
Help removing rootkit

Discussion in 'Malware and Virus Removal Archive' started by quirkymac, 2006/12/15.

  1. 2006/12/15
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Help please....
    Just reloaded Windows XP and before I had a chance to install my antivirus/antispyware selection....I think I have been hijacked!

    Currently my start bar (i.e. the bar that includes the Start button that usually runs along the bottom of the screen) is not there....even after restarting.


    Panda Activescan report

    Incident Status Location

    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tony\Cookies\tony@112.2o7[1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tony\Cookies\tony@247realmedia[2].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tony\Cookies\tony@2o7[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ad.yieldmanager[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tony\Cookies\tony@adrevolver[1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tony\Cookies\tony@adrevolver[2].txt
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ads.addynamix[2].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ads.pointroll[2].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Tony\Cookies\tony@adserver.filefront[2].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Tony\Cookies\tony@adtech[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Tony\Cookies\tony@apmebf[2].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tony\Cookies\tony@as-eu.falkag[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tony\Cookies\tony@as-us.falkag[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Tony\Cookies\tony@as1.falkag[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Tony\Cookies\tony@atwola[2].txt
    Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Tony\Cookies\tony@banner[1].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Tony\Cookies\tony@bluestreak[2].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Tony\Cookies\tony@bravenet[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tony\Cookies\tony@bs.serving-sys[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Tony\Cookies\tony@burstnet[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tony\Cookies\tony@c5.zedo[2].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Tony\Cookies\tony@cdfreaks[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Tony\Cookies\tony@cgi-bin[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Tony\Cookies\tony@cgi-bin[4].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Tony\Cookies\tony@club.cdfreaks[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Tony\Cookies\tony@com[1].txt
    Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ct.360i[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Tony\Cookies\tony@go[1].txt
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Tony\Cookies\tony@hotlog[1].txt
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Tony\Cookies\tony@i.screensavers[2].txt
    Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Tony\Cookies\tony@ilead.itrack[2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Tony\Cookies\tony@maxserving[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tony\Cookies\tony@overture[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Tony\Cookies\tony@perf.overture[1].txt
    Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Tony\Cookies\tony@qksrv[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tony\Cookies\tony@questionmarket[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tony\Cookies\tony@realmedia[1].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Tony\Cookies\tony@revenue[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Tony\Cookies\tony@searchportal.information[1].txt
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tony\Cookies\tony@server.iad.liveperson[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Tony\Cookies\tony@serving-sys[1].txt
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Tony\Cookies\tony@stat.onestat[2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Tony\Cookies\tony@statcounter[1].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Tony\Cookies\tony@toplist[1].txt
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Tony\Cookies\tony@tradedoubler[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Tony\Cookies\tony@tribalfusion[1].txt
    Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Tony\Cookies\tony@weborama[1].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Tony\Cookies\tony@www.myaffiliateprogram[1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Tony\Cookies\tony@xiti[1].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Tony\Cookies\tony@yadro[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Tony\Cookies\tony@zedo[2].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Tony.HOME\Cookies\tony@112.2o7[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tony.HOME\Cookies\tony@ad.yieldmanager[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tony.HOME\Cookies\tony@doubleclick[1].txt
    Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
    Potentially unwanted tool:Application/Pskill.B Not disinfected E:\System Volume Information\_restore{6890410F-412B-4FF7-8BB8-E4C7A8FCA3FB}\RP104\A0034814.exe[build\quartz\build\install\PVS_V3_ProfileGuided_1334.msi][unk_0022][pskill.exe]
     
  2. 2006/12/15
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    HJT log
    Logfile of HijackThis v1.99.1
    Scan saved at 6:10:39 PM, on 15/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hjt\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166006324334
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     


  4. 2006/12/15
    quirkymac

    quirkymac Inactive Thread Starter

    Joined:
    2006/09/07
    Messages:
    196
    Likes Received:
    0
    Seems the start menu disappearance was something to do with Nvidia drivers....
     
  5. 2006/12/15
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to the forums.

    Good to hear you solved the problem.

    The findings by Panda are of course no threat; cookies are merely text files and cannot hurt the system in any way.


    I urge you to go and get anti-virus and a firewall right away however.

    Here are some good, well-known choices to pick from:
    Antivirus:
    Firewalls:
    All are free too, can't beat that with a stick.

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
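The triage rule TeMerc applies above (tracking cookies are plain text files and carry no risk, so only the non-cookie rows of a scan report deserve attention) can be automated. The script below is an added example and is not part of the thread, of Panda ActiveScan or of HijackThis. It parses the `Category:Name Status Location` row format used in the Panda report quoted in the first post, and assigns each row a priority: `low` for `Cookie/` detections, `info` for copies that live inside a System Restore point (`System Volume Information\_restore...`, an archived snapshot rather than an active file), and `review` for everything else. The sample rows are copied from the post; the priority labels and the `Finding` class are the example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample report rows copied from the Panda ActiveScan output quoted in the
# first post (two cookie rows, one adware row, one restore-point row).
SAMPLE_LINES = [
    "Incident Status Location",
    "",
    r"Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sarah\Cookies\sarah@atdmt[2].txt",
    r"Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Tony\Cookies\tony@cdfreaks[2].txt",
    r"Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe",
    r"Potentially unwanted tool:Application/Pskill.B Not disinfected E:\System Volume Information\_restore{6890410F-412B-4FF7-8BB8-E4C7A8FCA3FB}\RP104\A0034814.exe[build\quartz\build\install\PVS_V3_ProfileGuided_1334.msi][unk_0022][pskill.exe]",
]

# One report row: "<category>:<name> <status> <location>". The category never
# contains a colon; the name may contain spaces ("Cookie/Cd Freaks"), so it is
# matched lazily up to the status keyword; the location is the rest of the line.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<location>.+)$"
)


@dataclass
class Finding:
    category: str
    name: str
    status: str
    location: str
    priority: str  # "low", "info" or "review" (labels assumed by this example)


def classify(name: str, location: str) -> str:
    """Assign a triage priority to one scan row."""
    if name.startswith("Cookie/"):
        return "low"  # browser tracking cookie: a text file, nothing executes
    if "\\system volume information\\_restore" in location.lower():
        return "info"  # archived inside a System Restore point, not an active file
    return "review"  # anything else is worth a human look


def parse_report(lines):
    """Parse Panda ActiveScan rows; header, blank and free-text lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(priority=classify(m["name"], m["location"]),
                                **m.groupdict()))
    return findings


def summarize(findings):
    """Count findings per priority, e.g. {'low': 2, 'info': 1, 'review': 1}."""
    return dict(Counter(f.priority for f in findings))


def needs_review(findings):
    """Return only the rows a helper should actually look at."""
    return [f for f in findings if f.priority == "review"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_LINES)
    print(summarize(found))
    for f in needs_review(found):
        print(f"REVIEW  {f.category}:{f.name}  ->  {f.location}")
```

Run against the full report from the first post, the same logic reduces 58 rows to one `review` item (the SaveNow adware bundled with the DAEMON Tools installer) and one `info` item (a pskill copy archived in a restore point), which matches the conclusion TeMerc reached by hand.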
