
I can't get my icons and explorer.exe to run. I've read a bunch of different forums, but I may be doing things in the wrong order. So far I've

  • ran Ad-Aware, Spybot, McAfee and AVG anti-virus and anti-spyware; they are finding trojans, but they keep coming back
  • tried a second profile
  • tried turning off Active Desktop
  • tried deleting suspicious .exe entries out of the registry's Run key

Here are the logs for AVG and HijackThis, run in safe mode... it won't run in normal mode.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:20:18 PM 5/25/2007
+ Scan result:

C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032129.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032130.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032132.dll -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINNT\cfg32a.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0032042.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032078.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032079.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP271\A0034381.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP271\A0034382.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0031991.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0031999.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP267\A0032131.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\T2\dlb66.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\T2\dlb66.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\T2\dlb66.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0032044.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0032053.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP271\A0034397.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP271\A0034398.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\twinsndv.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\tmp2A.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Application Data\tmp2B.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\A18ZMDE5\rellatsnitneilc22_05[1] -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0031919.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\tni23.tmp -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cupolaventures.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@techrepublic.com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@server.lon.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[3].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[4].txt -> TrackingCookie.Webtrends : Cleaned.
C:\WINNT\sammy3.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0032052.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0031992.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP266\A0032055.exe -> Trojan.Tibs.aa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A7AC40F-8F52-416B-97DA-5B4322463791}\RP271\A0034379.exe -> Trojan.Tibs.aa : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\dlh9jkd1q7.exe -> Trojan.Tibs.aa : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 3:18:55 PM, on 5/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\HJT\analyzehis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\System32\fcccbba.dll (file missing)
O2 - BHO: (no name) - {3FA12F5F-0431-495C-A26A-54335796C5B2} - C:\WINNT\System32\qopmj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {691caa4d-7edb-4243-9a40-c683c6131456} - C:\WINNT\system32\mprsvc.dll
O2 - BHO: (no name) - {6FE1E89A-0D0C-4701-B2F3-5B682B263E70} - C:\WINNT\System32\jdaqowwc.dll (file missing)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINNT\System32\tmp29.tmp.dll
O2 - BHO: 0 - {C29735EF-12F3-4F5D-C586-966CBCFD6984} - C:\Program Files\ComPlus Applications\quda.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll (file missing)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\wreqpihw.dll",realset
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Administrator"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\Macromed\Flash\GetFlash.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O20 - Winlogon Notify: fcccbba - fcccbba.dll (file missing)
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll
O20 - Winlogon Notify: qopmj - C:\WINNT\System32\qopmj.dll
O20 - Winlogon Notify: winzxe32 - winzxe32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)


Please help.

2 contributors, 9 replies, 10 views; discussion span 10 years; last post by gerbil

For a start, you have a Vundo infection...
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
*****When the scan completes, right-click inside the white text box, left-click the Add more files? line, paste into the new window these two pathnames [one per line]:

C:\WINNT\System32\wreqpihw.dll
C:\WINNT\System32\whipqerw.*

Click the Add Files button, and next the Remove Vundo button.*****
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\System32\fcccbba.dll (file missing)
O2 - BHO: (no name) - {6FE1E89A-0D0C-4701-B2F3-5B682B263E70} - C:\WINNT\System32\jdaqowwc.dll (file missing)
O2 - BHO: 0 - {C29735EF-12F3-4F5D-C586-966CBCFD6984} - C:\Program Files\ComPlus Applications\quda.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINNT\System32\dnsersnd.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\wreqpihw.dll",realset
O20 - Winlogon Notify: fcccbba - fcccbba.dll (file missing)
O20 - Winlogon Notify: winzxe32 - winzxe32.dll (file missing)

O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)

Good. Now go Start > run and enter:

sc delete Net Agent [you can paste the line into the run box.]

Post the contents of C:\vundofix.txt plus a new HijackThis log. It is very useful if you turn OFF wordwrap when posting logs...
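The triage gerbil does by eye above (orphaned "(file missing)" and "(no file)" entries, unnamed BHOs, Winlogon Notify packages, a service with no vendor, and a Run key that loads a DLL through rundll32) can be scripted. The block below is an added example written for this page, not code from the thread or from the HijackThis or VundoFix authors. Its sample lines are copied from the first HijackThis log in the thread, and the KNOWN_GOOD allowlist is an assumption that covers only this machine (Spybot's SDHelper.dll is the one legitimate unnamed BHO here). It also derives the second pathname gerbil asks for: Vundo keeps its settings under the DLL's name spelled backwards, which is visible in the thread's own lists (wreqpihw.dll beside whipqerw.*, and in the VundoFix backup list posted further down, qopmj.dll beside jmpoq.ini), so the companion wildcard can be computed from the DLL name.

```python
"""Triage a HijackThis (v1.99.1) log and derive Vundo's reversed-name companions.

Added example for this thread, not code from the original posts or from the
HijackThis/VundoFix authors.
"""
import re

# Constructed sample: entries copied from the thread's first HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINNT\System32\fcccbba.dll (file missing)
O2 - BHO: (no name) - {3FA12F5F-0431-495C-A26A-54335796C5B2} - C:\WINNT\System32\qopmj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINNT\System32\wreqpihw.dll",realset
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll
O20 - Winlogon Notify: winzxe32 - winzxe32.dll (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Last file-like token on the line (so rundll32.exe on an O4 host line is skipped).
FILE_RE = re.compile(r"([\w~$.-]+\.(?:dll|exe|ocx|sys))\b", re.I)

# Assumption: a per-machine allowlist for the sensitive slots checked below.
KNOWN_GOOD = {"sdhelper.dll"}


def parse_entries(log):
    """Yield (section, text, file_name) for each O-line in a HijackThis log."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, text = m.groups()
        files = FILE_RE.findall(text)
        yield section, text, (files[-1].lower() if files else None)


def triage(log):
    """Return [(file_name, reasons, line)] for entries worth fixing."""
    flagged = []
    for section, text, fname in parse_entries(log):
        reasons = []
        if "(file missing)" in text or "(no file)" in text:
            reasons.append("orphaned load point")
        if fname in KNOWN_GOOD:
            pass
        elif section == "O2" and "(no name)" in text:
            reasons.append("unnamed BHO")
        elif section == "O20":
            reasons.append("Winlogon Notify package outside allowlist")
        elif section == "O23" and "Unknown owner" in text:
            reasons.append("service with no vendor")
        elif section == "O4" and "rundll32" in text.lower():
            reasons.append("Run key loads a DLL via rundll32")
        if reasons:
            flagged.append((fname, "; ".join(reasons), text))
    return flagged


def vundo_companion(dll_name):
    """Vundo stores its data beside the DLL under the reversed stem
    (qopmj.dll <-> jmpoq.ini/.bak1/.bak2/.tmp, wreqpihw.dll <-> whipqerw.ini).
    Return the wildcard to hand VundoFix for those companion files."""
    stem = dll_name.rsplit(".", 1)[0]
    return stem[::-1] + ".*"


if __name__ == "__main__":
    for fname, why, line in triage(SAMPLE_LOG):
        print(f"{why:55} {line}")
        if fname and fname.endswith(".dll") and "winnt" in line.lower():
            print(f"    also add to VundoFix: {vundo_companion(fname)}")
```

Run it against a saved log (paste the log into SAMPLE_LOG or read it from a file); it prints the lines to check in HijackThis and, for each System32 DLL it flags, the companion wildcard to add in VundoFix. The allowlist is the weak point of any such script: extend it only with files you have verified, and treat every Winlogon Notify package it cannot vouch for as suspect until you have.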


Thank you so much for your help, Gerbil. I did everything you said. When I ran VundoFix, I couldn't get the display to work; it seemed like it scanned OK, but no text would show up in the pop-up boxes or in the white box (but it looked like it picked some stuff up). So I did the "add more files" thing and it seemed like it removed the Vundo (although it didn't display anything). Also, it didn't need to run on reboot.

I did the HJT, but two of the entries you wanted me to check weren't there: O2 - fcccbba.dll wasn't there and O4 - wreqpihw.dll, realset was missing. (Also, I have to keep running HJT in safe mode; it won't let me run it in normal mode, and every time I boot into safe mode the HJT exe is gone and I have to keep copying it off a CD I burnt from another computer.) But I had it fix the rest.

Then I did the sc delete Net Agent, and I got a flash of something, but couldn't tell what it was.

So here is the new log for HJT, and since I had to do Vundo blind, I'll copy what was put in the C:\vundofixbackup file (and I'm sorry, I couldn't find where to set word wrap to off; if you tell me how, I can repost it):

jmpoq.bak1.bad
jmpoq.bak2.bad
jmpoq.ini.bad
jmpoq.tmp.bad
qopmj.dll.bad
whipqerw.ini.bad
wreqpihw.dll.bad

Logfile of HijackThis v1.99.1
Scan saved at 12:24:04 PM, on 5/27/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\HJT\analyzehis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {42BF9090-1DC2-458E-9861-981136481B73} - C:\WINNT\System32\qopmj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {691caa4d-7edb-4243-9a40-c683c6131456} - C:\WINNT\system32\mprsvc.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINNT\System32\tmp29.tmp.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Administrator"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\System32\Macromed\Flash\GetFlash.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180226447663
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


Aw, heck, I forgot to put an entry in for fixing... never mind, we'll get it this time.
Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-leave it for the moment.
Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop and leave it for the moment.
Run vundofix again and add these pathnames into the text box:

C:\WINNT\system32\mprsvc.dll
C:\WINNT\system32\cvsrpm.*

Now start hijackthis again and do a Scan Only and check these for fixing if they exist:

O2 - BHO: (no name) - {42BF9090-1DC2-458E-9861-981136481B73} - C:\WINNT\System32\qopmj.dll (file missing)
O2 - BHO: (no name) - {691caa4d-7edb-4243-9a40-c683c6131456} - C:\WINNT\system32\mprsvc.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINNT\System32\tmp29.tmp.dll
O4 - Startup: TA_Start.lnk = C:\WINNT\SYSTEM32\dwdsregt.exe
O20 - Winlogon Notify: mprsvc - C:\WINNT\SYSTEM32\mprsvc.dll

Now for ComboFix: to run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Good. Start Avenger; select "Input script manually" and then click the magnifying glass icon. Paste into the box as one block all the text between the lines:

_____________________________________
Files to delete:
C:\WINNT\SYSTEM32\dwdsregt.exe
_____________________________________

...and click Done, and finally the green light.
Follow the prompts to reboot your machine.
The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt

Please post that log file, plus the VundoFix log, the ComboFix log and a new HJT log. Because you have renamed it to analyzehis.exe I have no idea how it is getting deleted...??? But persist... and word wrap? You find it under the Format menu in Notepad; off is good for posting logs.


THANK YOU SO MUCH! I finally got my desktop back! I did everything you said and it worked. I cannot thank you enough!
Here are the log files.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yisxcuwb
*******************
Script file located at: \??\C:\kmdlmnur.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\WINNT\SYSTEM32\dwdsregt.exe not found!
Deletion of file C:\WINNT\SYSTEM32\dwdsregt.exe failed!
Could not process line:
C:\WINNT\SYSTEM32\dwdsregt.exe
Status: 0xc0000034

Completed script processing.
*******************

Start Time= Mon 05/28/2007 9:28:17.49
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-25 12:20:52 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2007-05-24 12:59:12 ( .D... ) "C:\Program Files\Common Files\Cisco Systems"
2007-05-24 12:54:24 ( .D... ) "C:\Program Files\Network Associates"
2007-05-24 12:54:24 ( .D... ) "C:\Program Files\Common Files\Network Associates"
2007-05-23 17:00:44 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\AVG7"
2007-05-23 16:57:24 ( .D... ) "C:\Program Files\Grisoft"
2007-05-23 16:41:52 50421 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\tmp29.tmp.exe"
2007-05-23 14:15:48 1174356 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\Install.dat"
2007-05-23 14:15:18 9066 ( ..... ) "C:\WINNT\SYSTEM32\dlh9jkd1q6.exe"
2007-05-23 14:15:14 22890 ( ..... ) "C:\WINNT\SYSTEM32\dlh9jkd1q2.exe"
2007-05-23 14:07:52 8464 ( A.... ) "C:\WINNT\SYSTEM32\sporder.dll"
2007-05-23 14:04:56 16 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\.rdr.ini"
2007-05-23 14:03:42 34816 ( A.... ) "C:\WINNT\rau001978.exe"
2007-05-23 14:01:16 14390 ( A.... ) "C:\syskvcl.exe"
2007-05-23 13:36:42 931 ( A.... ) "C:\WINNT\SYSTEM32\winpfz32.sys"
2007-05-23 13:36:42 931 ( A.... ) "C:\WINNT\SYSTEM32\winpfz32.sys"
2007-05-23 09:10:38 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Lavasoft"
2007-05-23 09:08:34 ( .D... ) "C:\Program Files\Lavasoft"
2007-05-23 09:06:22 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2007-05-22 20:32:14 2560 ( A.... ) "C:\WINNT\_MSRSTRT.EXE"
2007-05-22 18:39:26 ( .D... ) "C:\Program Files\?dobe"
2007-05-07 20:54:50 202240 ( A.... ) "C:\WINNT\SYSTEM32\shieldScreensaver_pc.scr"
2007-04-23 20:09:30 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Google"
2007-04-23 20:09:08 ( .D... ) "C:\Program Files\Google"
2001-04-10 07:58:58 21952 ( A..H. ) "C:\Program Files\FOLDER.HTT"
2001-04-10 07:58:58 271 ( ..SH. ) "C:\Program Files\DESKTOP.INI"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AtiPTA"="atiptaxx.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\tbmon.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservicesonce]
"washindex"="C:\\Program Files\\Cookie Washer\\washidx.exe \"Administrator\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""
"DisableRegistryTools"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Care2GTU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Care2GTU\""
"hkey"="HKLM"
"command"="wjview /cp:p \"C:\\Program Files\\Care2GTU\\System\\Code\" Main lp: \"C:\\Program Files\\Care2GTU\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DadApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dadapp"
"hkey"="HKLM"
"command"="C:\\Program Files\\DELL\\AccessDirect\\dadapp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1101904416\\EE\\AOLHostManager.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Promon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Promon"
"hkey"="HKLM"
"command"="Promon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mobsync"
"hkey"="HKLM"
"command"="mobsync.exe /logon"
"inimapping"="0"

Contents of the 'Scheduled Tasks' folder
Completion time: Mon 05/28/2007 9:31:00.95
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

Vundo:
jmpoq.ini.bad
qopmj.dll.bad
jmpoq.bak1.bad
jmpoq.tmp.bad
whipqerw.ini.bad
jmpoq.bak2.bad
mprsvc.dll.bad
wreqpihw.dll.bad

Again thank you!


shrooms, ComboFix has listed a lot of bad files as having been installed, but I must assume they are no longer there, because it would most certainly have deleted those particular ones... I mean, it should have... Let's check.
Get CCleaner from http://www.ccleaner.com/ and put it in a new folder. You should aim to keep this one for general use. I set it, from the installation checkboxes, to open only from the Recycle Bin. It's neater that way.
Now run CCleaner from the Recycle Bin right-click menu using its default settings (if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...). Select the Cleaner icon and the Windows tab; press Run Cleaner. Next select the Applications tab and Run Cleaner again.
___________________________________________________
Files to delete:
C:\WINNT\SYSTEM32\dlh9jkd1q6.exe
C:\WINNT\SYSTEM32\dlh9jkd1q2.exe
C:\WINNT\rau001978.exe
C:\Documents and Settings\Administrator\Application Data\.rdr.ini
C:\syskvcl.exe
C:\WINNT\SYSTEM32\winpfz32.sys
C:\WINNT\_MSRSTRT.EXE
C:\Program Files\?dobe
C:\WINNT\SYSTEM32\shieldScreensaver_pc.scr
C:\Program Files\FOLDER.HTT
C:\Program Files\DESKTOP.INI
___________________________________________________
Paste all the text between the lines into Avenger. Show me the log.
Update AVG AS and run it, post the log.
Run hijackthis in normal mode, post the log.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wyxtpcot
*******************
Script file located at: \??\C:\WINNT\System32\brtypmee.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINNT\SYSTEM32\dlh9jkd1q6.exe deleted successfully.
File C:\WINNT\SYSTEM32\dlh9jkd1q2.exe deleted successfully.
File C:\WINNT\rau001978.exe deleted successfully.
File C:\Documents and Settings\Administrator\Application Data\.rdr.ini deleted successfully.
File C:\syskvcl.exe deleted successfully.
File C:\WINNT\SYSTEM32\winpfz32.sys deleted successfully.
File C:\WINNT\_MSRSTRT.EXE deleted successfully.

Could not open file C:\Program Files\?dobe for deletion
Deletion of file C:\Program Files\?dobe failed!
Could not process line:
C:\Program Files\?dobe
Status: 0xc0000033
File C:\WINNT\SYSTEM32\shieldScreensaver_pc.scr deleted successfully.
File C:\Program Files\FOLDER.HTT deleted successfully.
File C:\Program Files\DESKTOP.INI deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:52:43 PM 5/30/2007
+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.

::Report end


Logfile of HijackThis v1.99.1
Scan saved at 8:19:18 PM, on 5/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\System32\wuauclt.exe
D:\analyzehis\analyzehis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Administrator"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180226447663
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


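Editor's note, an added example rather than anything posted in the thread: the kind of first pass a responder does by eye over a HijackThis log can be written down. The script below parses the O2 (BHO), O4 (Run key) and O23 (service) lines, pulls out the file each one loads, and attaches a reason whenever an entry deserves a lookup: a Run entry that gives only a bare file name (so it is found through the search path rather than at a fixed location), a file name with no vowels, or a BHO that does not live under Program Files. The rules are the editor's heuristics and mean "research this", not "this is malware"; the sample lines are copied from the HijackThis log above.

```python
"""Triage pass over the O2 (BHO), O4 (Run key) and O23 (service) lines of a
HijackThis 1.99 log.  Added example for this thread, not a tool anyone here
used; the heuristics are the editor's own and mean "look this up", not
"malware".  SAMPLE_LOG holds lines copied from the log posted above."""
import re

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^(O2|O4|O23) - (.*)$")
# Absolute Windows path ending in a loadable extension; stops at a closing quote.
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|sys)\b', re.I)
# Bare file name with no directory, as in "[AtiPTA] atiptaxx.exe".
BARE_FILE_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|ocx|scr|sys)\b", re.I)
# Command part of an O4 line: everything after the "[item name]" bracket.
O4_CMD_RE = re.compile(r"\[[^\]]*\]\s*(.*)$")
VOWELS = set("aeiouy")


def parse_entry(line):
    """Return {"kind", "path", "absolute"} for an O2/O4/O23 line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    target = rest
    if kind == "O4":
        cmd = O4_CMD_RE.search(rest)
        target = cmd.group(1) if cmd else rest
    abs_m = ABS_PATH_RE.search(target)
    if abs_m:
        return {"kind": kind, "path": abs_m.group(0), "absolute": True}
    bare = BARE_FILE_RE.search(target)
    path = bare.group(0) if bare else target.rsplit(" - ", 1)[-1]
    return {"kind": kind, "path": path, "absolute": False}


def flags_for(entry):
    """Heuristic reasons an entry deserves a closer look (may be empty)."""
    path = entry["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    reasons = []
    if not entry["absolute"]:
        # A Run entry with no directory is resolved through the search path,
        # so a same-named file dropped earlier on that path would win.
        reasons.append("bare filename, resolved via search path")
    if len(stem) >= 4 and not VOWELS & set(stem):
        reasons.append("no vowels in file name (random-looking)")
    if entry["kind"] == "O2" and "\\progra" not in path.lower():
        # BHOs from installed software normally live under Program Files.
        reasons.append("BHO loaded from outside Program Files")
    return reasons


def triage(log_text):
    """All parsed autostart entries, each with its list of flags."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            entry["flags"] = flags_for(entry)
            entries.append(entry)
    return entries


def flagged(log_text):
    """Map path -> reasons for only the entries that raised a flag."""
    return {e["path"]: e["flags"] for e in triage(log_text) if e["flags"]}


if __name__ == "__main__":
    for path, reasons in flagged(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

On the sample above this flags two of the eight entries: `atiptaxx.exe` (bare name in a Run key) and `C:\WINNT\System32\nzdd.dll` (vowel-less BHO outside Program Files). Both are prompts to look the file up, nothing more; a real run would feed the whole log in and a responder would still check each flagged path against a known-file list.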
What is in this: C:\Program Files\?dobe
And please run ComboFix again. Are there any more symptoms or problems outstanding? Are your icons still missing, and will Explorer still not run?


I'm sorry, Gerbil; read post 5: everything is working great, desktop icons are all there, nothing was lost. You have been so helpful. Thank you so much!


Okeydoke... that's gotta be good. Just check that C:\program files\?dobe folder though; it is trying to look like Adobe....
Cheers.

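Editor's note on the one line Avenger could not process, with an added example that is not from the thread. The status it reported, 0xc0000033, is the NTSTATUS code STATUS_OBJECT_NAME_INVALID: in a Win32 path `?` is a wildcard, not a legal file-name character, so the literal `?dobe` copied out of the log can never name a real folder. The `?` is what a tool writing its log in the ANSI code page prints for a character it cannot encode, which is exactly how a folder made to look like `Adobe` slips past a casual read. The script below shows that rendering, finds the real entries whose rendered name matches `?dobe`, lists their non-ASCII characters, and says which one is a homoglyph of the genuine name. The directory listing is constructed, and the Cyrillic capital A used for the look-alike is an assumed stand-in; the character actually on the asker's disk is not known from the thread.

```python
"""Why Avenger could not open "C:\\Program Files\\?dobe", and how to find
the real folder.  Added example, not something from the thread.  In a Win32
path "?" is a wildcard, not a legal file-name character, so the literal
"?dobe" copied from the log can never name a real folder; the "?" is the
log tool's replacement for a character outside its code page.  The listing
below is constructed; the Cyrillic "A" is an assumed stand-in for whatever
character was really on the asker's disk."""
import fnmatch
import unicodedata

# Constructed Program Files listing: genuine Adobe plus a look-alike whose
# first letter is CYRILLIC CAPITAL LETTER A (U+0410), not Latin "A".
SAMPLE_LISTING = ["Adobe", "\u0410dobe", "Common Files", "Messenger", "Synaptics"]


def console_render(name, codepage="cp1252"):
    """How a tool writing its log in the given ANSI code page shows the name:
    characters the code page cannot encode come out as '?'."""
    return name.encode(codepage, errors="replace").decode(codepage)


def odd_characters(name):
    """Characters outside printable ASCII, with code point and Unicode name."""
    return [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"))
            for ch in name if not 0x20 <= ord(ch) < 0x7F]


def is_lookalike(name, genuine):
    """True if name differs from genuine only at positions holding non-ASCII
    characters, i.e. it is a homoglyph of genuine (case-insensitive, as
    Windows file names are)."""
    low_name, low_genuine = name.lower(), genuine.lower()
    if len(low_name) != len(low_genuine) or low_name == low_genuine:
        return False
    diffs = [i for i, (a, b) in enumerate(zip(low_name, low_genuine)) if a != b]
    return bool(diffs) and all(not 0x20 <= ord(name[i]) < 0x7F for i in diffs)


def resolve_displayed_name(displayed, listing, genuine=None, codepage="cp1252"):
    """Every real entry whose rendered form matches the displayed name
    ('?' standing for one character), with its odd characters and whether
    it is a look-alike of the genuine vendor folder name."""
    matches = []
    for name in listing:
        if fnmatch.fnmatchcase(console_render(name, codepage), displayed):
            matches.append({
                "name": name,
                "odd": odd_characters(name),
                "lookalike": bool(genuine) and is_lookalike(name, genuine),
            })
    return matches


if __name__ == "__main__":
    for m in resolve_displayed_name("?dobe", SAMPLE_LISTING, genuine="Adobe"):
        print(repr(m["name"]), m["odd"], "look-alike" if m["lookalike"] else "genuine")
```

On the affected machine itself the same job is done from a command prompt with `dir /x "C:\Program Files"`, which prints each folder's 8.3 short name next to the long one; the short name contains only ASCII and can be handed to a deletion tool when the long name cannot be typed.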