# Solved: HUGE error



## Mrevilbobguy (Jul 26, 2007)

OK, so I have Windows XP and whenever I boot the computer Explorer.exe closes. I can't do ANYTHING except run the CTRL+ALT+DEL menu (and whatever else I can run from it; it offers an option to run programs much like the Run option on the Start menu). So I can run everything except explorer.exe. If I try to run explorer.exe, it shows my desktop for a second or so, and then it closes the program.

My computer is pretty much infiltrated by viruses, like a pop-up adware thing that makes Internet Explorer pop up with ads (even when I'm running Firefox). These are VERY FREQUENT, like two every couple of minutes, and I would like to get rid of those as well (but I have bigger problems at the moment).

I recently used a program to stop some malicious-looking programs in hopes of stopping the IE popup program from booting at startup, so I'm wondering if that could be the cause of the explorer crash error. (I can restore the blocked programs, but only if I can access programs on the Control Panel. Unfortunately, I don't know where they are stored on the hard drive, so I can't run it.)

If anyone has any ideas on what I should do, please help!
Thanks


----------



## MFDnNC (Sep 7, 2004)

*Click here* to download *HJTInstall.exe*

Save *HJTInstall.exe* to your desktop.
Doubleclick on the *HJTInstall.exe* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch *Hijackthis*.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


----------



## Mrevilbobguy (Jul 26, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:19 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Chris\Start Menu\Programs\Startup\procexp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [{2BA35C60-07CF-1033-0908-050924040001}] "C:\Program Files\Common Files\{2BA35C60-07CF-1033-0908-050924040001}\Update.exe" mc-110-12-0001032
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [{2BA35C60-07D0-1033-0908-050924040001}] "C:\Program Files\Common Files\{2BA35C60-07D0-1033-0908-050924040001}\Update.exe" mc-110-12-0001032
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\qwndk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win16.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvxif.dll,startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: procexp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Visio\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?ad172d226fed4896b05a03e4bba1cc62
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?ad172d226fed4896b05a03e4bba1cc62
O8 - Extra context menu item: PimpFish Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Visio\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - F:\My Documents\My Videos\Viewable Movies\cutethingdies wo background.gif
O24 - Desktop Component 1: (no name) - F:\My Documents\My Downloads\dancingwii.gif
O24 - Desktop Component 2: (no name) - F:\My Documents\Business Card\Join the bunny clan (box)!.jpg
O24 - Desktop Component 3: (no name) - F:\My Documents\My Videos\Viewable Movies\funny stick fight with wall.gif
O24 - Desktop Component 4: (no name) - F:\My Documents\My Downloads\revbouncegreyjb9.gif
O24 - Desktop Component 5: (no name) - http://www.drunkduck.com/Super_Mario_and_Lou_Igi/pages/7829ea38d31bba43895d43f873a42c22.jpg
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 9: Pandora Internet Radio - Find New Music, Listen to Free Web Radio - http://www.pandora.com/

--
End of file - 12655 bytes

There you go! What now?


----------
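As an added example (not code from HijackThis or from anyone in this thread), here is a small Python triage pass over the log format pasted above: it parses the entry lines, pulls out the file each one points at, and flags the patterns a helper reads a log for (file missing, TEMP or bare %WINDIR% autostarts, AppInit_DLLs, O10 LSP hijacks). The heuristics are mine, and the embedded sample is a constructed subset of lines copied from the first log.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread, not HijackThis code or any poster's. It parses the
"O4 - ...", "O23 - ..." entry lines into (section, body, path) and applies review
heuristics modelled on what a helper reads a log for: components that are missing
on disk, autostarts from TEMP or the bare %WINDIR% root, AppInit_DLLs entries and
the O10 Winsock (LSP) hijack lines. A flag is a prompt to look up the file, not a
verdict that it is malicious.
"""
import re
from dataclasses import dataclass, field

# Every HJT entry line starts with a section tag: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # text after "O4 - "
    path: str      # best-effort file the entry points at, "" if none
    flags: list = field(default_factory=list)

def _clean(text: str) -> str:
    return text.replace("(file missing)", "").replace("(no file)", "").strip()

def _first_file(cmd: str) -> str:
    """Leading file reference of an unquoted command line (keeps spaces in paths)."""
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith((".exe", ".dll", ".scr", ".com")):
            return " ".join(tokens[: i + 1])
    return tokens[0]  # no extension at all, e.g. C:\WINDOWS\g4356cbvy63

def extract_path(section: str, body: str) -> str:
    if section == "O4":  # Run/RunOnce: "[value name] command line"
        _, sep, cmd = body.partition("] ")
        if not sep:
            return ""
        cmd = cmd.strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        path = _first_file(cmd)
        if path.lower() == "rundll32.exe":  # report the DLL rundll32 is told to load
            path = _first_file(cmd[len(path):].strip()).split(",", 1)[0]
        return path
    if section == "O20":  # "AppInit_DLLs: <path>" or "Winlogon Notify: name - <path>"
        return _clean(body.rsplit(" - ", 1)[-1].split(": ", 1)[-1])
    if section in ("O2", "O3", "O9", "O16", "O18", "O23"):  # "... - {GUID} - <path>"
        return _clean(body.rsplit(" - ", 1)[-1])
    return ""

def triage(entry: Entry) -> list:
    """Review flags for one entry; each is a reason a helper would look closer."""
    flags = []
    body, path = entry.body.lower(), entry.path.lower()
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphaned: registered component is no longer on disk")
    if entry.section == "O10":
        flags.append("winsock-lsp: third-party LSP inserted into the network stack")
    if entry.section == "O20" and body.startswith("appinit_dlls"):
        flags.append("appinit: DLL loaded into every user-mode process at start")
    if "\\temp\\" in path or "\\tmp\\" in path:
        flags.append("temp-dir: autostart launched from a temporary folder")
    if entry.section == "O4" and entry.path:
        directory, _, name = entry.path.rpartition("\\")
        if not directory:
            flags.append("unqualified: bare filename, resolved through the search path")
        elif directory.lower() == "c:\\windows":
            flags.append("windir-root: autostart directly under %WINDIR%, not a subfolder")
        if "." not in name:
            flags.append("no-extension: executable registered without a file extension")
        elif name.lower().endswith(".tmp.exe"):
            flags.append("double-extension: *.tmp.exe style name")
    return flags

def parse_log(text: str) -> list:
    """Parse every entry line; header, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = Entry(m["section"], m["body"], extract_path(m["section"], m["body"]))
            e.flags = triage(e)
            entries.append(e)
    return entries

def flagged_entries(text: str) -> list:
    return [e for e in parse_log(text) if e.flags]

# Constructed sample: a subset of lines copied from the first log in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\qwndk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win16.tmp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O10 - Hijacked Internet access by WebHancer
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hyaXM\command.exe (file missing)
"""
```

A flag is only a prompt to look the file up: the CTDrive entry's drvxif.dll in the log above sits in system32 under an ordinary name and would pass these heuristics, so vendor and hash lookups still decide.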



## jrbuergel (Jan 17, 2004)

Have you yet tried re-booting into one of the "Advanced Options Menu" items such as safe mode, or Last Known Good Configuration? Or how about a system restore attempt?


----------



## Mrevilbobguy (Jul 26, 2007)

jrbuergel said:


> Have you yet tried re-booting into one of the "Advanced Options Menu" items such as *safe mode, or Last Known Good Configuration*? Or how about a *system restore attempt?*


Do you know where those are located on most hard drives? Because I can't access the start menu.


----------



## MFDnNC (Sep 7, 2004)

*NOTE: If you have downloaded ComboFix previously please delete that version and download it again!*

Download this file :

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
or
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
================

Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me *with a new HijackThis log*.

This will take some time!!!!!!!!


----------



## Mrevilbobguy (Jul 26, 2007)

Thanks, the SUPERAntiSpyware Free Edition worked like a charm. It got rid of the virus (which is called trojan.downloader-CommandDesktop).

Anyway, thanks again! I would recommend this program to anybody with issues on their computer.


----------



## MFDnNC (Sep 7, 2004)

You are making a mistake not posting the requested logs and a new hijack log.

There is more to clean than what SAS did.


----------



## Mrevilbobguy (Jul 26, 2007)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:30 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\Ditto\Ditto.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Palm\Hotsync.exe
C:\Documents and Settings\Chris\Start Menu\Programs\Startup\procexp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://torrent-finder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {023AFF80-311B-48BB-3823-11E4BCC4EF9E} - C:\WINDOWS\system32\qrwpfb.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: BandBHO Class - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorCL\AdSponsorCL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: PimpFish - {D593DE91-7B41-45C2-830E-E9A99AB142AA} - C:\Program Files\PimpFish\PimpFish.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb101\Dealio.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKCU\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKCU\..\Run: [Ditto] C:\Program Files\Ditto\Ditto.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: procexp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb101\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Visio\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?ad172d226fed4896b05a03e4bba1cc62
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?ad172d226fed4896b05a03e4bba1cc62
O8 - Extra context menu item: PimpFish Grab movies on this page - C:\Program Files\PimpFish\GRABPAGEMOVIES.HTM
O8 - Extra context menu item: PimpFish Grab pictures on this page - C:\Program Files\PimpFish\GRABPAGEPICS.HTM
O8 - Extra context menu item: PimpFish Grab pictures this page links to - C:\Program Files\PimpFish\GRABPAGELINKS.HTM
O8 - Extra context menu item: PimpFish Grab Target File - C:\Program Files\PimpFish\GRABLINK.HTM
O8 - Extra context menu item: PimpFish Grab This Picture - C:\Program Files\PimpFish\GRABPIC.HTM
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Visio\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb101\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: System Safety Monitor - C:\WINDOWS\SYSTEM32\SSMWinlogonEx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - F:\My Documents\My Videos\Viewable Movies\cutethingdies wo background.gif
O24 - Desktop Component 1: (no name) - F:\My Documents\My Downloads\dancingwii.gif
O24 - Desktop Component 2: (no name) - F:\My Documents\Business Card\Join the bunny clan (box)!.jpg
O24 - Desktop Component 3: (no name) - F:\My Documents\My Videos\Viewable Movies\funny stick fight with wall.gif
O24 - Desktop Component 4: (no name) - F:\My Documents\My Downloads\revbouncegreyjb9.gif
O24 - Desktop Component 5: (no name) - http://www.drunkduck.com/Super_Mario_and_Lou_Igi/pages/7829ea38d31bba43895d43f873a42c22.jpg
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 9: Pandora Internet Radio - Find New Music, Listen to Free Web Radio - http://www.pandora.com/

--
End of file - 12819 bytes


----------



## Mrevilbobguy (Jul 26, 2007)

"Chris" - 2007-07-29 20:16:17 [GMT -7:00] - ComboFix 07-07-24 - Service Pack 2 NTFS

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-30 )))))))))))))))))))))))))))))))

2007-07-29 20:11 d--------	C:\Program Files\FontLab
2007-07-29 20:11 d--------	C:\Program Files\Common Files\FontLab
2007-07-29 00:26 d--------	C:\DOCUME~1\Chris\APPLIC~1\Nexon
2007-07-27 22:59 d--------	C:\Program Files\SUPERAntiSpyware
2007-07-27 22:59 d--------	C:\DOCUME~1\Chris\APPLIC~1\SUPERAntiSpyware.com
2007-07-27 22:59 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-27 21:47	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-07-26 19:23 d--------	C:\Program Files\Trend Micro
2007-07-26 14:27	70,312	--a------	C:\Program Files\codec_setup.exe
2007-07-26 14:13	6,507	---hs----	C:\WINDOWS\system32\nqtss.bak2
2007-07-26 00:38	6,466	---hs----	C:\WINDOWS\system32\nqtss.bak1
2007-07-24 17:34 d--------	C:\temp\brr
2007-07-24 17:34 d--------	C:\temp\0c2
2007-07-23 20:25 d--------	C:\Program Files\iPod
2007-07-19 19:43 d--------	C:\Program Files\Fantasyware
2007-07-03 00:06 d--------	C:\Program Files\Balance to Win
2007-07-02 17:15 d--------	C:\Program Files\iTunes
2007-07-02 17:14 d--------	C:\Program Files\Common Files\Apple
2007-07-02 17:14 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-01 18:52 d--------	C:\Team17
2007-06-29 08:46 d--------	C:\DOCUME~1\Chris\APPLIC~1\IMVU
2007-06-29 03:23 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 03:13:38	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\Ditto
2007-07-30 01:49:01	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\DNA
2007-07-30 01:38:58	163,584	----a-w	C:\WINDOWS\system32\drivers\vidstub.sys
2007-07-29 23:44:54	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\BitTorrent
2007-07-28 06:28:24	--------	d-----w	C:\Program Files\Ditto
2007-07-28 05:58:23	--------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-07-26 05:38:07	--------	d-----w	C:\Program Files\Dictionary
2007-07-25 20:51:01	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\MSNGames
2007-07-25 13:17:30	664	----a-w	C:\WINDOWS\system32\d3d9caps.dat
2007-07-24 03:10:29	--------	d-----w	C:\Program Files\QuickTime
2007-07-19 07:28:44	--------	d-----w	C:\Program Files\BitTorrent
2007-07-03 02:22:01	--------	d-----w	C:\Program Files\Picasa2
2007-07-02 01:52:43	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-30 16:05:46	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\Move Networks
2007-06-29 10:23:36	--------	d--h--r	C:\DOCUME~1\Chris\APPLIC~1\yahoo!
2007-06-28 00:31:04	--------	d-----w	C:\Program Files\Yahoo!
2007-06-27 14:28:37	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\gtk-2.0
2007-06-25 13:54:32	53,248	----a-w	C:\WINDOWS\uni_eh44.exe
2007-06-25 13:53:26	53,248	----a-w	C:\WINDOWS\uninst1014.exe
2007-06-24 15:25:57	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\Joost
2007-06-24 15:25:50	--------	d-----w	C:\Program Files\Joost
2007-06-23 05:22:23	--------	d-----w	C:\Program Files\Windows Live Toolbar
2007-06-23 04:49:21	--------	d-----w	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-22 06:12:08	--------	d-----w	C:\Program Files\PokeTronic
2007-06-22 03:23:18	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\Rominator Data
2007-06-08 21:58:01	--------	d-----w	C:\Program Files\Babelgum
2007-06-08 21:44:06	--------	d-----w	C:\Program Files\Free Download Manager
2007-06-07 01:34:40	--------	d-----w	C:\Program Files\WFCStatus
2007-06-02 18:28:38	--------	d-----w	C:\Program Files\Skype
2007-06-02 18:28:38	--------	d-----w	C:\Program Files\Common Files\Skype
2007-06-02 09:04:46	--------	d-----w	C:\DOCUME~1\Chris\APPLIC~1\Adesso Systems
2007-06-02 08:00:24	--------	d-----w	C:\Program Files\Adesso Systems
2007-05-31 16:17:50	--------	d-----w	C:\Program Files\Google
2007-05-16 15:12:02	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-05-15 07:02:01	356,352	----a-w	C:\WINDOWS\eSellerateEngine.dll
2007-04-28 05:18:38	217,903	----a-w	C:\WINDOWS\Setup105.exe
2006-11-16 02:26:27	179,456	-c--a-w	C:\DOCUME~1\Chris\APPLIC~1\GDIPFONTCACHEV1.DAT
2001-03-31 12:00:06	120,823	-c--a-w	C:\Program Files\Common Files\mscombtl32.exe
2001-03-31 12:00:01	24,576	-c--a-w	C:\Program Files\Common Files\upddebug.exe
2005-05-14 01:12:00	217,073	-csha-r	C:\WINDOWS\meta4.exe
2005-10-24 19:13:58	66,560	-csha-r	C:\WINDOWS\MOTA113.exe
2005-10-14 05:27:00	422,400	-csha-r	C:\WINDOWS\x2.64.exe
2005-10-08 03:14:52	308,224	-csha-r	C:\WINDOWS\system32\avisynth.dll
2005-07-14 20:31:20	27,648	-csha-r	C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 23:32:28	616,448	-csha-r	C:\WINDOWS\system32\cygwin1.dll
2005-06-22 06:37:42	45,568	-csha-r	C:\WINDOWS\system32\cygz.dll
2004-01-25 08:00:00	70,656	-csha-r	C:\WINDOWS\system32\i420vfw.dll
2006-04-27 18:24:24	2,945,024	-csha-r	C:\WINDOWS\system32\Smab.dll
2005-02-28 21:16:22	240,128	-csha-r	C:\WINDOWS\system32\x.264.exe
2004-01-25 08:00:00	70,656	-csha-r	C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{023AFF80-311B-48BB-3823-11E4BCC4EF9E}]
C:\WINDOWS\system32\qrwpfb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CA1C00B-90FC-4F3E-911F-95306ABA49AA}]
2007-04-06 07:45	192512	--a------	C:\Program Files\AdSponsorCL\AdSponsorCL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 22:26]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 22:17]
"nwiz"="nwiz.exe" [2004-07-09 03:02 C:\WINDOWS\system32\nwiz.exe]
"anvshell"="anvshell.exe" [2004-06-24 06:28 C:\WINDOWS\anvshell.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-06-15 16:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 17:21]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-02-23 14:30]
"Ditto"="C:\Program Files\Ditto\Ditto.exe" [2006-08-04 12:20]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 12:37]
"DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-05 14:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Free Download Manager"="C:\Program Files\Free Download Manager\fdm.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 16:11]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
procexp.exe [2005-08-22 14:29:44]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:27:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= F:\My Documents\My Videos\Viewable Movies\cutethingdies wo background.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= F:\My Documents\My Downloads\dancingwii.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= F:\My Documents\Business Card\Join the bunny clan (box)!.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
Source= F:\My Documents\My Videos\Viewable Movies\funny stick fight with wall.gif
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\4]
Source= F:\My Documents\My Downloads\revbouncegreyjb9.gif
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{7512AD8C-F357-4FDE-8537-AA01D926B5FA}"= C:\WINDOWS\system32\clbwat.dll [2001-01-01 06:36 57344]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 
LMIinit.dll 2006-10-06 20:56 11504 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\System Safety Monitor] 
SSMWinlogonEx.dll 2007-01-22 09:52 51152 C:\WINDOWS\system32\SSMWinlogonEx.dll

R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys
R0 safemon;System Safety Monitor 2.0 Core Engine;C:\WINDOWS\system32\drivers\safemon.sys
R0 sr;System Restore Filter Driver;C:\WINDOWS\system32\DRIVERS\sr.sys
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys
R1 AFD;AFD Networking Support Environment;C:\WINDOWS\system32\drivers\afd.sys
R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys
R1 asuskbnt;asuskbnt;C:\WINDOWS\system32\DRIVERS\asuskbnt.sys
R1 cdrbsdrv;cdrbsdrv;C:\WINDOWS\system32\drivers\cdrbsdrv.sys
R1 mnmdd;mnmdd;C:\WINDOWS\system32\drivers\mnmdd.sys
R1 NetBT;NetBios over Tcpip;C:\WINDOWS\system32\DRIVERS\netbt.sys
R1 Npfs;Npfs;C:\WINDOWS\system32\drivers\Npfs.sys
R1 redbook;Digital CD Audio Playback Filter Driver;C:\WINDOWS\system32\DRIVERS\redbook.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment;C:\WINDOWS\system32\drivers\ws2ifsl.sys
R2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ALIEHCI.sys
R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;\??\C:\Program Files\ASTRA32\ASTRA32.sys
R2 BlueSoleil Hid Service;BlueSoleil Hid Service;C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
R2 BthServ;Bluetooth Support Service;C:\WINDOWS\system32\svchost.exe -k bthsvcs
R2 EIO;EIO;\??\C:\WINDOWS\system32\drivers\EIO.sys
R2 Gizmo Plugin;Gizmo VoIP Service;"C:\Program Files\GizmoPlugin\GizmoPlugin.exe"
R2 lanmanserver;Server;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 lanmanworkstation;Workstation;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\C:\Program Files\LogMeIn\RaInfo.sys
R2 mple7docserver;Maya 7 PLE Documentation Server;"C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf"
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 winmgmt;Windows Management Instrumentation;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 aliroothub;USB 2.0 Root Hub;C:\WINDOWS\system32\DRIVERS\AliRtHub.sys
R3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
R3 LMImirr;LMImirr;C:\WINDOWS\system32\DRIVERS\LMImirr.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
R3 serenum;Serenum Filter Driver;C:\WINDOWS\system32\DRIVERS\serenum.sys
R3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\system32\drivers\wdmaud.sys
S0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
S3 BlueletSCOAudio;Bluetooth SCO Audio Service;C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys
S3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
S3 BthEnum;Bluetooth Request Block Driver;C:\WINDOWS\system32\DRIVERS\BthEnum.sys
S3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
S3 BthPan;Bluetooth Device (Personal Area Network);C:\WINDOWS\system32\DRIVERS\bthpan.sys
S3 BTHPORT;Bluetooth Port Driver;C:\WINDOWS\system32\Drivers\BTHport.sys
S3 BTHUSB;Bluetooth Radio USB Driver;C:\WINDOWS\system32\Drivers\BTHUSB.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\Program Files\IVT Corporation\BlueSoleil\Device\Win2k\BTNetFilter.sys
S3 dsreader;MaxDrive Driver (dsreader.sys);C:\WINDOWS\system32\Drivers\dsreader.sys
S3 grmnusb;grmnusb;C:\WINDOWS\system32\drivers\grmnusb.sys
S3 HidBth;Microsoft Bluetooth HID Miniport;C:\WINDOWS\system32\DRIVERS\hidbth.sys
S3 HTTPFilter;HTTP SSL;C:\WINDOWS\System32\svchost.exe -k HTTPFilter
S3 IpFilterDriver;IP Traffic Filter Driver;C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
S3 NABTSFEC;NABTS/FEC VBI Codec;C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 NwlnkFlt;IPX Traffic Filter Driver;C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
S3 psdriver;psdriver;\??\C:\Program Files\psdriver\psdriver.sys
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1);C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
S3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
S3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 VHidMinidrv;Bluetooth HID Device Service;C:\WINDOWS\system32\drivers\VHIDMini.sys
S4 ILT;ILT;"C:\WINDOWS\iltxxx.exe"
S4 mnmsrvc;NetMeeting Remote Desktop Sharing;C:\WINDOWS\System32\mnmsrvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	BthServ

Contents of the 'Scheduled Tasks' folder
2007-07-29 23:30:01 C:\WINDOWS\tasks\Advanced WindowsCare V2 Pro.job
2007-07-23 14:26:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-30 03:00:10 C:\WINDOWS\tasks\AwcProUpdate.job
2007-07-30 02:44:00 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
2006-07-24 22:50:44 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1142207399.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 20:19:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E3186A7-F265-3A88-E262-E59BC981E13B}]
"hahbigofcoddabif"=hex:6a,61,6b,6a,65,69,63,6a,6f,6c,6b,6b,6e,6e,6a,6e,64,6c,61,6a,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{491B5CF3-E867-E94D-191C-6E658567F8A8}]
"iakkpgnoliglgkjhnh"=hex:64,61,6e,61,68,62,6a,65,00,c0
"iaoldifdcgeiickglm"=hex:6b,61,6e,61,6f,62,64,6b,63,67,61,61,63,67,63,62,63,61,65,6e,6c,..
"hamlnhadcogofdhn"=hex:69,61,6e,61,62,62,62,67,67,62,66,69,66,65,62,66,64,68,00,00
"eagnpgafmk"=hex:61,62,64,6d,69,6c,6f,63,62,63,61,70,66,67,6d,67,70,69,63,65,65,..
"capkhh"=hex:6f,61,6f,61,6a,6f,68,6e,61,68,6c,62,67,62,6c,68,61,6a,70,62,61,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C8120316-B236-D1D3-A4D1-2ED3420F9DDE}]
"oajdigpekonaiekfgjendcpglkgioo"=hex:63,61,6a,62,6b,66,00,7c
"oafeabdfbehjfmjeobemiimiklhjjo"=hex:6a,61,70,61,68,6a,63,68,61,70,67,67,64,6c,67,64,6e,65,70,64,00,..
"naldoabeeobalmmcencankehgpjn"=hex:6a,61,70,61,68,6a,63,68,61,70,67,67,64,6c,67,64,6e,65,70,64,00,..

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mple7docserver]
"ImagePath"="\"C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe\" -s \"C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf\""

Completion time: 2007-07-29 20:20:16
C:\ComboFix-quarantined-files.txt ... 2007-07-29 20:19
C:\ComboFix2.txt ... 2007-07-27 22:50

--- E O F ---


----------



## MFDnNC (Sep 7, 2004)

Fix this with HiJackThis: mark it, close IE, click fix checked.

O2 - BHO: (no name) - {023AFF80-311B-48BB-3823-11E4BCC4EF9E} - C:\WINDOWS\system32\qrwpfb.dll (file missing)

Clean

If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on; here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

This clears infected restore points and sets a new, clean one.
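One way to pick out the entry flagged above mechanically, as an added example that is not part of this thread or of either tool: it parses HijackThis O2 lines and the BHO entries of ComboFix's "Reg Loading Points", flags a BHO whose DLL is reported "(file missing)" or is listed without a date/size line, and correlates the CLSIDs flagged by both. The sample lines are constructed from the log quoted in the thread.

```python
import re
from collections import namedtuple

# Constructed sample input, modelled on the two BHO entries visible in the
# thread's ComboFix log and the O2 line the helper asked to have fixed.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {023AFF80-311B-48BB-3823-11E4BCC4EF9E} - C:\WINDOWS\system32\qrwpfb.dll (file missing)
O2 - BHO: AdSponsorCL - {6CA1C00B-90FC-4F3E-911F-95306ABA49AA} - C:\Program Files\AdSponsorCL\AdSponsorCL.dll
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{023AFF80-311B-48BB-3823-11E4BCC4EF9E}]
C:\WINDOWS\system32\qrwpfb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CA1C00B-90FC-4F3E-911F-95306ABA49AA}]
2007-04-06 07:45    192512    --a------    C:\Program Files\AdSponsorCL\AdSponsorCL.dll
""".strip().splitlines()

# source is "hijackthis" or "combofix"; clsid is upper-cased for correlation.
Finding = namedtuple("Finding", "source clsid path reason")

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
HJT_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# ComboFix 'Reg Loading Points': a BHO key header, then either a stat line
# "<date> <time> <size> <attrs> <path>" or, if the file is absent, a bare path.
CF_BHO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]+\})\]$")
CF_STAT = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")

def triage_hijackthis(lines):
    """Flag O2 BHO entries whose DLL HijackThis reports as missing."""
    out = []
    for line in lines:
        m = HJT_O2.match(line.strip())
        if m and m.group("missing"):
            out.append(Finding("hijackthis", m.group("clsid").upper(),
                               m.group("path"), "BHO registered but DLL missing"))
    return out

def triage_combofix(lines):
    """Flag BHO keys whose following line is a bare path rather than a stat
    line: ComboFix prints date/size/attributes only for files it could find."""
    out = []
    it = iter(lines)
    for line in it:
        m = CF_BHO_KEY.match(line.strip())
        if not m:
            continue
        detail = next(it, "").strip()
        if detail and not CF_STAT.match(detail):
            out.append(Finding("combofix", m.group("clsid").upper(),
                               detail, "BHO DLL has no date/size line"))
    return out

def correlate(hjt_findings, cf_findings):
    """CLSIDs flagged by both tools: the strongest candidates for removal."""
    return {f.clsid for f in hjt_findings} & {f.clsid for f in cf_findings}
```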


----------



## Mrevilbobguy (Jul 26, 2007)

Uh... I would do that... if I could... My computer is now in an infinite loop of restarting. When I turn it on, it goes through all the normal processes, but then, right before it hits the Windows XP loading screen, it gives the "boot in safe mode" screen. It gives five options, none of which work.

-Safe mode
-Safe mode with networking
-Safe mode with command prompt
-Last known good configuration
-Start Windows normally

The top three options bring up a long list of files, then the PC restarts. The bottom two make the Windows loading screen pop up and then it restarts. After it restarts it brings up the same page again.

Any ideas? (I'm really hoping I don't have to reinstall Windows, or worse, lose my files)

Thanks for all your help.
-This message was brought to you by my Wii-


----------



## MFDnNC (Sep 7, 2004)

Do a START - Run - sfc /scannow


----------



## Mrevilbobguy (Jul 26, 2007)

But I can't because Windows doesn't load. I can't get past the boot screen.


----------



## MFDnNC (Sep 7, 2004)

Boot from the CD and do a repair install


----------



## Mrevilbobguy (Jul 26, 2007)

How do I do that? (I tried, but I installed another copy of Windows by accident)


----------



## MFDnNC (Sep 7, 2004)

http://www.michaelstevenstech.com/XPrepairinstall.htm


----------

