
Solved infection [Internet Options cpl won't open]

Discussion in 'Malware and Virus Removal Archive' started by boggie, 2008/04/13.

  1. 2008/04/27
    boggie

    boggie Inactive Thread Starter

    Joined:
    2008/04/12
    Messages:
    55
    Likes Received:
    0
    Goes to admin and guest 2.
     
  2. 2008/04/27
    boggie

    Cannot get to my desktop, so I cannot get to ComboFix.
     


  4. 2008/04/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    So there's no icon for your account? That screen can only display a couple of account icons without the need to scroll down, and if I remember correctly, there is a scroll bar on the right edge of the screen. Please check again.
     
  5. 2008/04/27
    boggie

    Thanks, I will try that. Sorry, I'm new to this.
     
  6. 2008/04/27
    noahdfear

    No need to apologize. ;)
     
  7. 2008/04/27
    boggie

    Here is that log. Will get the HJT log ready.
     
  8. 2008/04/27
    boggie

    ComboFix 08-04-26.5 - tom 2008-04-27 15:44:16.9 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.380 [GMT -5:00]
    Running from: C:\Documents and Settings\tom\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\opera6.ini
    C:\WINDOWS\system32\dllcache\spoolsv.exe
    C:\WINDOWS\system32\regapi.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
    .

    2008-04-27 15:13 . 2008-04-27 15:13 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-04-20 15:34 . 2006-11-07 21:01 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
    2008-04-20 03:16 . 2008-04-27 11:19 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
    2008-04-19 18:07 . 2008-04-27 15:42 1,024 --ah----- C:\Documents and Settings\guest 2\ntuser.dat.LOG
    2008-04-19 18:02 . 2008-04-26 13:35 <DIR> d-------- C:\Program Files\Symantec
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Program Files\LimeWire
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Lavasoft
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\guest 2\Application Data\Yahoo!
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\guest 2\Application Data\Lavasoft
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\guest 2\Application Data\DivX
    2008-04-19 18:02 . 2008-04-19 18:07 <DIR> d-------- C:\Documents and Settings\guest 2
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\Guest
    2008-04-19 18:02 . 2008-04-19 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-19 18:01 . 2008-04-19 18:02 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2008-04-19 17:34 . 2008-04-19 17:58 <DIR> d-------- C:\ComboFix(2)
    2008-04-19 09:28 . 2008-04-19 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-13 19:56 . 2008-04-19 18:00 <DIR> d--hs---- C:\RECYCLER(2)
    2008-04-13 11:24 . 2008-04-27 11:19 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    2008-04-13 10:03 . 2008-04-13 10:03 <DIR> d-------- C:\Deckard
    2008-04-13 09:35 . 2008-04-13 09:35 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-13 01:42 . 2008-04-19 18:01 <DIR> d-------- C:\Documents and Settings\guest 2(2)\Templates(2)
    2008-04-13 01:42 . 2008-04-19 18:01 <DIR> d-------- C:\Documents and Settings\guest 2(2)\Local Settings(2)
    2008-04-13 01:42 . 2008-04-19 18:01 <DIR> d-------- C:\Documents and Settings\guest 2(2)\Application Data(2)
    2008-04-13 01:42 . 2008-04-19 18:01 <DIR> d---s---- C:\Documents and Settings\guest 2(2)
    2008-04-13 01:42 . 2008-04-27 11:19 1,024 --ah----- C:\Documents and Settings\guest 2(2)\NTUSER.DAT.LOG
    2008-04-12 21:27 . 2008-04-12 21:27 0 --a------ C:\Documents and Settings\tom\undockwithoutlogonREG_DWORD0x1
    2008-04-12 21:26 . 2008-04-12 21:28 0 --a------ C:\Documents and Settings\tom\shutdownwithoutlogonREG_DWORD0x1
    2008-04-12 21:26 . 2008-04-12 21:28 0 --a------ C:\Documents and Settings\tom\NoDriveTypeAutoRunREG_BINARY5F000000
    2008-04-12 21:26 . 2008-04-12 21:28 0 --a------ C:\Documents and Settings\tom\legalnoticetextREG_SZ
    2008-04-12 21:26 . 2008-04-12 21:28 0 --a------ C:\Documents and Settings\tom\legalnoticecaptionREG_SZ
    2008-04-12 21:26 . 2008-04-12 21:28 0 --a------ C:\Documents and Settings\tom\dontdisplaylastusernameREG_DWORD0x0
    2008-04-12 19:43 . 2008-04-12 19:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop
    2008-04-12 16:56 . 2008-04-19 18:02 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-04-12 09:10 . 2007-01-09 21:47 624,784 --a------ C:\WINDOWS\system32\SymNeti.dll
    2008-04-10 03:23 . 2008-04-19 18:04 <DIR> d-------- C:\0447d2e626ba2040e50e452775

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-27 17:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-04-19 23:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-19 23:03 --------- d-----w C:\Program Files\Yahoo!
    2008-04-19 23:02 --------- d-----w C:\Program Files\PCPitstop
    2008-04-19 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
    2008-04-19 23:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-19 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-19 22:53 --------- d-----w C:\Documents and Settings\tom\Application Data\Yahoo!
    2008-04-12 14:03 --------- d-----w C:\Documents and Settings\sharon jones\Application Data\Yahoo!
    2008-03-31 20:19 --------- d-----w C:\Documents and Settings\sharon jones\Application Data\LimeWire
    2008-03-29 14:15 --------- d-----w C:\Program Files\Logitech
    2008-03-29 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-22 21:01 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-03-22 21:01 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2008-03-22 21:01 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-03-22 21:01 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-03-18 18:53 --------- d-----w C:\Documents and Settings\tom\Application Data\LimeWire
    2008-03-09 03:50 --------- d-----w C:\Program Files\Java
    2008-03-01 23:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-03-01 13:06 826,368 ------w C:\WINDOWS\system32\dllcache\wininet.dll
    2008-03-01 13:06 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
    2008-03-01 13:06 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2008-03-01 13:06 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
    2008-03-01 13:06 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    2008-03-01 13:06 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2008-03-01 13:06 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
    2008-03-01 13:06 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
    2008-02-29 02:29 --------- d-----w C:\Program Files\Microsoft Picture It! 2002
    2008-02-29 02:19 --------- d-----w C:\Program Files\Microsoft Streets & Trips
    2008-02-29 02:11 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-29 02:09 --------- d-----w C:\Program Files\Microsoft Money
    2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-02-04 22:54 275 ----a-w C:\Documents and Settings\Incomplete\downloads.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B184A91-2ECA-4919-31A4-C1C3DE8A9BFE}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE307A48-71E6-46E7-B692-3B532E700E75}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1E74DAA-8B7B-48A1-A089-6D4A0AC4B0FC}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE64D334-BF5D-4434-896E-52CB9CDC5DF1}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
    "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 21:15 103712]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
    "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 17:37 2178832]
    "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 21:15 103712]
    "UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 02:00 90112]
    "Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41 28738]
    "YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]
    "osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 02:11 771704]

    C:\Documents and Settings\tom\Start Menu\Programs\Startup\
    Enigma Client.lnk.disabled [2008-02-16 17:18:12 666]
    LimeWire On Startup.lnk.disabled [2008-02-16 14:30:52 1538]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebb]
    C:\WINDOWS\System32\geebb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkifcd]
    jkkifcd.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=ctwdm32.dll
    "msacm.ctmp3"=C:\WINDOWS\system32\ctmp3.acm
    "aux"=ctwdm32.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk.disabled
    backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk.disabled
    backup=C:\WINDOWS\pss\AT&T Self Support Tool.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk.disabled]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk.disabled
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnk.disabledCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^sharon jones^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=C:\Documents and Settings\sharon jones\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    --a--c--- 2002-04-10 19:44 679936 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIAGENT]
    --a------ 2001-08-30 02:00 172122 C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    --a--c--- 2001-08-16 23:41 28738 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    ---hs---- 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    --a--c--- 2001-10-05 19:34 24576 C:\Program Files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    --a------ 2007-06-08 09:59 224248 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe
    "IpWins"=C:\Program Files\Ipwindows\ipwins.exe
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    "Yahoo! Pager"=~"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "UpdReg"=C:\WINDOWS\Updreg.exe
    "Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    "YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    "LXSUPMON"=C:\WINDOWS\System32\LXSUPMON.EXE RUN
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_13\bin\jusched.exe"
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
    "WinampAgent"=C:\Program Files\Winamp\winampa.exe
    "Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    "MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe"
    "MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    "DIAGENT"=C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "AHQInit"=C:\Program Files\Creative\SBLive\Program\AHQInit.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    S3 ati2mpaa;ati2mpaa;C:\WINDOWS\System32\DRIVERS\ati2mpaa.sys [2001-08-17 07:48]
    S3 ati2mtaa;ati2mtaa;C:\WINDOWS\System32\DRIVERS\ati2mtaa.sys [2002-08-28 23:16]
    S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\System32\DRIVERS\superwebcam.sys [2006-06-27 08:56]

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-23 14:32:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-27 15:47:00
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\tsd32.dll
    .
    Completion time: 2008-04-27 15:49:43
    ComboFix-quarantined-files.txt 2008-04-27 20:48:48
    ComboFix2.txt 2008-04-14 01:08:03
    ComboFix3.txt 2008-04-14 00:04:17

    Pre-Run: 16,503,066,624 bytes free
    Post-Run: 16,498,352,128 bytes free

     
  9. 2008/04/27
    boggie

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:35 PM, on 4/27/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
    O2 - BHO: (no name) - {6B184A91-2ECA-4919-31A4-C1C3DE8A9BFE} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {BE307A48-71E6-46E7-B692-3B532E700E75} - (no file)
    O2 - BHO: (no name) - {F1E74DAA-8B7B-48A1-A089-6D4A0AC4B0FC} - (no file)
    O2 - BHO: (no name) - {FE64D334-BF5D-4434-896E-52CB9CDC5DF1} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    O4 - Startup: Enigma Client.lnk.disabled
    O4 - Startup: LimeWire On Startup.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/v/8.1.1.1/applet/slots/alibaba-en_US.cab
    O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/v/8.1.1.1/applet/fancy/fancy-en_US.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/v/8.1.1.1/applet/lottso/lottso-en_US.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/v/8.1.2.12/applet/poppit2/poppit2-en_US.cab
    O16 - DPF: Spades 2 by pogo - http://game1.pogo.com/v/8.1.1.13/applet/spades2/spades2-en_US.cab
    O16 - DPF: Sweet Tooth 2 by Pogo - http://game1.pogo.com/v/8.1.3.26/applet/sweettooth2/sweettooth2-en_US.cab
    O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/v/8.1.1.18/applet/simball/simball-en_US.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
    O16 - DPF: {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - http://www.00110.net/tj2007/00110.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O20 - Winlogon Notify: geebb - C:\WINDOWS\System32\geebb.dll (file missing)
    O20 - Winlogon Notify: jkkifcd - jkkifcd.dll (file missing)
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 10127 bytes
     
  10. 2008/04/27
    noahdfear

    Delete the following files.

    C:\Documents and Settings\tom\undockwithoutlogonREG_DWORD0x1
    C:\Documents and Settings\tom\shutdownwithoutlogonREG_DWORD0x1
    C:\Documents and Settings\tom\NoDriveTypeAutoRunREG_BINARY5F000000
    C:\Documents and Settings\tom\legalnoticetextREG_SZ
    C:\Documents and Settings\tom\legalnoticecaptionREG_SZ
    C:\Documents and Settings\tom\dontdisplaylastusernameREG_DWORD0x0


    Scan again with HijackThis and place a check next to the following entries.

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {6B184A91-2ECA-4919-31A4-C1C3DE8A9BFE} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: (no name) - {BE307A48-71E6-46E7-B692-3B532E700E75} - (no file)
    O2 - BHO: (no name) - {F1E74DAA-8B7B-48A1-A089-6D4A0AC4B0FC} - (no file)
    O2 - BHO: (no name) - {FE64D334-BF5D-4434-896E-52CB9CDC5DF1} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O20 - Winlogon Notify: geebb - C:\WINDOWS\System32\geebb.dll (file missing)
    O20 - Winlogon Notify: jkkifcd - jkkifcd.dll (file missing)

    Close all other windows, then click Fix Checked. Close HijackThis.

    If you don't already have it, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything, check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot


    Now, please do an online scan with Kaspersky WebScanner

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
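
Added example, not part of this thread and not HijackThis' own logic: the items the helper lists above fall into three groups (O2/O3 CLSIDs with no backing file, O15 Trusted Zone entries for rogue-antivirus domains, O20 Winlogon Notify packages whose DLL is gone), and a small parser can sort a log into those groups before anyone clicks Fix Checked. The rule set and the rogue-domain list are assumptions drawn from this thread only; the sample lines are copied from the logs posted here, and the O6 rule is included because an IE Restrictions policy is one thing that can lock Internet Options, the symptom in the thread title.

```python
"""Triage rules for HijackThis (HJT) log lines.

Added example; this is not code from the thread or from HijackThis. The sample
lines are copied from the logs in the thread, and the rule set is an assumption
about what a helper checks first, not HijackThis' own classification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains the helper in this thread told the poster to remove from the Trusted
# Zone. Assumption: a real triage would use a maintained rogue-software feed.
ROGUE_DOMAINS = {
    "drivecleaner.com", "errorprotector.com", "systemdoctor.com",
    "winantivirus.com", "imageservr.com", "imagesrvr.com",
}

# "O15 - Trusted Zone: *.foo.com (HKLM)" -> section "O15", body "Trusted Zone: ..."
LINE_RE = re.compile(r"^(?P<sec>[OR]\d+)\s+-\s+(?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _trusted_domain(body: str) -> str:
    host = body.split("Trusted Zone:", 1)[1].split()[0]
    return host.lstrip("*.").lower()


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
        # A CLSID registered as a BHO/toolbar with no DLL behind it is dead
        # weight left by a removed infection; fixing it is safe.
        return Finding(sec, "orphaned BHO/toolbar entry (no backing file): fix", line)
    if sec == "O15":
        host = _trusted_domain(body)
        if host in ROGUE_DOMAINS:
            return Finding(sec, f"Trusted Zone entry for rogue-AV domain {host}: fix", line)
        # Anything in the Trusted Zone runs with far fewer IE restrictions,
        # so even an unfamiliar wildcard entry deserves a look.
        return Finding(sec, f"Trusted Zone entry for {host}: verify it was added on purpose", line)
    if sec == "O20" and "Winlogon Notify" in body:
        # Winlogon Notify DLLs load inside winlogon.exe at logon (XP/2003).
        if "(file missing)" in body:
            return Finding(sec, "Winlogon Notify package with missing DLL: fix", line)
        return Finding(sec, "Winlogon Notify package with DLL present: inspect before fixing", line)
    if sec == "O6" and "Internet Explorer\\Restrictions" in body:
        # Values under this key (e.g. NoBrowserOptions) can lock Internet
        # Options, which matches this thread's original symptom.
        return Finding(sec, "IE Restrictions policy present: confirm it is intentional", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the findings for every line of an HJT log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Sample lines copied from the logs in this thread (the Adobe BHO and the
# Symantec O4 entry are benign and must produce no finding).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O20 - Winlogon Notify: geebb - C:\WINDOWS\System32\geebb.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line.strip()}")
```

The O15 check is the one worth keeping even outside this thread: a wildcard Trusted Zone entry lets a site run ActiveX and scripts under the relaxed Trusted Sites settings, which is exactly why rogue-antivirus installers add their own domains there.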
     
  11. 2008/04/28
    boggie
    thanks for getting back soon
    Monday, April 28, 2008 9:27:06 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 28/04/2008
    Kaspersky Anti-Virus database records: 651454


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 52701
    Number of viruses found 4
    Number of infected objects 4
    Number of suspicious objects 2
    Duration of the scan process 00:59:59

    Infected Object Name Virus Name Last Action
    C:\Deckard\System Scanner\20080427111200\backup\DOCUME~1\tom\LOCALS~1\Temp\Av-test.txt Infected: EICAR-Test-File skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip ZIP: suspicious - 1 skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\tom\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Temp\Perflib_Perfdata_44c.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\tom\ntuser.dat Object is locked skipped

    C:\Documents and Settings\tom\NTUSER.DAT.LOG Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065595.dll Infected: Trojan.Win32.Kolweb.o skipped

    C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065596.exe Infected: Trojan.Win32.Kolweb.l skipped

    C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065597.exe Infected: Trojan.Win32.Kolweb.l skipped

    C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP360\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{F99A1999-96A9-4EF4-8DEE-0B1BDBFDC516}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
    soon
     
  12. 2008/04/28
    boggie
    The other hjt
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:30:03 AM, on 4/28/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\WgaTray.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe "
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
    O4 - Startup: Enigma Client.lnk.disabled
    O4 - Startup: LimeWire On Startup.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
    O16 - DPF: {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - http://www.00110.net/tj2007/00110.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 8222 bytes
     
  13. 2008/04/28
    noahdfear
    Looks good. Let's finish up. Please refer to the instructions in this post for removing quarantine items by Spybot. Remove everything it has in quarantine.

    Now, click Start>Run and type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard folder will also be removed. You can delete any logs that were created/saved too.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.


    I would like to see you run one more online scan with Kaspersky to make sure everything is cleaned now. Let me know how the computer is behaving now too, and if there are any other problems to address.
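
Added example, not from the thread and not from Kaspersky: the reasoning behind "Looks good" is that every remaining hit in the scan above sat in a System Restore point or in another tool's quarantine store (Spybot's Recovery folder, the Deckard backup holding an EICAR test file), and none on a live path. The script below sorts a Kaspersky Online Scanner report that way and reaches the same verdict. The quarantine-folder list (it includes ComboFix's Qoobox, which does not appear in these logs) is an assumption, and the report lines are copied from the posts above.

```python
"""Sort a Kaspersky Online Scanner report into active hits and residue.

Added example; not code from the thread or from Kaspersky. The report lines
are copied from the posts in the thread. Assumption: the quarantine/backup
folder list is the one seen in this thread (Spybot Recovery, Deckard backup)
plus ComboFix's Qoobox, which is not in these logs.
"""
import re
from typing import Dict, List, Tuple

# "<path> Infected: <name> skipped" / "<path> Object is locked skipped"
RESULT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious|ZIP|Object is locked)"
    r"(?::\s*(?P<detail>.*?))?\s+skipped$"
)

RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
QUARANTINE_DIRS = (
    r"\Spybot - Search & Destroy\Recovery",
    r"\Deckard\System Scanner",
    r"\Qoobox\Quarantine",   # ComboFix's quarantine (assumed; not in this thread's logs)
)


def classify(path: str, status: str, detail: str) -> str:
    if status == "Object is locked":
        return "locked"            # open system files the scanner could not read: noise
    if detail and "EICAR" in detail.upper():
        return "test_file"         # the EICAR test string, not malware
    if RESTORE_POINT.search(path):
        return "restore_point"     # dormant copy; purged by clearing System Restore
    low = path.lower()
    if any(q.lower() in low for q in QUARANTINE_DIRS):
        return "quarantine"        # already neutralised by another tool; empty that store
    return "active"


def summarize(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every result line of the report by where the object lives."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        k: [] for k in ("active", "restore_point", "quarantine", "test_file", "locked")
    }
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        path, status = m.group("path"), m.group("status")
        detail = m.group("detail") or ""
        label = f"{status}: {detail}".rstrip(": ")
        buckets[classify(path, status, detail)].append((path, label))
    return buckets


def verdict(buckets: Dict[str, List[Tuple[str, str]]]) -> str:
    if buckets["active"]:
        return "active infection: clean before closing the case"
    if buckets["restore_point"] or buckets["quarantine"]:
        return "residue only: purge restore points and quarantine stores, then rescan"
    return "clean"


# Result lines copied from the Kaspersky report posted earlier in this thread.
SAMPLE_REPORT = r"""
C:\Deckard\System Scanner\20080427111200\backup\DOCUME~1\tom\LOCALS~1\Temp\Av-test.txt Infected: EICAR-Test-File skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065595.dll Infected: Trojan.Win32.Kolweb.o skipped
C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065596.exe Infected: Trojan.Win32.Kolweb.l skipped
C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP329\A0065597.exe Infected: Trojan.Win32.Kolweb.l skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

if __name__ == "__main__":
    b = summarize(SAMPLE_REPORT)
    for bucket, hits in b.items():
        print(f"{bucket:14} {len(hits)}")
    print(verdict(b))
```

The "Object is locked" lines are the registry hives, event logs and index.dat files that are always open while Windows is running; a scanner skipping them says nothing about infection, which is why the helper ignores them and the script counts them separately rather than as findings.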
     
  14. 2008/05/03
    boggie
    Here are the results of Kaspersky Scan. Thanks for all your help and patience.:)


    KASPERSKY ONLINE SCANNER REPORT
    Saturday, May 03, 2008 9:45:04 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/05/2008
    Kaspersky Anti-Virus database records: 659262


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 42427
    Number of viruses found 0
    Number of infected objects 0
    Number of suspicious objects 0
    Duration of the scan process 00:46:36

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\tom\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\History\History.IE5\MSHist012008050320080504\index.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Temp\Perflib_Perfdata_6bc.dat Object is locked skipped

    C:\Documents and Settings\tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\tom\ntuser.dat Object is locked skipped

    C:\Documents and Settings\tom\NTUSER.DAT.LOG Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{4DCA892E-887C-45FD-8B59-575B89179E95}\RP363\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{90F5B6DB-80B4-4D02-BAC0-3CC200182264}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  15. 2008/05/03
    boggie
    Computer is running fine, but you were right about the CD-ROM and other devices not working. Could you help with that?
     
  16. 2008/05/04
    noahdfear
    Glad to hear things are working properly again. :)

    The autorun/autoplay feature, when enabled, causes one of two things to happen depending on previously made choices.

    1. When a cd-rom or dvd is inserted, or a usb device (camera, flashdrive, external hard drive, etc) is attached, Windows will open a message window that provides a list of actions to take based on the content of the device or media.

    2. If on prior occasion of the message window, the user selected to always perform the same action with certain types of media/device, there will be no message window opened upon detection of media/device. Instead, it will automatically run the previously selected program or execute the same behavior.

    Example: with autorun/autoplay enabled you insert a music cd. Windows will detect the cd and its contents, then open a message window that might offer to play the cd with Media Player, Music Match Jukebox, or any of many applications you may or may not have installed.
    Insert a Movie DVD and Windows might prompt you to view it with Power DVD, Media Player, etc.

    Example: with autorun/autoplay enabled and on a previous prompt for action the box was checked to always apply the same action, Windows might automatically open Roxio CD Creator or Nero Burning ROM when a blank cd is inserted.

    Plug in a usb camera and Windows might open or prompt you to use the Scanner and Camera Transfer Wizard to transfer the pictures to your computer.

    Plug in a flash drive and Windows might open or prompt you to use Windows Explorer to browse the contents of the flash drive. It may also just execute an infection residing on the flash drive, thereby infecting your computer.

    Insert a game cd or software cd, and Windows might automatically begin the installation setup.

    Malware authors have begun to exploit the autorun/autoplay feature, so the author of ComboFix, in an effort to help protect your computer from becoming infected via that avenue, configured ComboFix to disable it. Many security apps disable it as well, and even Microsoft recommends disabling it. Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures by selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc. I do recommend you leave the feature disabled and get into the habit of accessing those media devices manually; however, I will send you via PM the information required to re-enable the autoplay feature should you decide to do so.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe! :)
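
Added example, not ComboFix's code: the post does not say how ComboFix turns AutoRun off, so the script assumes Microsoft's documented policy value NoDriveTypeAutoRun (KB 967715) and shows the weak XP default beside the hardened value, then parses a constructed autorun.inf of the kind a worm drops on a flash drive to list every command the shell could launch from it. The payload path in the sample is hypothetical.

```python
r"""Windows AutoRun: decode the NoDriveTypeAutoRun policy and show what an
autorun.inf would launch.

Added example; not ComboFix's code, and the thread does not say how ComboFix
disables AutoRun. Assumption: the policy is the documented REG_DWORD
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(Microsoft KB 967715). The autorun.inf below is constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# Bit -> drive type whose AutoRun is disabled when the bit is set (KB 967715).
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB flash, floppy)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}
XP_DEFAULT = 0x91   # weak: unknown + network only; USB sticks and CDs still autorun
DISABLE_ALL = 0xFF  # hardened: every drive type, the value security tools set


def autorun_allowed_for(mask: int) -> Set[str]:
    """Drive types on which AutoRun still fires under this policy value."""
    return {name for bit, name in DRIVE_BITS.items() if not mask & bit}


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key -> value of the [autorun] section, keys lower-cased."""
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_candidates(inf: Dict[str, str]) -> List[Tuple[str, str]]:
    r"""Every command the shell could run for this inf: 'open' and
    'shellexecute' fire on insertion, shell\<verb>\command on double-click
    or from the context menu. Malware points all of them at one payload."""
    cands = [(k, inf[k]) for k in ("open", "shellexecute") if k in inf]
    cands += [(k, v) for k, v in inf.items()
              if k.startswith("shell\\") and k.endswith("\\command")]
    return cands


# Constructed autorun.inf of the kind a worm drops on a flash drive: every
# verb points at the same payload (hypothetical path, not from this thread).
SAMPLE_INF = r"""
[autorun]
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

if __name__ == "__main__":
    for name, mask in (("XP default", XP_DEFAULT), ("disable all", DISABLE_ALL)):
        still = sorted(autorun_allowed_for(mask)) or ["nothing"]
        print(f"{name} 0x{mask:02X}: AutoRun still fires on {', '.join(still)}")
    for key, cmd in launch_candidates(parse_autorun_inf(SAMPLE_INF)):
        print(f"{key:22} -> {cmd}")
```

AutoRun (processing of autorun.inf) is what the policy value governs; the AutoPlay prompt described in the post is the dialog layered on top of it, which is why turning the feature off costs nothing but the prompt. Since Windows Vista SP2 and Windows 7 with update KB971029, autorun.inf is no longer honoured on removable (non-optical) media at all, so leaving it disabled, as recommended above, is the current default anyway.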
     
  17. 2008/05/05
    boggie
    Noahdfear, I want to say thanks for all your help and patience. All is good here. I will keep reading on this site and try to learn more about the things to do and not to do. Again, thanks for all :) You guys do a lot to help people who get in trouble, so I am going to be more careful.


    Boggie
     
  18. 2008/05/05
    noahdfear
    Happy to have helped. You're welcome, Boggie :)
     
