
All icons at my desktop and the taskbar are gone

Posted 8/28/2012 6:11 AM
#94293

shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
Kindly help me with my computer. When I open my computer, all icons and the taskbar were gone. I can't shut it down, only through the AVR. But when I try to open it in safe mode, it works. Please tell me what to do.
Here is my ComboFix log:
ComboFix 12-08-25.04 - Administrator 8/2012 Tue 11:47:52.17.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2038.1647 [GMT 8:00]
执行位置: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( 2012-07-28 至 2012-08-28 的新的档案 )))))))))))))))))))))))))))))))
.
.
2012-08-28 03:27 . 2012-08-28 03:27 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-04 00:59 . 2012-08-04 01:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2012-07-30 21:52 . 2012-07-30 21:52 103904 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-25 09:48 . 2012-04-19 00:44 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-25 09:48 . 2011-11-21 11:42 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 05:46 . 2011-11-22 04:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-20 03:29 . 2011-12-02 05:16 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-05-21_03.59.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-22 06:02 . 2012-08-14 02:35 63964 c:\windows\system32\mlfcache.dat
- 2012-01-11 05:38 . 2012-03-21 06:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-11 05:38 . 2012-08-23 00:52 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-11 05:38 . 2012-08-23 00:52 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2012-01-11 05:38 . 2012-03-21 06:41 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-07-20 09:52 . 2012-07-20 09:52 22016 c:\windows\Installer\9dfab.msi
+ 2012-06-22 06:15 . 2012-06-22 06:15 49664 c:\windows\Installer\149ffc1.msi
+ 2012-06-19 05:47 . 2001-08-17 14:36 5632 c:\windows\system32\ptpusb.dll
+ 2012-06-19 05:47 . 2008-04-13 21:42 159232 c:\windows\system32\ptpusd.dll
+ 2012-08-25 09:48 . 2012-08-25 09:48 690888 c:\windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_Plugin.exe
+ 2012-08-15 02:02 . 2012-08-15 02:02 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
+ 2012-08-15 02:02 . 2012-08-15 02:02 466632 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
+ 2012-04-19 00:44 . 2012-08-25 09:48 250568 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2008-08-13 22:44 . 2012-08-14 01:26 273376 c:\windows\system32\FNTCACHE.DAT
+ 2012-06-15 03:35 . 2012-06-15 05:30 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2012-08-10 06:30 . 2012-08-10 06:30 371272 c:\windows\Installer\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}\SkypeIcon.exe
+ 2011-04-22 05:26 . 2011-04-22 05:26 688128 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\JP2KLib.dll
+ 2009-01-18 08:00 . 2009-01-18 08:00 598016 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AXSLE.dll
+ 2012-01-03 07:37 . 2012-01-03 07:37 320456 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\adobearmhelper.exe
+ 2012-01-02 02:07 . 2012-01-02 02:07 843712 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\adobearm.exe
+ 2012-01-19 01:59 . 2012-08-28 03:28 2344836 c:\windows\system32\Restore\rstrlog.dat
+ 2012-08-25 09:48 . 2012-08-25 09:48 9813704 c:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll
+ 2012-08-10 06:30 . 2012-08-10 06:30 1648640 c:\windows\Installer\2a66e.msi
+ 2012-07-31 16:18 . 2012-07-31 16:18 5018624 c:\windows\Installer\2106aa6.msp
+ 2011-01-30 13:16 . 2011-01-30 13:16 5713408 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0500000010\9.5.0\AGM.dll
+ 2012-06-22 06:15 . 2012-06-22 06:15 15705600 c:\windows\Installer\149ffc8.msp
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-22 39408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-01 141848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2010-3-3 141488]
Feed Notifier.lnk - c:\program files\Feed Notifier\notifier.exe [2012-3-8 58368]
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2011-11-22 210432]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IPMsg\\ipmsg.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Searchqu Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [8/30/2008 12:31 PM 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [8/30/2008 12:31 PM 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [8/30/2008 12:32 PM 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [8/30/2008 12:32 PM 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [8/30/2008 12:31 PM 45056]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [8/30/2008 12:31 PM 9809]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 AviraUpgradeService;Avira Upgrade Service;"c:\windows\TEMP\AVSETUP_4f0f7ded\avupgsvc.exe" /TEMPSTART:""c:\windows\TEMP\AVSETUP_4f0f7ded\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> c:\windows\TEMP\AVSETUP_4f0f7ded\avupgsvc.exe [?]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [11/21/2011 7:28 PM 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
S2 HOSTNT;Hostnt;c:\windows\system32\drivers\hostnt.sys [11/21/2011 7:46 PM 4032]
S2 MHDRV;Mhdrv;c:\windows\system32\drivers\mhdrv.sys [11/21/2011 7:46 PM 27696]
S2 Protector by IB Updater;Protector by IB Updater;c:\program files\Protector by IB\ExtensionUpdaterService.exe [5/16/2012 2:03 PM 185856]
S2 RCMHDOG;RCMHDOG;c:\windows\system32\drivers\rcmhdog.sys [11/21/2011 7:46 PM 26060]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/3/2012 1:19 PM 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/19/2012 8:44 AM 250568]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [11/21/2011 7:28 PM 2732032]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 10:24 AM 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/7/2012 10:20 AM 113120]
.
‘计划任务’ 文件夹 里的内容
.
2012-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 09:48]
.
2012-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 02:24]
.
2012-08-28 c:\windows\Tasks\User_Feed_Synchronization-{494232BA-F10B-4C2D-910D-DD06DB7D7733}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 20:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://start.funmoods.com/?f=1&a=w7th1&chnl=w7th1&cd=2XzutAtN2Y1L1QzutDtDtByEtBtC0A0AtA0AtCyE0CyCtC0BtN0D0TzutBtDtCtBtDyBtCzy&cr=977877310
mStart Page = hxxp://start.funmoods.com/?f=1&a=w7th1&chnl=w7th1&cd=2XzutAtN2Y1L1QzutDtDtByEtBtC0A0AtA0AtCyE0CyCtC0BtN0D0TzutBtDtCtBtDyBtCzy&cr=977877310
uInternet Connection Wizard,ShellNext = hxxp://www.firebirdsql.org//afterinstall
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 124.106.5.2 124.106.6.2
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obpr90mx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.funmoods.com/?f=1&a=w7th1&chnl=w7th1&cd=2XzutAtN2Y1L1QzutDtDtByEtBtC0A0AtA0AtCyE0CyCtC0BtN0D0TzutBtDtCtBtDyBtCzy&cr=977877310
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=394&systemid=406&sr=0&q=
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyC0p5zen&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - c45bc61b000000000000002421aa3a14
FF - user.js: extensions.incredibar_i.instlDay - 15476
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1414:03
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyC0p5zen
FF - user.js: extensions.incredibar_i.upn2n - 92261418233124847
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10650
FF - user.js: extensions.incredibar_i.ppd - 27%5F4
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=w7th1&chnl=w7th1&cd=2XzutAtN2Y1L1QzutDtDtByEtBtC0A0AtA0AtCyE0CyCtC0BtN0D0TzutBtDtCtBtDyBtCzy&cr=977877310
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=w7th1&chnl=w7th1&cd=2XzutAtN2Y1L1QzutDtDtByEtBtC0A0AtA0AtCyE0CyCtC0BtN0D0TzutBtDtCtBtDyBtCzy&cr=977877310
FF - user.js: extensions.funmoods.tlbrSrchUrl -
FF - user.js: extensions.funmoods.id - c45bc61b000000000000002421aa3a14
FF - user.js: extensions.funmoods.instlDay - 15540
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2211:44
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - w7th1
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - w7th1
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-28 11:52
Windows 5.1.2600 Service Pack 3 NTFS
.
扫描被隐藏的进程 。。。
.
扫描被隐藏的启动组 。。。
.
扫描被隐藏的文件 。。。
.
扫描完成
被隐藏的档案: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1757981266-113007714-682003330-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{9D717F81-9148-4F12-8568-69135F087DB0}"=hex:51,66,7a,6c,4c,1d,3b,1b,91,60,64,
81,78,cb,75,03,9b,65,2d,53,5e,4a,3b,ac
"{336D0C35-8A85-403a-B9D2-65C292C39087}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,13,78,
2f,b5,d0,5d,0c,a7,df,21,82,93,81,d6,9b
.
[HKEY_USERS\S-1-5-21-1757981266-113007714-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,c3,57,50,94,ad,38,41,85,3f,9a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,78,c3,57,50,94,ad,38,41,85,3f,9a,\
.
完成时间: 2012-08-28 11:53:50
ComboFix-quarantined-files.txt 2012-08-28 03:53
ComboFix2.txt 2012-08-28 00:54
ComboFix3.txt 2012-08-25 01:57
ComboFix4.txt 2012-08-14 01:54
ComboFix5.txt 2012-08-28 03:47
.
Pre-Run: 105,259,413,504 bytes free
Post-Run: 105,628,831,744 bytes free
.
- - End Of File - - 5DBEB4ED34A7582AC799BA81E05143F7

This is also my Malwarebytes log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.28.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: JOY [administrator]

8/28/2012 11:57:00 AM
mbam-log-2012-08-28 (11-57-00).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290776
Time elapsed: 24 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I tried c:\> attrib -s-h s/d/ *.*
Here is the log:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd c:\

C:\>attrib -s -h /s /d *.*
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-H
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap\Identity-V
Access denied - C:\Program Files\Adobe\Reader 9.0\Resource\CMap
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll
Access denied - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
Access denied - C:\Qoobox\BackEnv
Access denied - C:\WINDOWS\Prefetch\ACCOUNT.EXE-11EB9945.pf
Access denied - C:\WINDOWS\Prefetch\ADOBEARM.EXE-2D1B11BF.pf
Access denied - C:\WINDOWS\Prefetch\ASPELL.EXE-2320D1FB.pf
Access denied - C:\WINDOWS\Prefetch\ASWREGSVR.EXE-27360615.pf
Access denied - C:\WINDOWS\Prefetch\ATTRIB.3XE-09E9D153.pf
Access denied - C:\WINDOWS\Prefetch\ATTRIB.3XE-10E166FB.pf
Access denied - C:\WINDOWS\Prefetch\ATTRIB.EXE-39EAFB02.pf
Access denied - C:\WINDOWS\Prefetch\AVAST.SETUP-10F48C5B.pf
Access denied - C:\WINDOWS\Prefetch\AVASTEMUPDATE.EXE-033BD90D.pf
Access denied - C:\WINDOWS\Prefetch\AVASTUI.EXE-0B3C80E5.pf
Access denied - C:\WINDOWS\Prefetch\CF2454.3XE-26BCF719.pf
Access denied - C:\WINDOWS\Prefetch\CHCP.COM-18156052.pf
Access denied - C:\WINDOWS\Prefetch\CHIKKALAUNCHER.EXE-32AB4B6C.pf
Access denied - C:\WINDOWS\Prefetch\CMD.3XE-32EEC145.pf
Access denied - C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Access denied - C:\WINDOWS\Prefetch\COMBOFIX.EXE-3A3A8115.pf
Access denied - C:\WINDOWS\Prefetch\CONIME.EXE-13EEEA1A.pf
Access denied - C:\WINDOWS\Prefetch\CSCRIPT.3XE-1A0F6A51.pf
Access denied - C:\WINDOWS\Prefetch\CSCRIPT.3XE-1AD11928.pf
Access denied - C:\WINDOWS\Prefetch\CSCRIPT.EXE-1C26180C.pf
Access denied - C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf
Access denied - C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf
Access denied - C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf
Access denied - C:\WINDOWS\Prefetch\DIGSBY-APP.EXE-1BD802E9.pf
Access denied - C:\WINDOWS\Prefetch\DIGSBY.EXE-2DEEEA8A.pf
Access denied - C:\WINDOWS\Prefetch\ERUNT.3XE-0A71A476.pf
Access denied - C:\WINDOWS\Prefetch\EXCEL.EXE-34CB65E9.pf
Access denied - C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Access denied - C:\WINDOWS\Prefetch\FINDSTR.EXE-0CA6274B.pf
Access denied - C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf
Access denied - C:\WINDOWS\Prefetch\FLASHPLAYERUPDATESERVICE.EXE-34BC5027.pf
Access denied - C:\WINDOWS\Prefetch\FLASHUTIL32_11_3_300_271_PLUG-0BD4341A.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLECRASHHANDLER.EXE-2AE91E26.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATE.EXE-1E123D86.pf
Access denied - C:\WINDOWS\Prefetch\GOOGLEUPDATERSERVICE.EXE-3AB369BE.pf
Access denied - C:\WINDOWS\Prefetch\GREP.3XE-0FD7DFD4.pf
Access denied - C:\WINDOWS\Prefetch\GREP.3XE-254D6273.pf
Access denied - C:\WINDOWS\Prefetch\GREP.EXE-3309531C.pf
Access denied - C:\WINDOWS\Prefetch\GROOVEMONITOR.EXE-2606717A.pf
Access denied - C:\WINDOWS\Prefetch\GRPCONV.EXE-111CD845.pf
Access denied - C:\WINDOWS\Prefetch\GSAR.3XE-03FC2EDD.pf
Access denied - C:\WINDOWS\Prefetch\GSAR.3XE-1971B17C.pf
Access denied - C:\WINDOWS\Prefetch\HANDLE.3XE-09E29954.pf
Access denied - C:\WINDOWS\Prefetch\HANDLE.3XE-10DA2EFC.pf
Access denied - C:\WINDOWS\Prefetch\HELPER.EXE-0415776D.pf
Access denied - C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf
Access denied - C:\WINDOWS\Prefetch\HIDEC.3XE-111262DC.pf
Access denied - C:\WINDOWS\Prefetch\HIDEC.3XE-2D8618DD.pf
Access denied - C:\WINDOWS\Prefetch\HPGS2WND.EXE-06AC8C27.pf
Access denied - C:\WINDOWS\Prefetch\HPGS2WNF.EXE-0E86C34B.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-0A31FE70.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-12915967.pf
Access denied - C:\WINDOWS\Prefetch\IEXPLORE.EXE-12BBAE74.pf
Access denied - C:\WINDOWS\Prefetch\IGFXPERS.EXE-2C07C174.pf
Access denied - C:\WINDOWS\Prefetch\IGFXSRVC.EXE-2FB63FE8.pf
Access denied - C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf
Access denied - C:\WINDOWS\Prefetch\IMJPMIG.EXE-03882F7A.pf
Access denied - C:\WINDOWS\Prefetch\INSTALL_FLASHPLAYER11X32_MSSD-32F9B3BC.pf
Access denied - C:\WINDOWS\Prefetch\INSTALL_FLASHPLAYER11X32_MSSD-39F4B374.pf
Access denied - C:\WINDOWS\Prefetch\INSTALL_FLASH_PLAYER.EXE-0854CAC8.pf
Access denied - C:\WINDOWS\Prefetch\IPMSG.EXE-26141277.pf
Access denied - C:\WINDOWS\Prefetch\JAVA.EXE-0C263507.pf
Access denied - C:\WINDOWS\Prefetch\JUSCHED.EXE-0F4A509D.pf
Access denied - C:\WINDOWS\Prefetch\Layout.ini
Access denied - C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf
Access denied - C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf
Access denied - C:\WINDOWS\Prefetch\MBAM.EXE-0BEE0439.pf
Access denied - C:\WINDOWS\Prefetch\MSFEEDSSYNC.EXE-25E13438.pf
Access denied - C:\WINDOWS\Prefetch\NIRCMD.3XE-0A841DB5.pf
Access denied - C:\WINDOWS\Prefetch\NIRCMD.3XE-117BB35D.pf
Access denied - C:\WINDOWS\Prefetch\NIRCMD.EXE-2C39EF53.pf
Access denied - C:\WINDOWS\Prefetch\NIRCMDC.3XE-03B38F81.pf
Access denied - C:\WINDOWS\Prefetch\NIRKMD.3XE-071472EF.pf
Access denied - C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf
Access denied - C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
Access denied - C:\WINDOWS\Prefetch\NOTIFIER.EXE-2A3EC002.pf
Access denied - C:\WINDOWS\Prefetch\NS10.TMP-3A74FA7F.pf
Access denied - C:\WINDOWS\Prefetch\NS11.TMP-1489E333.pf
Access denied - C:\WINDOWS\Prefetch\NSB.TMP-35532715.pf
Access denied - C:\WINDOWS\Prefetch\NSF.TMP-19007368.pf
Access denied - C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf
Access denied - C:\WINDOWS\Prefetch\ONENOTEM.EXE-157A39AC.pf
Access denied - C:\WINDOWS\Prefetch\PEV.3XE-21FD478C.pf
Access denied - C:\WINDOWS\Prefetch\PEV.3XE-358EBDB6.pf
Access denied - C:\WINDOWS\Prefetch\PEV.EXE-0806C34B.pf
Access denied - C:\WINDOWS\Prefetch\PEV.EXE-0CE2BF4A.pf
Access denied - C:\WINDOWS\Prefetch\PING.EXE-31216D26.pf
Access denied - C:\WINDOWS\Prefetch\PLUGIN-CONTAINER.EXE-15EDC9DD.pf
Access denied - C:\WINDOWS\Prefetch\PV.3XE-1C242CC7.pf
Access denied - C:\WINDOWS\Prefetch\READER_SL.EXE-2B4EA1CB.pf
Access denied - C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf
Access denied - C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf
Access denied - C:\WINDOWS\Prefetch\RMBR.3XE-3AAE61A2.pf
Access denied - C:\WINDOWS\Prefetch\RTHDCPL.EXE-06918CFA.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-11D01D9A.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-17947D5D.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EE676D0.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-356C8F20.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-3596C059.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-3B11B44F.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-42BD096B.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-44A0B4BC.pf
Access denied - C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf
Access denied - C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf
Access denied - C:\WINDOWS\Prefetch\SED.3XE-35CB81F4.pf
Access denied - C:\WINDOWS\Prefetch\SED.3XE-370DAEC3.pf
Access denied - C:\WINDOWS\Prefetch\SED.EXE-0F4B402F.pf
Access denied - C:\WINDOWS\Prefetch\SF.BIN-1A60157B.pf
Access denied - C:\WINDOWS\Prefetch\SF.BIN-1D520004.pf
Access denied - C:\WINDOWS\Prefetch\SORT.EXE-194AE83C.pf
Access denied - C:\WINDOWS\Prefetch\SSMYPICS.SCR-01C62024.pf
Access denied - C:\WINDOWS\Prefetch\SSTEXT3D.SCR-17B3B9DD.pf
Access denied - C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
Access denied - C:\WINDOWS\Prefetch\SWEETIM.EXE-114201E6.pf
Access denied - C:\WINDOWS\Prefetch\SWREG.3XE-20CC4D60.pf
Access denied - C:\WINDOWS\Prefetch\SWREG.3XE-2965A2D9.pf
Access denied - C:\WINDOWS\Prefetch\SWREG.EXE-0F8682E2.pf
Access denied - C:\WINDOWS\Prefetch\SWSC.3XE-256BB068.pf
Access denied - C:\WINDOWS\Prefetch\SWSC.3XE-3AE13307.pf
Access denied - C:\WINDOWS\Prefetch\SWSC.EXE-17AFBFBF.pf
Access denied - C:\WINDOWS\Prefetch\SWXCACLS.3XE-2D6ED659.pf
Access denied - C:\WINDOWS\Prefetch\SWXCACLS.3XE-392ED218.pf
Access denied - C:\WINDOWS\Prefetch\TINTSETP.EXE-39BF0732.pf
Access denied - C:\WINDOWS\Prefetch\UPDATER.EXE-23F4D955.pf
Access denied - C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Access denied - C:\WINDOWS\Prefetch\WINWORD.EXE-07381162.pf
Access denied - C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
Access denied - C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf
Access denied - C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf
Access denied - C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_271.ocx
Unable to change attribute - C:\pagefile.sys

C:\>
Posted 8/28/2012 6:31 AM
#94295

shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:30:24 PM, on 8/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Feed Notifier\notifier.exe
C:\Program Files\IPMsg\ipmsg.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Protector by IB\ExtensionUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R3 - URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
O4 - Startup: Feed Notifier.lnk = C:\Program Files\Feed Notifier\notifier.exe
O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (file missing)
O23 - Service: Avira Upgrade Service (AviraUpgradeService) - Unknown owner - C:\WINDOWS\TEMP\AVSETUP_4f0f7ded\avupgsvc.exe (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - Firebird Project - C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Protector by IB Updater - Unknown owner - C:\Program Files\Protector by IB\ExtensionUpdaterService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10863 bytes
Posted 8/28/2012 10:31 AM
#94296
Advanced member

Right. SweetIM, again.

Start in Safe Mode with Networking, so you can access the internet.
Install Malwarebytes and either disable your antivirus protection and enable the protection from Malwarebytes, or vice-versa. Run a full scan and fix all the issues found (you need to check the boxes before you press Remove Selected): http://www.malwarebytes.org
Then download and run Unhide to restore the hidden files: http://www.bleepingcomputer.com/forums/topic405109.html
Lastly, run a full scan with Avast.

The above will remove the infection, but please get back to us with the logs and also let us know if you have any more issues with the computer afterwards.

You did not remove SweetIM when you contacted us previously either...
Andreea-Luciana Ostache
Support Team Leader
support@bullguard.com
www.bullguard.com

Download the Free Trial version of BullGuard Internet Security 16

You have a BullGuard related problem? Post your question on these forums, contact Support or contact me on Twitter!
Posted 8/29/2012 1:26 AM
#94297
shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
I ran Malwarebytes today; here is my log:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.28.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: JOY [administrator]

8/29/2012 8:46:13 AM
mbam-log-2012-08-29 (08-46-13).txt

Scan type: Full scan (C:\|D:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 291145
Time elapsed: 24 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Posted 8/29/2012 1:32 AM
#94298
shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 08/29/2012 09:23:21 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive
Finished processing the C:\ drive. 79990 files processed.

Processing the D:\ drive
Finished processing the D:\ drive. 49667 files processed.

Processing the H:\ drive
Finished processing the H:\ drive. 244 files processed.

The C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
* HidNoChangingWallPaperden policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowPrinters was set to 0! It was set back to 1!
* Start_ShowSetProgramAccessAndDefaults was set to 0! It was set back to 1!
* Start_ShowNetConn was set to 0! It was set back to 1!

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/29/2012 09:30:00 AM
Execution time: 0 hours(s), 6 minute(s), and 39 seconds(s)
Posted 8/29/2012 5:33 AM
#94300
shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
I ran my Avast antivirus.

These are the infected files I found:

A0044008.exe C:\System Volume Information\ _restore {D9350BC7.291
A0044009.exe C:\System Volume Information\ _restore {D9350BC7.291
A0044010.exe C:\System Volume Information\ _restore {D9350BC7.291
incredibar.dll.vir C:\Qoobox\Quarantine\C\Program Files\Incredibar.com
incredibartlbr.dll.vir C:\Qoobox\Quarantine\C\Program Files\Incredibar.com
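As an added example (not part of this thread, and not HijackThis, Malwarebytes or Avast code), the Python below does by script what a helper does by eye with the HijackThis log at the top of the thread and the Avast hit list just above: it flags O18/O23 entries whose registered target is gone ("(file missing)", "(no file)"), flags O4 autostarts launched from a temp folder, and classifies AV hits by location so that copies inside System Restore points or the ComboFix Qoobox quarantine are recognised as inert leftovers rather than running code. The folder list and reasons are my own heuristics; the sample lines are constructed, four of them mirroring entries from the posted log and the TEMP autostart invented so the check has something to fire on.

```python
"""Triage helpers for a HijackThis-style log and a list of antivirus hits.

Added example for this thread; it is not HijackThis, Malwarebytes or Avast
code. Entry formats follow the log posted above; the heuristics are mine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Markers HijackThis itself prints when a registered target is gone. Usually
# uninstall leftovers, but also the footprint of malware whose file was
# deleted while its registry entry survived.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Folders a legitimate auto-start entry should not be running from (my list,
# lowercase, backslash-terminated so "\temp\" does not match "\templates\").
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\recycler\\",
)

# "O23 - Service: ..." -> section "O23", body "Service: ..."
HJT_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4" or "O23"
    reason: str    # why the line was flagged
    line: str      # the original log line


def parse_hjt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Split HijackThis lines into (section, body, original); skip other text."""
    out = []
    for raw in lines:
        m = HJT_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2), raw.strip()))
    return out


def triage_hjt(lines: List[str]) -> List[Finding]:
    """Flag the entries a reviewer would look at first."""
    findings = []
    for section, body, raw in parse_hjt(lines):
        low = body.lower()
        if any(marker in low for marker in MISSING_MARKERS):
            findings.append(Finding(section, "registered, but target file missing", raw))
            continue
        if section == "O4" and any(d in low for d in SUSPICIOUS_DIRS):
            findings.append(Finding(section, "autostart from a temp folder", raw))
        elif section == "O23" and "unknown owner" in low:
            # HijackThis could not read a publisher from the service binary.
            findings.append(Finding(section, "service with no readable publisher", raw))
    return findings


def classify_detection(path: str) -> str:
    """Say where an AV hit lives; restore-point and quarantine copies are inert."""
    p = path.lower().replace("/", "\\")
    p = re.sub(r"\\\s+", r"\\", p)        # forum formatting put spaces after "\"
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"
    return "active location"


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample lines: the first four mirror entries in the posted log,
# the TEMP autostart is invented so the folder check has something to flag.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O18 - Protocol: ipp - (no CLSID) - (no file)",
    r"O23 - Service: Avira Upgrade Service (AviraUpgradeService) - Unknown owner - C:\WINDOWS\TEMP\AVSETUP_4f0f7ded\avupgsvc.exe (file missing)",
    r"O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe",
    r"O4 - HKLM\..\Run: [Loader] C:\WINDOWS\TEMP\sample_loader.exe",  # constructed
]

SAMPLE_HITS = [
    r"C:\System Volume Information\ _restore {D9350BC7.291",
    r"C:\Qoobox\Quarantine\C\Program Files\Incredibar.com\incredibar.dll.vir",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f.section}] {f.reason}: {f.line}")
    for hit in SAMPLE_HITS:
        print(f"{classify_detection(hit)}: {hit}")
```

On the sample data the script flags the dead Avira service and the dead "ipp" protocol handler as stale registrations and the TEMP autostart as suspicious, while both Avast hits classify as restore-point or ComboFix-quarantine copies. Those two locations hold files that cannot run from where they are: restore points are flushed by turning System Restore off and on again, and the Qoobox folder goes away when ComboFix is uninstalled.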
Posted 8/30/2012 5:49 AM
#94307
Advanced member

And how is the computer doing now?
Andreea-Luciana Ostache
Support Team Leader
Posted 8/30/2012 9:13 AM
#94309
shannemark Advanced member

Date Joined Nov 2016
Total Posts: 32
The system is still very slow; sometimes it hangs up.
Is there anything I can do for my computer?
Posted 9/1/2012 6:16 AM
#94314
Advanced member

Because you had a lot of infections for a long time, it's a good thing if you run an sfc /scannow command in a command prompt (it will ask you for the CD to repair files that it can't restore).

Also, although I generally recommend against using registry cleaners because they can remove valid registry keys, install CCleaner from here http://www.piriform.com/ccleaner/download/standard and run it to remove your temporary files and obsolete registry keys.

I would also have a look at the event logs and see what errors your computer has. It's good to address those issues whenever possible.

Last but not least, make sure that you have the latest updates for Windows, Java, Adobe Flash Player, your internet browser and all other programs you use.
Andreea-Luciana Ostache
Support Team Leader