01-12 21:52 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\DAEMON Tools Pro
2009-01-12 21:52 . 2009-01-12 21:52 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\DAEMON Tools
2009-01-12 21:51 . 2009-01-12 21:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-12 21:48 . 2009-01-12 21:53 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\DAEMON Tools Lite
2009-01-12 11:00 . 2009-01-12 11:03 741,376 --a------ c:\windows\iun6002ev.exe
2009-01-12 10:58 . 2009-01-12 10:59 <DIR> d-------- C:\silenthill
2009-01-09 18:14 . 2009-01-09 18:14 331 --a------ c:\windows\doom3.ini
2009-01-09 18:06 . 2009-01-30 15:21 <DIR> d-------- c:\program files\Doom 3
2009-01-08 15:09 . 2009-01-08 15:09 <DIR> d-------- c:\program files\Intelore
2009-01-05 22:55 . 2009-01-05 22:55 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\DivX
2009-01-04 22:03 . 2009-01-08 11:56 <DIR> d-------- C:\theme
2009-01-04 18:29 . 2009-01-04 18:29 <DIR> d-------- c:\program files\Content
2009-01-04 18:29 . 2009-01-04 18:29 <DIR> d-------- c:\program files\Builds
2009-01-04 11:27 . 2009-01-04 11:27 <DIR> d-------- c:\program files\2K Games
2009-01-03 23:50 . 2009-01-11 21:48 <DIR> d-------- c:\program files\7-Zip
2009-01-03 23:34 . 2009-01-03 23:34 <DIR> dr-h----- c:\documents and settings\Rottin Corpse\Application Data\SecuROM
2009-01-03 23:34 . 2009-01-07 20:34 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\Bioshock
2009-01-03 17:12 . 2009-01-03 18:12 <DIR> d-------- C:\Redneck2
2009-01-02 22:35 . 2009-01-26 14:40 <DIR> d-------- C:\Redneck
2009-01-02 20:27 . 2009-01-05 15:09 <DIR> d-------- C:\blood
2009-01-02 20:26 . 2009-01-26 14:53 <DIR> d-------- c:\program files\DOSBox-0.72
2009-01-02 14:25 . 2009-01-02 14:25 <DIR> d-------- c:\program files\DivX
2009-01-01 16:03 . 2009-01-01 16:05 <DIR> d-------- c:\program files\BitLord
2009-01-01 12:44 . 2009-01-01 12:44 <DIR> d-------- c:\documents and settings\Rottin Corpse\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 00:44 21,035 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-01-31 23:29 --------- d-----w c:\program files\Steam
2009-01-31 19:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-31 05:15 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-26 21:01 --------- d-----w c:\program files\QuickTime
2009-01-26 21:00 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-23 18:58 --------- d-----w c:\program files\OpenOffice.org 2.2
2009-01-23 18:37 --------- d-----w c:\program files\Diablo II
2009-01-23 18:36 --------- d-----w c:\documents and settings\Rottin Corpse\Application Data\OpenOffice.org2
2009-01-23 16:24 --------- d-----w c:\program files\VDMSound
2009-01-23 05:50 --------- d-----w c:\program files\ASUS
2009-01-15 14:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-01-15 04:56 --------- d-----w c:\program files\Logitech
2009-01-15 04:56 --------- d-----w c:\program files\Common Files\LogiShrd
2009-01-14 23:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-14 21:35 --------- d-----w c:\documents and settings\Rottin Corpse\Application Data\Lavasoft
2009-01-14 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-13 03:48 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-01 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-01-01 18:44 --------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd
2009-01-01 05:56 --------- d-----w c:\program files\Doomsday
2009-01-01 04:18 --------- d-----w c:\documents and settings\Rottin Corpse\Application Data\.wyzo
2008-12-31 19:38 --------- d-----w c:\documents and settings\Rottin Corpse\Application Data\Logitech
2008-12-31 19:37 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-31 19:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2008-12-31 19:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-31 19:37 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-12-29 17:04 --------- d-----w c:\program files\MSXML 4.0
2008-12-29 12:45 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-29 12:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-29 07:47 --------- d-----w c:\program files\LimeWire
2008-12-29 02:19 --------- d-----w c:\program files\Belkin
2008-12-27 03:38 --------- d-----w c:\program files\Common Files\Logitech
2008-12-27 03:36 --------- d--h--r c:\documents and settings\Rottin Corpse\Application Data\yahoo!
2008-12-27 03:36 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2008-12-26 23:54 --------- d-----w c:\documents and settings\Rottin Corpse\Application Data\dvdcss
2008-12-25 22:36 --------- d-----w c:\program files\Ubisoft
2008-12-25 04:41 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-24 04:25 --------- d-----w c:\program files\Realtek
2008-12-24 04:24 335,872 ----a-w c:\windows\HideWin.exe
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-11-27 17:51 1,959 ----a-w c:\program files\BioShock Patch ReadMe_November 2007_ENGLISH.txt
2006-08-02 10:46 1 ----a-w c:\documents and settings\Rottin Corpse\SI.bin
.

