  #1  
Old 07-29-2008
Bronze Member
 
Join Date: Jul 2008
Location: Delaware, USA
Posts: 66
PC Experience: Very Experienced
Question desktop missing and reappearing after some issues last night

I think I may have an infection on my computer. When I boot the computer the desktop disappears. I went to the task manager in order to get to the internet explorer.exe so I could do this much.

I ran the hijackthis log and have it below. Someone help me please.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:19 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxdmcoms.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = eMachines North America Home Page
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdmmon.exe] "C:\Program Files\Lexmark 5000 Series\lxdmmon.exe"
O4 - HKLM\..\Run: [lxdmamon] "C:\Program Files\Lexmark 5000 Series\lxdmamon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Jerry Williams\winlogon.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OutlookOnDesktop] C:\Program Files\Outlook on the Desktop\OutlookDesktop.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-jerry williams.html
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - Comcast.net Home (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - Comcast Help & Support (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - Comcast Help & Support (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-jerry williams.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-jerry williams.html (HKCU)
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxdm_device - - C:\WINDOWS\system32\lxdmcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9037 bytes
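As an added example that is not part of this thread and not code from HijackThis or Trend Micro, here is a small Python triage script for O4 autostart lines like the ones in the log above. It extracts the image path from each Run/RunOnce value and flags the patterns that make an entry worth a closer look: a core Windows binary name (winlogon.exe, smss.exe, ...) running from anywhere other than its normal directory, an autostart image sitting in a user profile or Temp folder, an executable dropped in the drive root, and a long opaque hex argument passed at startup. The EXPECTED_DIR table, the heuristics and the function names are my own assumptions; the sample lines are copied from the log above, with the runner1 hex argument truncated. `check_path` takes any Windows path, so the same checks apply to file listings from other scanners, not only to HijackThis output.

```python
import re
from typing import List, Optional

# Core Windows binaries and the only directory each legitimately runs from.
# Malware often reuses these names from another location: the log above has a
# "winlogon.exe" autostarting out of a user profile.
EXPECTED_DIR = {
    "smss.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "ctfmon.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}

# HijackThis O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First image in a command line: a quoted path, or everything up to the first
# executable-looking extension; whatever follows is treated as arguments.
IMAGE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|scr|com|sys)))\s*(?P<args>.*)$',
    re.I,
)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{64,}\b")


def extract_image(cmd: str):
    """Split an autostart command into (image path, remaining arguments)."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("quoted") or m.group("bare")), m.group("args")


def check_path(image: str) -> List[str]:
    """Triage reasons for one image path; an empty list means nothing was flagged."""
    # Normalise as Windows would: expand %WINDIR% and compare case-insensitively.
    p = re.sub(r"%windir%", lambda _: "c:\\windows", image, flags=re.I).lower()
    directory, _, basename = p.rpartition("\\")
    directory += "\\"
    reasons = []
    expected = EXPECTED_DIR.get(basename)
    if expected and directory != expected:
        reasons.append(f"{basename} masquerade: expected in {expected}")
    if directory.startswith("c:\\documents and settings\\") or "\\temp\\" in directory:
        reasons.append("autostart image in a user-writable location")
    if re.fullmatch(r"[a-z]:\\", directory) and basename.endswith(".exe"):
        reasons.append("executable dropped in the drive root")
    return reasons


def triage_o4(line: str) -> Optional[dict]:
    """Parse one HijackThis O4 line; None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    image, args = extract_image(m.group("cmd"))
    reasons = check_path(image)
    if HEX_BLOB_RE.search(args):
        reasons.append("long opaque hex argument passed at startup")
    return {"name": m.group("name"), "image": image, "reasons": reasons}


def triage_log(text: str) -> List[dict]:
    """Return the flagged O4 entries of a HijackThis log, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = triage_o4(line)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


# Sample input: O4 lines copied from the log above; the runner1 hex argument is
# truncated to 100 characters to keep the line short.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Jerry Williams\winlogon.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF968951185EFC41280686
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"[{entry['name']}] {entry['image']}")
        for reason in entry["reasons"]:
            print("   -", reason)
```

Run on the sample, only the "Windows Logon Applicationedc" and "runner1" entries come out flagged; the Synaptics, Recguard, Java and ctfmon entries pass because their images live where those programs normally install. The heuristics are deliberately conservative: a random-looking file name on its own is not flagged, because legitimate vendors use odd names too, and a hit here is a reason to look up the file, not proof of infection.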


  #2  
Old 07-30-2008
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,960
PC Experience: Elite PC Guru
Default Re: desktop missing and reappearing after some issues last night

Yes you do have malware.


Ok. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.


__________________
My real name is Eddy
  #3  
Old 07-30-2008
Bronze Member
 
Join Date: Jul 2008
Location: Delaware, USA
Posts: 66
PC Experience: Very Experienced
Default Re: desktop missing and reappearing after some issues last night

Having a few problems getting this to work right. When I downloaded the file from Microsoft, since I do not have the XP CD, I used the mouse to drop the file on ComboFix and it does not say anything about the Recovery Console being installed. It comes up with the "ComboFix is preparing to run" screen and then warns that 1/100 computers do not make it through the disinfection process. Did I do something wrong?

My steps: downloaded combofix
downloaded the microsoft file
carried the ms file on top of combofix
clicked Run when the box popped up

Thank you for your help. I am so worried


  #4  
Old 07-30-2008
Bronze Member
 
Join Date: Jul 2008
Location: Delaware, USA
Posts: 66
PC Experience: Very Experienced
Default Re: desktop missing and reappearing after some issues last night

Got it to work. Did not seem to fix the problem though. Here is the ComboFix report:

ComboFix 08-07-29.1 - Jerry Williams 2008-07-30 9:36:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -4:00]
Running from: C:\Documents and Settings\Jerry Williams\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jerry Williams\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Jerry Williams\Application Data\macromedia\Flash Player\#SharedObjects\E553AHBC\interclick.com
C:\Documents and Settings\Jerry Williams\Application Data\macromedia\Flash Player\#SharedObjects\E553AHBC\interclick.com\ud.sol
C:\Documents and Settings\Jerry Williams\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jerry Williams\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\byXPHaYO.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\OYaHPXyb.ini
C:\WINDOWS\system32\OYaHPXyb.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tuvTkIaX.dll
C:\WINDOWS\system32\xxyyxwXR.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.
2008-07-30 09:54 . 112,378 C:\smss.exe
2008-07-30 09:54 . 8,784 C:\csrss.exe
2008-07-30 09:53 . 49,152 C:\services.exe
2008-07-29 14:11 . 2008-07-29 14:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 22:13 . 2008-07-28 22:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-07-28 21:49 . 2008-07-30 09:54 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-07-28 21:49 . 2008-07-30 09:55 <DIR> d-------- C:\TEMP\epr1
2008-07-28 07:15 . 2008-07-28 07:15 <DIR> d-------- C:\Program Files\Serif
2008-07-28 07:15 . 1993-11-24 08:38 21,008 --a------ C:\WINDOWS\system32\Ctl3d.dll
2008-07-23 11:50 . 2008-07-23 11:51 <DIR> d-------- C:\Program Files\Avanquest update
2008-07-23 11:50 . 2008-07-23 11:50 <DIR> d-------- C:\Documents and Settings\Jerry Williams\Application Data\InstallShield
2008-07-23 11:48 . 2008-07-23 11:48 <DIR> d-------- C:\Program Files\MySoftware
2008-07-23 11:48 . 2008-07-23 11:49 <DIR> d-------- C:\Program Files\Common Files\MySoftware
2008-07-23 11:48 . 1995-03-03 00:00 348,160 --a------ C:\WINDOWS\system32\MFC30.DLL
2008-07-19 13:47 . 2008-07-22 10:13 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-07-11 13:54 . 2008-07-11 13:54 136,612 --a--c--- C:\Umbro_white.ico
2008-07-11 13:54 . 2008-07-11 13:54 136,612 --a--c--- C:\lotto_black_and_white.ico
2008-07-11 13:54 . 2008-07-11 13:54 136,612 --a--c--- C:\lotto_black.ico
2008-07-11 13:53 . 2008-07-11 13:53 136,612 --a--c--- C:\Umbro_noir.ico
2008-07-11 13:53 . 2008-07-11 13:53 136,612 --a--c--- C:\Umbro_blue.ico
2008-07-11 13:53 . 2008-07-11 13:53 136,612 --a--c--- C:\Puma_blue.ico
2008-07-11 13:53 . 2008-07-11 13:53 136,612 --a--c--- C:\lotto_noir.ico
2008-07-11 13:53 . 2008-07-11 13:53 136,612 --a--c--- C:\Adidas_blue.ico
2008-07-11 13:52 . 2008-07-11 13:52 136,612 --a--c--- C:\lotto_blue.ico
2008-07-08 13:31 . 2008-07-28 11:20 <DIR> d-------- C:\Documents and Settings\Jerry Williams\Application Data\Inkscape
2008-07-08 13:21 . 2008-07-28 11:22 <DIR> d-------- C:\Program Files\Inkscape
2008-07-07 13:35 . 2008-07-07 13:35 <DIR> d-------- C:\Documents and Settings\Jerry Williams\.thumbnails
2008-07-07 11:18 . 2008-07-07 11:18 <DIR> d-------- C:\Documents and Settings\Jerry Williams\Application Data\McAfee
2008-07-07 07:41 . 2008-07-09 13:29 <DIR> d--hsc--- C:\USMT.TMP
2008-07-07 07:20 . 2008-07-25 11:32 <DIR> d-------- C:\Documents and Settings\Jerry Williams\Application Data\gtk-2.0
2008-07-07 06:54 . 2008-07-08 07:40 <DIR> d-------- C:\Documents and Settings\Jerry Williams\.gimp-2.4
2008-07-02 16:59 . 2008-07-02 17:57 <DIR> d-------- C:\Documents and Settings\Jerry Williams\.insightPoint
2008-07-02 11:44 . 2008-07-02 11:44 <DIR> d-------- C:\Program Files\Microsoft Works
2008-07-02 11:44 . 2008-07-02 11:44 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-07-02 11:37 . 2008-07-02 11:37 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-07-02 11:21 . 2008-07-02 11:21 <DIR> d-------- C:\Program Files\MSBuild
2008-07-02 11:20 . 2008-07-02 11:20 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-02 11:20 . 2008-07-02 11:20 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-07-02 11:17 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-07-02 07:21 . 2008-07-02 16:16 <DIR> d-------- C:\Program Files\Actual Drawing
2008-07-02 07:21 . 2008-07-02 07:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\PY_Software
2008-07-01 16:52 . 2008-07-24 10:54 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-01 14:16 . 2008-07-01 14:21 <DIR> d-------- C:\Documents and Settings\Jerry Williams\.gimp-2.2
2008-07-01 13:53 . 2008-07-01 14:02 <DIR> d-------- C:\Program Files\Digital Locker Assistant
2008-06-30 07:45 . 2008-07-02 06:52 <DIR> d-------- C:\Program Files\Nvu
2008-06-27 18:38 . 2008-06-27 18:38 53,248 ---hs---- C:\Documents and Settings\Jerry Williams\winlogon.exe
2008-06-27 13:45 . 2008-07-01 11:41 <DIR> d-------- C:\Documents and Settings\Jerry Williams\Application Data\FileZilla
2008-06-27 13:17 . 2008-06-27 13:17 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-06-11 06:58 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:58 . 2008-06-13 09:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 06:46 . 2008-06-07 06:46 <DIR> d-------- C:\WINDOWS\Cache
2008-06-05 11:05 . 2008-06-05 11:05 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 13:56 --------- d-----w C:\Program Files\Network Monitor
2008-07-30 13:56 --------- d-----w C:\Documents and Settings\LocalService\Application Data\NetMon
2008-07-30 13:55 932 ----a-w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-07-30 13:55 86,144 ----a-w C:\WINDOWS\system32\drivers\tapee.sys
2008-07-30 13:54 32,256 ----a-w C:\WINDOWS\system32\khfDvsRh.dll
2008-07-30 13:54 32,256 ----a-w C:\WINDOWS\system32\iifecaBR.dll
2008-07-29 11:20 --------- d-----w C:\Documents and Settings\Jerry Williams\Application Data\LimeWire
2008-07-28 15:28 --------- d-----w C:\Program Files\Coupons
2008-07-28 15:25 --------- d-----w C:\Program Files\Lavasoft
2008-07-23 15:50 --------- dc----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-07-23 15:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-22 16:56 --------- d-----w C:\Program Files\Windows Live
2008-07-22 16:43 --------- dc----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-22 14:38 --------- dc----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-22 14:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-19 17:40 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-16 06:15 --------- d-----w C:\Program Files\Java
2008-07-07 15:18 --------- dc----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-04 00:07 --------- d-----w C:\Program Files\LimeWire
2008-06-30 17:48 --------- d-----w C:\Documents and Settings\Jerry Williams\Application Data\OpenOffice.org2
2008-06-30 17:06 --------- d-----w C:\Documents and Settings\Jerry Williams\Application Data\Nvu
2008-06-29 16:48 --------- d-----w C:\Program Files\DesignPro
2008-06-23 13:51 --------- dc----w C:\Documents and Settings\All Users\Application Data\LxThumbs
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-09 11:48 --------- d-----w C:\Documents and Settings\Jerry Williams\Application Data\Windows Live Writer
2008-06-08 15:16 --------- d-----w C:\Program Files\Common Files\McAfee
2008-06-08 15:11 --------- d-----w C:\Program Files\McAfee
2008-06-03 13:20 --------- d-----w C:\Program Files\Google
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-06 14:07 520,192 -c--a-w C:\WINDOWS\system32\lovebeautyhope_3130187.scr
2006-12-03 21:21 344 -c--a-w C:\Documents and Settings\Jerry Williams\Application Data\internaldb1942.dat
2006-09-03 06:07 9,583,328 -c--a-w C:\Documents and Settings\Jerry Williams\DesktopDoctor1.5.4.exe
2006-06-16 12:48 524 -c--a-w C:\Documents and Settings\Jerry Williams\Application Data\wklnhst.dat
2004-09-18 18:28 20,480 -c--a-w C:\WINDOWS\inf\WtUninst.exe
2005-08-02 20:46 187,904 --sha-r C:\WINDOWS\IA\asappsrv.dll
2005-08-02 20:58 293,888 --sha-r C:\WINDOWS\IA\command.exe
2005-07-29 20:24 472 --sha-r C:\WINDOWS\IA\KE.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b60c11d-cbc7-1491-e608-43a6d88a0fba}]
2008-07-08 11:13 158208 --a------ C:\WINDOWS\system32\bfdvztjkvchpfr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B03BAA-CC28-4ABC-98E3-845F779CC0F0}]
2008-07-30 09:59 283136 --a------ C:\WINDOWS\system32\khfDspQH.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"OutlookOnDesktop"="C:\Program Files\Outlook on the Desktop\OutlookDesktop.exe" [2007-04-03 21:58 290816]
"MoneyBackgoundBanking"="C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 13:05 53264]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 13:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 13:47 688218]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 01:05 344064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"lxdmmon.exe"="C:\Program Files\Lexmark 5000 Series\lxdmmon.exe" [2007-07-06 12:53 455344]
"lxdmamon"="C:\Program Files\Lexmark 5000 Series\lxdmamon.exe" [2007-06-01 16:06 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-06-05 11:05 413696]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"Windows Logon Applicationedc"="C:\Documents and Settings\Jerry Williams\winlogon.exe" [2008-06-27 18:38 53248]
"runner1"="C:\WINDOWS\mrofinu1000106.exe" [2008-07-23 15:54 44544]
"{d2dd90fc-01e0-d004-98e7-9265c7753247}"="C:\WINDOWS\system32\bfdvztjkvchpfr.dll" [2008-07-08 11:13 158208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LabelMaker2.0"="C:\Program Files\Common Files\MySoftware\regdll.dll" [2006-08-02 09:05 94208]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{748D6EA8-CD59-4682-91E7-AF92F4F2D40E}"= "C:\WINDOWS\system32\khfDvsRh.dll" [2008-07-30 09:54 32256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDvsRh]
2008-07-30 09:54 32256 C:\WINDOWS\system32\khfDvsRh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.rhetorex"= rhetorex.acm
"msacm.ldadpcm"= LDADP32.acm
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\khfDspQH
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\system32\\lxdmcoms.exe"=
"C:\\Program Files\\Lexmark 5000 Series\\lxdmamon.exe"=
"C:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"C:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"C:\\Program Files\\Lexmark 5000 Series\\LXDMFax.exe"=
"C:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 19:18]
S3 AMDMSRIO;AMDMSRIO;C:\DOCUME~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys []
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2002-10-14 01:40]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2002-10-14 01:40]
*Newly Created Service* - CMDSERVICE
*Newly Created Service* - MCHINJDRV
*Newly Created Service* - NETWORK_MONITOR
*Newly Created Service* - TAPEE
.
Contents of the 'Scheduled Tasks' folder
2007-01-05 C:\WINDOWS\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2007-01-29 C:\WINDOWS\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.emachines.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
O8 -:
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: AccountLogon - C:\WINDOWS\al-popup-jerry williams.html
O8 -: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 -: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - Comcast.net Home
O9 -: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - Comcast Help & Support
O9 -: {97809617-3937-4F84-B335-9BB05EF1A8D4} - Comcast Help & Support

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-30 09:52:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

C:\WINDOWS\system32\khfDvsRh.dll 32256 bytes executable
C:\WINDOWS\system32\MSINET.oca 29184 bytes executable
C:\WINDOWS\system32\pac.txt 279600 bytes
C:\WINDOWS\system32\snplrdeqdddtwnhct.exe 64841 bytes executable
C:\WINDOWS\system32\vn3
C:\WINDOWS\system32\atmtd.dll.tmp 0 bytes
C:\WINDOWS\system32\iifecaBR.dll 32256 bytes executable
scan completed successfully
hidden files: 7
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc215.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\khfDvsRh.dll
-> C:\Documents and Settings\Jerry Williams\winlogon.exe
-> C:\WINDOWS\system32\khfDspQH.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\lxdmcoms.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\kBin02\kBin022328.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\mrofinu1000106.exec
C:\WINDOWS\mrofinu1000106.exec
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2008-07-30 10:08:06 - machine was rebooted [Jerry Williams]
ComboFix-quarantined-files.txt 2008-07-30 14:07:47
Pre-Run: 62,653,861,888 bytes free
Post-Run: 62,633,095,168 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
289 --- E O F --- 2008-07-21 18:43:39

The new HijackThis log is below:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:39 AM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\system32\lxdmcoms.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Comcast.net Home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = eMachines North America Home Page
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdmmon.exe] "C:\Program Files\Lexmark 5000 Series\lxdmmon.exe"
O4 - HKLM\..\Run: [lxdmamon] "C:\Program Files\Lexmark 5000 Series\lxdmamon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Jerry Williams\winlogon.exe
O4 - HKLM\..\Run: [{d2dd90fc-01e0-d004-98e7-9265c7753247}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\bfdvztjkvchpfr.dll" DllStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OutlookOnDesktop] C:\Program Files\Outlook on the Desktop\OutlookDesktop.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: AccountLogon - C:\WINDOWS\al-popup-jerry williams.html
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - Comcast.net Home (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - Comcast Help & Support (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - Comcast Help & Support (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-jerry williams.html (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon - {1CB13C88-96B6-11d6-9AF5-D12D26EE1F36} - C:\WINDOWS\al-popup-jerry williams.html (HKCU)
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxdm_device - - C:\WINDOWS\system32\lxdmcoms.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9775 bytes

I am still having the same problems. Help me!!!! I know you will. Thanks.


  #5  
Old 07-31-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,960
PC Experience: Elite PC Guru
Default Re: desktop missing and reappearing after some issues last night

Don't worry about the Recovery Console as you already have it in place.


Have "HijackThis" fix the following item/s in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close "HijackThis". Please close any open programs before doing this fix.

O4 - HKLM\..\Run: [{d2dd90fc-01e0-d004-98e7-9265c7753247}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\bfdvztjkvchpfr.dll" DllStart
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - Comcast.net Home (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - Comcast Help & Support (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - Comcast Help & Support (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Reboot.......................

==================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:




File::
C:\smss.exe
C:\csrss.exe
C:\WINDOWS\system32\khfDvsRh.dll
C:\WINDOWS\system32\iifecaBR.dll
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\IA\command.exe
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\system32\bfdvztjkvchpfr.dll
C:\WINDOWS\system32\khfDspQH.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\snplrdeqdddtwnhct.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\TEMP\mc215.tmp

Folder::
C:\WINDOWS\system32\kBin02
C:\TEMP\epr1
C:\Documents and Settings\Jerry Williams\Application Data\LimeWire
C:\Program Files\LimeWire
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8b60c11d-cbc7-1491-e608-43a6d88a0fba}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B03BAA-CC28-4ABC-98E3-845F779CC0F0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"runner1"=-
"{d2dd90fc-01e0-d004-98e7-9265c7753247}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfDvsRh]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*


__________________
My real name is Eddy
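As an added example (not ComboFix's code and not anything from Pancake's post), a small Python parser for the CFScript format used above: it splits the File::/Folder::/Registry:: sections, interprets the Registry:: lines with .reg semantics ("[-KEY]" deletes a key, "name"=- deletes a value), decodes the hex(7) REG_MULTI_SZ payload so you can see that the last line resets LSA's Authentication Packages to the single default entry msv1_0 (discarding anything that had been appended to it), and flags File:: entries such as C:\smss.exe that borrow a core system process name outside system32. The embedded sample script is a constructed excerpt of the one in the post, and CORE_PROCESSES is an assumed watch list.

```python
# Constructed excerpt modelled on the script posted above, not the full script.
SAMPLE_CFSCRIPT = """File::
C:\\smss.exe
C:\\WINDOWS\\system32\\khfDvsRh.dll
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"runner1"=-
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}  # only ever run from system32

def parse_cfscript(text):
    """Split a CFScript into sections keyed by directive name ('File', 'Registry', ...)."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
        elif line and current:
            sections.setdefault(current, []).append(line)
    return sections

def decode_multi_sz(hex7):
    """Decode a .reg-style 'hex(7):' REG_MULTI_SZ payload into its list of strings."""
    raw = bytes(int(b, 16) for b in hex7.split(",")).decode("latin-1")
    return [s for s in raw.split("\0") if s]

def parse_registry(lines):
    """Apply .reg semantics: '[-KEY]' deletes a key, '"name"=-' deletes a value."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            ops.append((line[2:-1], "delete_key", None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # following values apply under this key
        else:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value == "-":
                ops.append((key, "delete_value", name))
            elif value.startswith("hex(7):"):  # REG_MULTI_SZ payload
                ops.append((key, "set_multi_sz", (name, decode_multi_sz(value[7:]))))
            else:
                ops.append((key, "set", (name, value)))
    return ops

def masquerading_files(paths):
    """Flag File:: entries named like a core process but living outside system32."""
    return [p for p in paths if p.rpartition("\\")[2].lower() in CORE_PROCESSES
            and not p.rpartition("\\")[0].lower().endswith("\\windows\\system32")]
```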
  #6  
Old 07-31-2008
jerryw1976's Avatar