
active desktop window spyware [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Lindenmeyr, 2006/12/07.

  1. 2006/12/07
    Lindenmeyr (Thread Starter)
    I have a scroll bar on my desktop that clicks through to a sextriere.com site. The bar is tucked way off to the right of the screen. I shut it down by ending the task, but it comes back. How do I get rid of this?

    Thanks for any help.
     
  2. 2006/12/07
    PeteC (SuperGeek, Staff)
    Lindenmeyr - Welcome to the Board :)

    Please download HijackThis through Quicklinks in my signature and save it to a folder on your hard drive, say C:\HJT - not to the Desktop or a temporary location. When entries are fixed with HJT a backup is made to the folder from which HJT is run and this must be in a permanent location.

    Open the folder in which you placed HJT and double click on hijackthis.exe and select Scan and save a log file - this will be saved in the folder from which you ran HJT.

    Post the log (copy & paste) here. In the meantime I have moved your thread to the Removing Spyware & Viruses forum.
     


  4. 2006/12/07
    Steve R Jones (SuperGeek, Staff)
    And/or right-click on the Desktop and go to Properties -> Desktop tab -> Customize button -> Web tab and disable the Active Desktop entry.
     
  5. 2006/12/10
    Lindenmeyr (Thread Starter)
    active desktop window icon

    Here is my hijack this log.

    Thanks for your help.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:54:22 PM, on 12/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\PROMon.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\pango.exe
    C:\WINNT\system32\pango.exe
    C:\Program Files\Common Files\AOL\1158707385\ee\aolsoftware.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINNT\TEMP\PDD58F.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\MP3Torpedo\MP3Torpedo.exe
    C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\HTJ\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SDWin32 Class - {19E33C16-C8ED-4FA0-B7F6-BC9BFDD69CD5} - C:\WINNT\System32\wmyit.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LogicalM] C:\WINNT\system32\pango.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [pango.exe] C:\WINNT\system32\pango.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.gooogle.bz
    O15 - Trusted Zone: www.nanobyte.biz
    O15 - Trusted Zone: download.pangocash.com
    O15 - Trusted Zone: showtime.pangocash.com
    O15 - Trusted Zone: www.playmore.biz
    O15 - Trusted Zone: www.preferiti-windows.com
    O15 - Trusted Zone: www.ricercadoppia.com
    O15 - Trusted Zone: www.scalalap.com
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.7.5.21/omaha/omaha-en_US.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.7.3.23/aces/aces-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.5.21/cascade/cascade-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lottso/lottso-en_US.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.6.5.22/mlslots/mlslots-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.6.4.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.4.28/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.7.5.28/quickshot/quickshot-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.23/squares/squares-en_US.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.6.5.22/ride/ride-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.28/puck/puck-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spider/spider-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.35/peaks/peaks-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.6.4.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.30/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.4.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://nmsinc.no-ip.biz:4343/officescan/console/ClientInstall/WinNTChk.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ttp://www.remington.com/firearms/3d/700_rifle
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://nmsinc.no-ip.biz:4343/officescan/console/ClientInstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://nmsinc.no-ip.biz:4343/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {29ADFD98-4896-4358-9CF6-289D509DF350} - http://download.pangocash.com/pango.exe
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://nmsinc.no-ip.biz:4343/officescan/console/html/AtxEnc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://nmsinc.no-ip.biz:4343/officescan/console/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A97D270F-E14D-4AB3-96C2-72510B30AF23} - http://showtime.pangocash.com/pop/matc/install.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/chuzzle/popcaploader_v6.cab
    O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
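The log above is the kind of thing the helpers in this thread read by eye. As an added example (not HijackThis code, and not something posted in the thread), here is that reading turned into a small triage script: it flags hooks whose file is reported "(file missing)", a Winlogon Notify DLL registered by bare name rather than by path, domains pushed into IE's Trusted sites zone, an O16 Downloaded Program File that is a raw .exe rather than a .cab package, the same binary autostarting from both the HKLM and HKCU Run keys, and a process running out of a TEMP directory. The sample log text is constructed from entry types that appear in this thread, not a copy of the poster's log, and the entry regex and the heuristics are my own assumptions about the v1.99 log format.

```python
import re

# Constructed sample in HijackThis v1.99 log format. The lines are modelled on entry
# types that appear in this thread; this is not a copy of the poster's full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\pango.exe
C:\WINNT\TEMP\PDD58F.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
O2 - BHO: SDWin32 Class - {19E33C16-C8ED-4FA0-B7F6-BC9BFDD69CD5} - C:\WINNT\System32\wmyit.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LogicalM] C:\WINNT\system32\pango.exe
O4 - HKCU\..\Run: [pango.exe] C:\WINNT\system32\pango.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: www.gooogle.bz
O15 - Trusted Zone: download.pangocash.com
O16 - DPF: {29ADFD98-4896-4358-9CF6-289D509DF350} - http://download.pangocash.com/pango.exe
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.4.28/poppit2/poppit2-en_US.cab
O20 - Winlogon Notify: rege2usb - rege2usb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
"""

# Directory fragments that a legitimate long-lived process image should not live in.
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def parse_entries(log_text):
    """Split a HijackThis log into (running processes, [(code, body), ...]) entries.
    Assumption: entries look like 'O4 - body'; the process list follows 'Running processes:'
    and ends at the first blank line."""
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = re.match(r"^([RFO]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(log_text):
    """Return a list of {'code', 'reason', 'entry'} findings for the log text."""
    processes, entries = parse_entries(log_text)
    findings = []

    def flag(code, reason, text):
        findings.append({"code": code, "reason": reason, "entry": text})

    for proc in processes:
        if any(t in proc.lower() for t in TEMP_DIRS):
            flag("PROC", "process image in a temp directory", proc)

    run_targets = {}  # lower-cased exe path -> set of hives that autostart it
    for code, body in entries:
        if "(file missing)" in body.lower() and code in ("O2", "O20", "O23"):
            flag(code, "hook points at a file that is not visible on disk", body)
        if code == "O20":
            # 'Winlogon Notify: name - dll'; a bare DllName is resolved by the loader's search path
            dll = body.split(" - ", 1)[-1].replace(" (file missing)", "")
            if "\\" not in dll:
                flag(code, "Winlogon Notify DllName has no path", body)
        elif code == "O15":
            flag(code, "domain added to IE Trusted sites zone (relaxed ActiveX policy)", body)
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url.lower().endswith(".exe"):
                flag(code, "Downloaded Program File is a bare executable, not a .cab", body)
        elif code == "O4":
            m = re.match(r'(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] "?([^"]+?\.exe)"?', body, re.I)
            if m:
                run_targets.setdefault(m.group(2).lower(), set()).add(m.group(1).upper())
    for exe, hives in run_targets.items():
        if len(hives) > 1:
            flag("O4", "same executable autostarts from both HKLM and HKCU Run", exe)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['code']}] {f['reason']}: {f['entry']}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`. The heuristics are deliberately noisy: an O15 Trusted Zone entry or a "(file missing)" hook is a reason to look, not proof of infection, and a "(file missing)" result from a user-mode tool can also mean the file is hidden rather than absent.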
     
  6. 2006/12/10
    TeMerc (Alumni)
    Hello and welcome to WindowsBBS Forums.

    What you have here is a Haxdoor infection. Please do as instructed below.

    Also, be advised that, as this infection many times carries backdoor trojans with it, if you do any online financial transactions you should alert all institutions you do business with online. This is done to be sure you don't get your identity stolen.

    I'd also find a clean computer and change all financial related passwords.

    This is a two step fix, the first step below:

    Download haxfix.exe and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon "
    • Click "Next "
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish "

    A red "dos window" (dos box) will open with options:

    • 1. Make logfile
      2. Run auto fix
      3. Run manual fix
      E. Exit Haxfix

    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
    • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
     
  7. 2006/12/10
    Lindenmeyr (Thread Starter)
    active desktop icon

    Thanks for the help. Here is the haxfix log file.

    HAXFIX logfile - by Marckie

    version 4.30
    Sun 12/10/2006 17:04:21.29

    --- Checking for Haxdoor ---

    checking for a3d files
    a3d files not found

    checking for matching notify keys
    no matching notify keys found

    checking for matching services
    no matching services found

    checking for matching safeboot services
    no matching safeboot services found

    checking for other Haxdoor-files
    no other Haxdoor-files found


    --- Checking for Goldun ---


    checking for SSODL keys
    no ssodl keys found

    checking for notify keys
    rege2usb

    checking for services
    no services found

    checking for other Goldun-files
    no other Goldun-files found


    Finished!
     
  8. 2006/12/10
    TeMerc (Alumni)
    Second part of fix:

    • Double click on My Computer -> C:\ -> Program Files -> haxfix and double click on fix.bat (or double click on the fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.

    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.
     
  9. 2006/12/10
    Lindenmeyr (Thread Starter)
    Active desktop icon

    New logs. Thanks again.

    HAXFIX logfile - by Marckie

    version 4.30
    Sun 12/10/2006 19:09:17.45

    --- Auto Haxdoorfix ---


    searching for files:

    no infections found


    --- Goldunfix ---


    searching for files:

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    rege2usb

    searching for services:
    no services found


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    notifykey rege2usb not found


    searching for services

    not needed


    searching for safeboot services

    not needed


    searching for files

    rege2usb.dll exists
    deleting rege2usb.dll
    rege2usb.dll has been deleted


    checking for other files

    No other files found


    checking for a3d files

    no a3d files found


    Finished


    Logfile of HijackThis v1.99.1
    Scan saved at 7:13:50 PM, on 12/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\PROMon.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\pango.exe
    C:\Program Files\Common Files\AOL\1158707385\ee\aolsoftware.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\WINNT\system32\pango.exe
    C:\WINNT\system32\crypserv.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINNT\TEMP\MT6CE5.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HTJ\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SDWin32 Class - {19E33C16-C8ED-4FA0-B7F6-BC9BFDD69CD5} - C:\WINNT\System32\wmyit.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LogicalM] C:\WINNT\system32\pango.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [pango.exe] C:\WINNT\system32\pango.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.gooogle.bz
    O15 - Trusted Zone: www.nanobyte.biz
    O15 - Trusted Zone: download.pangocash.com
    O15 - Trusted Zone: showtime.pangocash.com
    O15 - Trusted Zone: www.playmore.biz
    O15 - Trusted Zone: www.preferiti-windows.com
    O15 - Trusted Zone: www.ricercadoppia.com
    O15 - Trusted Zone: www.scalalap.com
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.7.5.21/omaha/omaha-en_US.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.7.3.23/aces/aces-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.5.21/cascade/cascade-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lottso/lottso-en_US.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.6.5.22/mlslots/mlslots-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.6.4.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.4.28/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.7.5.28/quickshot/quickshot-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.23/squares/squares-en_US.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.6.5.22/ride/ride-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.28/puck/puck-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spider/spider-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.35/peaks/peaks-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.6.4.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.30/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.4.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ttp://www.remington.com/firearms/3d/700_rifle
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {29ADFD98-4896-4358-9CF6-289D509DF350} - http://download.pangocash.com/pango.exe
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A97D270F-E14D-4AB3-96C2-72510B30AF23} - http://showtime.pangocash.com/pop/matc/install.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/chuzzle/popcaploader_v6.cab
    O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/axinstall/SRInstall4110_sp2.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
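The two logs together make a point worth keeping: the first HijackThis log reported the rege2usb Winlogon Notify DLL as "(file missing)", Haxfix found the same rege2usb.dll after the reboot and deleted it, and the O20 entry is gone from the log above. A DLL that a user-mode listing cannot find is therefore a reason to look harder, not a reason to dismiss the entry. As an added example (not Haxfix's code, and not something posted in the thread), here is the Notify check done offline over a registry export, e.g. one taken with `reg export` on the affected machine and read on a clean one. The .reg text below is constructed and modelled on the three Notify entries in the first log; the "files visible in System32" set and the stock-XP package list are assumptions (the latter from memory of clean XP SP2 builds, so confirm it against a known-good machine).

```python
import re

# Constructed sample of a 'reg export' of the Winlogon\Notify key, modelled on the
# three Notify entries in this thread's first HijackThis log. Not a real export;
# the event value names are illustrative.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rege2usb]
"DLLName"="rege2usb.dll"
"Startup"="WinlogonStartup"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"DLLName"="WgaLogon.dll"
"Logon"="WgaLogon"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"""

# Constructed: what a directory listing of System32 on the infected box shows.
# rege2usb.dll is deliberately absent, as HijackThis's "(file missing)" suggests.
VISIBLE_SYSTEM32 = {"igfxsrvc.dll", "WgaLogon.dll", "crypt32.dll", "cscdll.dll"}

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: Notify packages present on a stock Windows XP SP2 install (from memory;
# verify against a clean build before relying on it).
XP_STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_reg(text):
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor Version 5.00' exports.
    Returns {key_path: {value_name: value}}; quoted strings become str, dword: becomes int.
    (Real exports are UTF-16 on disk; decode before passing the text in.)"""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace('\\\\', '\\')   # .reg escapes backslashes
            else:
                keys[current][name] = val
    return keys


def audit_notify(reg_text, visible_system32_files):
    """Return {package_name: [reasons]} for every Notify subkey that deserves a second look."""
    keys = parse_reg(reg_text)
    visible = {f.lower() for f in visible_system32_files}
    prefix = NOTIFY_KEY.lower() + "\\"
    report = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        name = path[len(prefix):]
        reasons = []
        dll = values.get("DLLName") or values.get("DllName") or ""
        if not dll:
            reasons.append("no DLLName value (inert, but still odd)")
        else:
            base = dll.rsplit("\\", 1)[-1].lower()
            if base not in visible:
                reasons.append(f"{dll} is not visible in System32 (deleted, or hidden by a rootkit)")
        if name.lower() not in XP_STOCK_NOTIFY:
            reasons.append("not a stock XP Notify package; confirm the vendor")
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_notify(SAMPLE_REG, VISIBLE_SYSTEM32).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a live machine the "visible" set would come from listing System32, and that is exactly the view a kernel rootkit can filter; the script treats an unresolvable DLLName as the strongest signal for that reason, and treats "not stock" as informational, since igfxcui (Intel graphics) and WgaLogon (Microsoft) are vendor additions that also trip it.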
     
  10. 2006/12/10
    TeMerc (Alumni)
    Ok, let's finish off now that we got the big nasty bugger off.

    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.

    First:
    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Then:
    Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on 'Add or Remove Programs'. Then find the following programs and click the [Change|Remove] button for each, if they are listed:
    Party Poker
    StopZilla <<<---this app has been involved in some less than stellar advertising and even less stellar performance.
    Viewpoint <<<--Stealth DL, bundled with AIM. Used for online game playing, will re-install with AIM upgrade. Will not cause any malfunctions with AIM if removed.


    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, high-light and select 'End Task' on the following process(es) if present:
    C:\WINNT\system32\pango.exe (all)


    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


    O2 - BHO: SDWin32 Class - {19E33C16-C8ED-4FA0-B7F6-BC9BFDD69CD5} - C:\WINNT\System32\wmyit.dll (file missing)


    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)


    O15 - Trusted Zone: www.gooogle.bz
    O15 - Trusted Zone: www.nanobyte.biz
    O15 - Trusted Zone: download.pangocash.com
    O15 - Trusted Zone: showtime.pangocash.com
    O15 - Trusted Zone: www.playmore.biz
    O15 - Trusted Zone: www.preferiti-windows.com
    O15 - Trusted Zone: www.ricercadoppia.com
    O15 - Trusted Zone: www.scalalap.com


    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...s/3d/700_rifle

    O16 - DPF: {29ADFD98-4896-4358-9CF6-289D509DF350} - http://download.pangocash.com/pango.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

    O16 - DPF: {A97D270F-E14D-4AB3-96C2-72510B30AF23} - http://showtime.pangocash.com/pop/matc/install.exe

    O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.co...ll4110_sp2.cab


    O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)



    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\STOPzilla!<<<<---this folder
    C:\Program Files\PartyPoker<<<<---this folder
    C:\Program Files\Viewpoint<<<<---this folder
    C:\WINNT\System32\wmyit.dll <<<--this file
    C:\WINNT\TEMP\MT6CE5.EXE<<<--this file
    C:\WINNT\system32\pango.exe<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Restart, post a new HJT log along with the ComboFix log.
     
  11. 2006/12/11
    Lindenmeyr (Thread Starter)
    Active desktop icon

    No Party Poker or StopZilla found in Add or Remove Programs. Here are the log files. Thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:35:07 AM, on 12/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\PROMon.exe
    C:\progra~1\scansoft\paperp~1\pptd40nt.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Common Files\AOL\1158707385\ee\aolsoftware.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    C:\WINNT\TEMP\ZV72CE.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maine.rr.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LogicalM] C:\WINNT\system32\pango.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [pango.exe] C:\WINNT\system32\pango.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.7.5.21/omaha/omaha-en_US.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.7.3.23/aces/aces-en_US.cab
    O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.7.5.21/cascade/cascade-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.3.30/lottso/lottso-en_US.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.6.5.22/mlslots/mlslots-en_US.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.6.4.29/waterwheel/waterwheel-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.4.28/poppit2/poppit2-en_US.cab
    O16 - DPF: Quick Shot by pogo - http://game1.pogo.com/applet-6.7.5.28/quickshot/quickshot-en_US.cab
    O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.23/squares/squares-en_US.cab
    O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
    O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.6.5.22/ride/ride-en_US.cab
    O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.28/puck/puck-en_US.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.7.3.30/spider/spider-en_US.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.35/peaks/peaks-en_US.cab
    O16 - DPF: Wonderland Memories by pogo - http://game1.pogo.com/applet-6.6.4.29/memories/memories-en_US.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.7.3.30/wordwhomp2/whomp2-en_US.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.4.29/whackdown/whackdown-en_US.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/chuzzle/popcaploader_v6.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

    Mike - 06-12-11 5:58:59.12 Service Pack 2
    ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Mike\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINNT\system32\bszip.dll


    ((((((((((((((((((((((((((((((( Files Created from 2006-11-11 to 2006-12-11 ))))))))))))))))))))))))))))))))))


    2006-12-10 17:04 90,112 --a------ C:\WINNT\system32\RegDACL.exe
    2006-12-10 17:04 7,483 --a------ C:\clean.bat
    2006-12-10 17:04 40,960 --a------ C:\WINNT\system32\swsc.exe
    2006-12-10 17:04 4,096 --a------ C:\WINNT\system32\reboot.exe
    2006-12-10 17:04 38,400 --a------ C:\WINNT\system32\moveex.exe
    2006-12-10 17:01 <DIR> d-------- C:\Program Files\HaxFix
    2006-12-08 16:53 <DIR> d-------- C:\HTJ
    2006-11-30 19:09 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AdobeAUM
    2006-11-26 14:38 <DIR> d-------- C:\Program Files\skiStunt
    2006-11-18 08:28 <DIR> d-------- C:\Program Files\MSXML 4.0
    2006-11-18 08:27 <DIR> d-------- C:\eb092c970fca3c68d769aab5


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-12-09 12:59 -------- d-------- C:\Documents and Settings\Mike\Application Data\Adobe
    2006-12-07 16:38 -------- d-------- C:\Documents and Settings\Mike\Application Data\AdobeUM
    2006-11-26 14:38 -------- d-------- C:\Program Files\Common Files
    2006-11-18 08:27 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-15 16:00 -------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
    2006-11-12 19:41 96464 --a------ C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
    2006-11-12 18:02 -------- d-------- C:\Program Files\Google
    2006-11-04 14:14 1245696 --a------ C:\WINNT\system32\msxml4.dll
    2006-11-03 13:19 30307 --a------ C:\WINNT\system32\pango.exe
    2006-10-29 13:30 -------- d-------- C:\Program Files\Nova Development
    2006-10-29 12:44 -------- d-------- C:\Program Files\The Print Shop 21
    2006-10-29 12:38 -------- d-------- C:\Program Files\Web Publish
    2006-10-29 12:07 -------- d---s---- C:\Documents and Settings\Mike\Application Data\Microsoft
    2006-10-19 18:33 1 --a------ C:\config.sys
    2006-10-13 07:35 65536 --a------ C:\WINNT\system32\nwwks.dll
    2006-10-13 07:35 64000 --a------ C:\WINNT\system32\nwapi32.dll
    2006-10-13 07:35 142336 --a------ C:\WINNT\system32\nwprovau.dll
    2006-10-13 05:23 163584 --a------ C:\WINNT\system32\drivers\nwrdr.sys
    2006-09-13 00:01 1084416 --a------ C:\WINNT\system32\msxml3.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "AIM "= "C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl "
    "pango.exe "= "C:\\WINNT\\system32\\pango.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray "= "C:\\WINNT\\System32\\igfxtray.exe "
    "HotKeysCmds "= "C:\\WINNT\\System32\\hkcmd.exe "
    "PROMon.exe "= "PROMon.exe "
    "PaperPort PTD "= "c:\\progra~1\\scansoft\\paperp~1\\pptd40nt.exe "
    "ViewMgr "= "C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr_.exe "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "IPHSend "= "C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe "
    "OfficeScanNT Monitor "= "\ "C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "LogicalM "= "C:\\WINNT\\system32\\pango.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000004

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,38,01,00,00,00,00,00,00,c8,02,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo "=hex:18,00,00,00,38,01,00,00,00,00,00,00,c8,02,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=hex:91,00,00,00

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "CDRAutoRun "=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    Completion time: 06-12-11 6:00:48.43
    C:\ComboFix.txt ... 06-12-11 06:00
     
  12. 2006/12/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, everything looks good, how is the machine behaving at this point? Let me know.

    There is one line which is still in the HJT log file, related perhaps to some sort of IM application, pango.exe. Do you use this IM? If so, you can obviously leave it intact.

    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  13. 2006/12/11
    Lindenmeyr

    Lindenmeyr Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    7
    Likes Received:
    0
    Active desk top icon

    Icon is gone and everything looks good so far. I am going to do the last steps shortly. You guys know your stuff.

    Thanks to all for your help.
    Happy Holidays.
     
  14. 2006/12/11
    Lindenmeyr

    Lindenmeyr Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    7
    Likes Received:
    0
    Active desk top icon

    Should I delete everything in the temporary internet files including .dat files and desktop.ini files and any Content.IE5 folders and subfolders?
     
  15. 2006/12/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    You can leave desktop.ini file if you like. Everything else can go.
     