------- Sigcheck -------

2008-04-13 18:12 1051136 da41e11e677bacab6e53bb84fec4c75e c:\windows\explorer.exe
2004-08-04 06:00 1049600 a54982033a7fa964bd96e3e4419de04a c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 18:12 1051136 165773dab14edd3e4652c4174bf42adc c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 06:00 32768 4a09b00ab717426fc3d3e3a4dd3a3424 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32768 16bcf372b7e9cb12a95ff7f35e0ba40c c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32768 e32ef4af2d29bff5e830c55eb297c5be c:\windows\system32\ctfmon.exe

2005-06-10 18:17 75264 6c218be7031a40e56af73f5131bdf2f7 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 daa679f5e0c6b84e5e52f7939195e40d c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 06:00 75264 861d20c662ab9e47140757b90e9b3fc3 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 18:12 75264 7ff9a662abe592dcea15d846a5dcdf0d c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 75264 2d4b48d3ee13892c00fc33dea97b9342 c:\windows\system32\spoolsv.exe

2004-08-04 06:00 41984 e8ed215d90040ff2db62fa1b83c18ec1 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43520 33b0f9bae3a9e347bf855685e7b81194 c:\windows\ServicePackFiles\i386\userinit.exe
2009-01-31 17:33 142848 0f1bb1f8dc7c201fa2397456ffb7782a c:\windows\system32\userinit.exe
2009-01-31 17:37 142848 ec843a7281ba0e2208b196bd955e73c0 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1712640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 c:\windows\RTHDCPL.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5011\Belkinwcui.exe [2008-12-28 1609728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-31 809488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 17:41 72208 c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wifgou.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Steam\\steamapps\\abbathdoomocluta\\dark messiah might and magic multi-player\\mm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Steam\\steamapps\\abbathdoomocluta\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF21.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\steamapps\\abbathdoomocluta\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\abbathdoomocluta\\source sdk base\\hl2.exe"=

R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-12-28 38144]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-12-31 10384]
S1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys --> c:\windows\system32\DRIVERS\amdtools.sys [?]
S1 glaide32;glaide32;\??\c:\windows\system32\drivers\glaide32.sys --> c:\windows\system32\drivers\glaide32.sys [?]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-01-31 273280]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe [2009-01-30 98488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06918826-3dd3-11db-8b67-0011e6bd7b6e}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9687b642-3931-11db-bcb9-8eaf61353e38}]
\Shell\AutoRun\command - E:\setup.exe /autorun
\Shell\directx\command - e:\directx\dxsetup.exe
\Shell\setup\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d55f6adb-3735-11db-a2fb-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\ycyrpzpl.job
- c:\windows\system32\ljJARife.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{ED3446EF-5AE5-42F5-84D9-4C0BA655B63C} - (no file)
HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 19:06:58
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1637723038-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1644491937-1637723038-839522115-1004\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1644491937-1637723038-839522115-1004)
@Allowed: (Read) (S-1-5-21-1644491937-1637723038-839522115-1004)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1644491937-1637723038-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,09,7b,0f,e1,3a,4a,3a,e1,99,23,49,59,44,39,56,7c,63,b7,cf,04,f1,36,
d8,80,a5,ed,fa,0a,2b,5f,b2,53,f0,1f,7e,9d,f3,5e,fb,ae,96,cc,a7,fe,8c,c1,ee,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-01-31 19:09:53 - machine was rebooted [Rottin Corpse]
ComboFix-quarantined-files.txt 2009-02-01 01:09:50

Pre-Run: 33,365,229,568 bytes free
Post-Run: 33,302,953,984 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
283 --- E O F --- 2009-01-26 05:18:23

0

Combofix was run twice after I requested it be run only once. Can you post the log from the first run you did?
It will be found in C:\qoobox.

Also need the new hijackthis log, as requested.

0

Combofix locked up the first time I tried it.
Here is a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:08 PM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitLord\BitLord.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgfrw.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = C:\Program Files\Belkin\F5D7050v5011\Belkinwcui.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231878895890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wifgou.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP2\RpcAgentSrv.exe

--
End of file - 6648 bytes

0

Combofix locked up the first time I tried it.

That is the sort of info you need to pass on. Any reason it locked up that you know of?

==

Looks like you have run MBA-M again since running combofix. If you want to do things your way, I am happy to leave you to it?

0

Well, there are two techs working on this computer. My co-worker started and left about 2 min ago. I'm taking over. He said something about the prep.exe not working in Windows, so he ran it in Safe Mode.

0

No worries. I'll leave it to you's then :).

Instructions for removing Combofix: click START, then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the /; it needs to be there.


Attachments CF_cleanup.png 6.73 KB
0

I keep getting this "spoolsv.exe cannot be written" error when Windows is loading. Any idea what could cause that?

Also, the customer brought me their laptop recovery disks. Is it at all possible to wipe their PC hard drive and use their laptop disks to install Windows? Never tried that before.
