
Taskbar is missing


This topic is locked
7 replies to this topic

#1 bigdeer32

  • Members
  • 19 posts

Posted 16 December 2008 - 03:38 PM

Ok, I just rebuilt my computer not too long ago; it was a Compaq. Now it has an ECS Elitegroup a740gm-m motherboard, and I have Windows XP. The other day I booted up my computer and noticed my taskbar was missing. I hit the little Windows icon on the keyboard, and the start menu did not pop up. I noticed there was an Internet Explorer icon on the desktop; I deleted it, but it came back. I cannot drag icons across the desktop, cannot copy/paste in Firefox, and Firefox also has a new search in the search bar called YOOG. When I hit Ctrl + Alt + Del and go to the Processes tab, none of the processes show the User Name. I tried running Malwarebytes' Anti-Malware but got an error (vbalsgrid6.ocx). I tried running Kaspersky Online Scanner, and it will not work. Here are my DDS and HJT logs:



DDS (Version 1.0.1) - NTFSx86
Run by Skyler at 14:27:12.61 on Tue 12/16/2008
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_11

============== Pseudo HJT Report ===============

uStart Page = hxxp://myspace.com/
uURLSearchHooks: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aim search\AOLSearch.dll
BHO: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aim search\AOLSearch.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8E718888-423F-11D2-876E-00A0C9082467} - c:\windows\system32\msdxm.ocx
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - c:\windows\system32\msdxm.ocx
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\skyler\applic~1\mozilla\firefox\profiles\kbecmcob.default\
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2008-12-16 01:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 01:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 01:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 01:37 <DIR> --d----- C:\ComboFix
2008-12-16 00:54 <DIR> --d----- c:\program files\CCleaner
2008-12-16 00:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-16 00:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-16 00:34 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2008-12-15 14:35 161,792 a------- c:\windows\SWREG.exe
2008-12-15 14:35 98,816 a------- c:\windows\sed.exe
2008-12-15 13:07 131,712 ac------ c:\windows\system32\dllcache\ks.sys
2008-12-15 13:07 131,712 a------- c:\windows\system32\drivers\ks.sys
2008-12-15 13:07 57,856 ac------ c:\windows\system32\dllcache\drmk.sys
2008-12-15 13:07 44,416 ac------ c:\windows\system32\dllcache\stream.sys
2008-12-15 13:07 57,856 a------- c:\windows\system32\drivers\drmk.sys
2008-12-15 13:07 44,416 a------- c:\windows\system32\drivers\stream.sys
2008-12-15 13:07 22,016 a------- c:\windows\system32\wdmaud.drv
2008-12-15 13:07 117,248 ac------ c:\windows\system32\dllcache\ksproxy.ax
2008-12-15 13:07 4,096 ac------ c:\windows\system32\dllcache\ksuser.dll
2008-12-15 13:07 117,248 a------- c:\windows\system32\ksproxy.ax
2008-12-15 13:07 4,096 a------- c:\windows\system32\ksuser.dll
2008-12-15 13:05 37,376 a----r-- c:\windows\system32\drivers\l151x86.sys
2008-12-15 12:33 <DIR> -cd-h--- c:\windows\$MSI30UninstallMSI30-KB884016$
2008-12-15 12:32 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-15 12:32 <DIR> --d----- c:\program files\ATI Technologies
2008-12-15 03:13 197,185 a------- c:\windows\nuceqli6.exe
2008-12-15 03:12 16,384 a------- c:\windows\id4.exe
2008-12-15 03:12 16,384 a------- c:\windows\mjctlso010.exe
2008-12-15 03:12 16,384 a------- c:\windows\dlgpn8.exe
2008-12-15 03:12 16,384 a------- c:\windows\kqmmlikgbg033.exe
2008-12-15 02:42 905,544 a------- c:\windows\pkcorwu4.exe
2008-12-15 02:40 56,333 a------- c:\windows\feoclwg328.exe
2008-12-15 02:19 1,807,468 a------- c:\windows\qk62.exe
2008-12-15 02:19 16,384 a------- c:\windows\hbhjhxyk1.exe
2008-12-15 02:19 16,384 a------- c:\windows\frygncyqao0.exe
2008-12-15 02:17 85,538 a------- c:\windows\hpqgg758.exe
2008-12-15 02:15 191,885 a------- c:\windows\jyvbxjnt5.exe
2008-12-15 00:52 9,196,032 -------- c:\windows\system32\RTLCPL.exe
2008-12-15 00:52 2,279,424 -------- c:\windows\system32\drivers\alcxwdm.sys
2008-12-15 00:52 208,896 -------- c:\windows\alcupd.exe
2008-12-15 00:52 156,672 -------- c:\windows\system32\RtlCPAPI.dll
2008-12-15 00:52 141,016 -------- c:\windows\system32\alsndmgr.wav
2008-12-15 00:52 139,264 -------- c:\windows\alcrmv.exe
2008-12-15 00:52 57,344 -------- c:\windows\Alcxmntr.exe
2008-12-14 23:44 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2008-12-14 23:44 465,664 a------- c:\windows\system32\drivers\rtl8190p.sys
2008-12-14 23:44 38,144 a------- c:\windows\system32\drivers\EAPPkt.sys
2008-12-14 23:44 20,480 a------- c:\windows\system32\drivers\WLNdis50.sys
2008-12-14 23:44 <DIR> --d----- c:\program files\TRENDnet
2008-12-14 23:37 <DIR> --d----- c:\program files\VIA
2008-12-14 23:36 553 -----r-- c:\windows\USetup.iss
2008-12-14 23:34 <DIR> --d----- c:\program files\Realtek
2008-12-14 23:34 315,392 a------- c:\windows\HideWin.exe
2008-12-14 23:34 520,192 -----r-- c:\windows\RtlExUpd.dll
2008-12-14 23:34 9,096 a----r-- c:\windows\system32\drivers\amdide.sys
2008-12-14 22:40 <DIR> --d----- c:\program files\Trend Micro
2008-12-14 22:30 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-14 15:43 1,639 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-12-14 15:42 373,760 a--sh--- c:\windows\system32\B6.tmp
2008-12-14 15:42 135,168 a------- c:\windows\system32\dpvoice32.dll
2008-12-14 15:35 <DIR> --d----- c:\program files\IDT
2008-12-08 16:47 <DIR> --d----- c:\docume~1\skyler\applic~1\OpenOffice.org
2008-12-08 16:45 <DIR> --d----- c:\program files\JRE
2008-12-08 16:45 <DIR> --d----- c:\program files\OpenOffice.org 3
2008-12-07 21:25 <DIR> --ds---- c:\documents and settings\skyler\UserData
2008-12-03 19:36 <DIR> --d----- c:\docume~1\skyler\applic~1\LimeWire
2008-12-03 18:24 171,280 a------- c:\windows\system32\jit.dll
2008-12-03 18:24 46,352 a------- c:\windows\setdebug.exe
2008-12-03 18:24 7,315 a------- c:\windows\system32\javasup.vxd
2008-12-03 15:25 1,172 a------- c:\windows\mozver.dat
2008-12-03 10:04 991,232 a------- c:\windows\system32\esent.dll
2008-12-03 09:52 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-02 23:11 159,232 ac------ c:\windows\system32\dllcache\CEWMDM.dll
2008-12-02 21:58 <DIR> --d----- c:\program files\common files\Software Update Utility
2008-12-02 21:58 <DIR> --d----- c:\program files\AIM Search
2008-12-02 21:58 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Viewpoint
2008-12-02 21:58 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\acccore
2008-12-02 21:58 <DIR> --d----- c:\program files\common files\AOL
2008-12-02 21:58 <DIR> --d----- c:\program files\AIM6
2008-12-02 21:57 386 a---h--- C:\IPH.PH
2008-12-02 21:57 22,752 a------- c:\windows\system32\spupdsvc.exe
2008-12-02 21:38 361,984 ac------ c:\windows\system32\dllcache\qmgr.dll
2008-12-02 21:38 331,776 ac------ c:\windows\system32\dllcache\winhttp.dll
2008-12-02 21:38 17,408 ac------ c:\windows\system32\dllcache\qmgrprxy.dll
2008-12-02 21:38 331,776 a------- c:\windows\system32\winhttp.dll
2008-12-02 21:38 17,408 a------- c:\windows\system32\qmgrprxy.dll
2008-12-02 21:38 7,680 -c------ c:\windows\system32\dllcache\bitsprx2.dll
2008-12-02 21:38 7,168 -c------ c:\windows\system32\dllcache\bitsprx3.dll
2008-12-02 21:38 7,680 -------- c:\windows\system32\bitsprx2.dll
2008-12-02 21:38 7,168 -------- c:\windows\system32\bitsprx3.dll
2008-12-02 20:34 0 a------- c:\windows\ativpsrm.bin
2008-12-02 20:34 307,200 a----r-- c:\windows\system32\atiiiexx.dll
2008-12-02 20:34 13,052 a----r-- c:\windows\atiogl.xml
2008-12-02 20:34 421,888 a----r-- c:\windows\system32\ATIDEMGX.dll
2008-12-02 20:34 7,167 a----r-- c:\windows\system32\atifglpf.xml
2008-12-02 20:34 887,724 a----r-- c:\windows\system32\ativva6x.dat
2008-12-02 20:34 3,107,788 a----r-- c:\windows\system32\ativva5x.dat
2008-12-02 20:34 3,107,788 a----r-- c:\windows\system32\ativvaxx.dat
2008-12-02 20:34 174,819 a----r-- c:\windows\system32\atiicdxx.dat
2008-12-02 19:34 213,528 a------- c:\windows\system32\wuaucpl.cpl
2008-12-02 19:34 186,136 a------- c:\windows\system32\wuaueng1.dll
2008-12-02 19:34 167,704 a------- c:\windows\system32\wuauclt1.exe
2008-12-02 19:16 185,624 ac------ c:\windows\system32\dllcache\iuengine.dll
2008-12-02 19:16 185,624 a------- c:\windows\system32\iuengine.dll
2008-12-02 18:24 <DIR> --d----- c:\windows\LastGood.Tmp
2008-12-02 18:23 <DIR> --d----- c:\windows\system32\Tools
2008-12-02 18:23 4,864 a----r-- c:\windows\system32\drivers\PortIo.sys
2008-12-02 18:17 <DIR> --d----- c:\documents and settings\Skyler
2008-12-02 18:16 8,192 a------- c:\windows\REGLOCS.OLD
2008-12-02 18:13 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2008-12-02 18:12 <DIR> --dsh--- c:\documents and settings\all users.windows\DRM
2008-12-02 18:10 47,104 ac------ c:\windows\system32\dllcache\srdiag.exe
2008-12-02 18:09 <DIR> --d----- c:\program files\Online Services
2008-12-02 18:09 <DIR> --d----- c:\program files\Messenger
2008-12-02 18:09 272,896 ac------ c:\windows\system32\dllcache\pinball.exe
2008-12-02 18:08 1,809,944 ac------ c:\windows\system32\dllcache\wuaueng.dll
2008-12-02 12:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 12:42 73,728 a------- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2008-12-03 18:24 2,678 a------- c:\windows\java\packages\data\1B5BJTVH.DAT
2008-12-03 18:23 2,678 a------- c:\windows\java\packages\data\LFZZDZ9V.DAT
2008-12-03 18:23 2,678 a------- c:\windows\java\packages\data\T3LNJDJX.DAT
2008-12-03 18:23 2,678 a------- c:\windows\java\packages\data\SCTVD3FD.DAT
2008-12-03 18:23 2,678 a------- c:\windows\java\packages\data\6DBVJDF5.DAT
2008-12-02 18:29 71,627 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-02 18:12 558,142 a------- c:\windows\java\packages\OD37RJTV.ZIP
2008-12-02 18:12 155,995 a------- c:\windows\java\packages\STRB7JD7.ZIP
2008-12-02 18:10 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 14:27:23.86 ===============





==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
AIM 6
AIM Search
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
CCleaner (remove only)
Download Updater (AOL LLC)
ECO Bar
HijackThis 2.0.2
Java™ 6 Update 11
Java™ 6 Update 7
LimeWire 4.18.8
Malwarebytes' Anti-Malware
Microsoft Office Excel Viewer 2003
Mozilla Firefox (2.0.0.18)
OpenOffice.org 3.0
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB914798)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Spybot - Search & Destroy
TRENDnet TEW-641PC/TEW-643PI Wireless Cardbus/PCI Adapter
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.0 (KB884016)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486

==== Event Viewer Messages ===================


==== End Of File ===========================





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:03 PM, on 12/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - S-1-5-21-507921405-920026266-839522115-1004 Startup: AutorunsDisabled (User '?')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://cdn-www.rsportscars.com/images/suba...ont-quarter.jpg

--
End of file - 3428 bytes
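As an added example (not from this thread, and not part of DDS, HijackThis or any other tool named here), the script below parses the DDS "Created Last 30" section posted above and applies a simple triage heuristic: executables written directly into the Windows root get flagged, and groups of same-sized executables created within minutes of each other get flagged again as a likely single dropper. The file-name pattern, the 60-minute window and the sample lines are my own assumptions; a flag means "worth an analyst's look", not a verdict on any file.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: lines in the DDS "Created Last 30" format, a subset of
# the entries quoted in the thread above plus two benign ones for contrast.
SAMPLE_CREATED_LAST_30 = """\
2008-12-16 01:45 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2008-12-16 01:45 <DIR> --d----- c:\\program files\\Malwarebytes' Anti-Malware
2008-12-15 03:13 197,185 a------- c:\\windows\\nuceqli6.exe
2008-12-15 03:12 16,384 a------- c:\\windows\\id4.exe
2008-12-15 03:12 16,384 a------- c:\\windows\\mjctlso010.exe
2008-12-15 03:12 16,384 a------- c:\\windows\\dlgpn8.exe
2008-12-15 03:12 16,384 a------- c:\\windows\\kqmmlikgbg033.exe
2008-12-15 02:19 16,384 a------- c:\\windows\\hbhjhxyk1.exe
2008-12-15 02:19 16,384 a------- c:\\windows\\frygncyqao0.exe
2008-12-14 23:34 315,392 a------- c:\\windows\\HideWin.exe
2008-12-02 21:57 22,752 a------- c:\\windows\\system32\\spupdsvc.exe
"""

# One DDS line: date, time, size (or <DIR>), 8-character attribute flags, path.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
WINDOWS_ROOT = "c:\\windows"
CLUSTER_WINDOW = timedelta(minutes=60)  # assumed tuning value, not from the page


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str            # lower-cased so comparisons are case-insensitive

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_created_last_30(text: str) -> list:
    """Parse DDS 'Created Last 30' lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path.lower(),
        ))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic tuned to this thread: a letters-only stem ending in digits."""
    stem = name.rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{2,}\d+", stem) is not None


def triage(entries: list) -> dict:
    """Map path -> list of reasons an analyst should look at that entry."""
    findings = defaultdict(list)
    candidates = [
        e for e in entries
        if not e.is_dir and e.path.endswith(EXEC_EXT) and e.parent == WINDOWS_ROOT
    ]
    for e in candidates:
        findings[e.path].append("executable created directly in the Windows root")
        if looks_random(e.name):
            findings[e.path].append("random-looking file name")

    # Same-size executables created within a short window suggest one dropper at work.
    by_size = defaultdict(list)
    for e in candidates:
        by_size[e.size].append(e)
    for size, group in by_size.items():
        group.sort(key=lambda e: e.created)
        runs, run = [], [group[0]]
        for e in group[1:]:
            if e.created - run[-1].created <= CLUSTER_WINDOW:
                run.append(e)
            else:
                runs.append(run)
                run = [e]
        runs.append(run)
        for run in runs:
            if len(run) >= 2:
                for r in run:
                    findings[r.path].append(
                        f"{len(run)} files of {size:,} bytes created within {CLUSTER_WINDOW}"
                    )
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in sorted(triage(parse_created_last_30(SAMPLE_CREATED_LAST_30)).items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```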


#2 bigdeer32

  • Topic Starter

  • Members
  • 19 posts

Posted 18 December 2008 - 04:30 AM

OK, I'm sorry, but it has been a while since I posted and nobody has helped, so I was browsing the internet to see if anyone else had the same problems, and somebody was told to enable all the disabled startup items so they could help more or something, so here is a new HJT log with all the disabled startup items re-enabled. OK, well, it wouldn't let me re-enable "reboot.exe"; it cannot find the path, which I went to, and it is there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:30:13, on 12/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Skyler\Desktop\autoruns.exe

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-507921405-920026266-839522115-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - S-1-5-21-507921405-920026266-839522115-1004 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\TRENDnet\TEW-641PC_TEW-643PI\WlanCU.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe

--
End of file - 3605 bytes

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 December 2008 - 10:06 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box at the top left.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and that no other actions, like a scheduled antivirus scan, will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!: Please do not select the Show all checkbox during the scan.

In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#4 bigdeer32

  • Topic Starter

  • Members
  • 19 posts

Posted 23 December 2008 - 02:44 AM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-23 01:33:10
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwAssignProcessToJobObject [0xF777AEE8]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwCreateKey [0xF777AC77]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwCreateThread [0xF777AD71]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwDebugActiveProcess [0xF777AE84]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwDeleteKey [0xF777ACC2]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwDeleteValueKey [0xF777ACA9]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwLoadDriver [0xF777AD3F]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwLockVirtualMemory [0xF777AE52]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwOpenSection [0xF777AD8A]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwProtectVirtualMemory [0xF777AE39]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwQueryValueKey [0xF777AECF]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwQueueApcThread [0xF777AE07]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwReadVirtualMemory [0xF777AE20]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwRenameKey [0xF777ACDB]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwRequestWaitReplyPort [0xF777AEB6]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwRestoreKey [0xF777AD0D]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSetContextThread [0xF777ADD5]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSetSecurityObject [0xF777ACF4]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSetSystemInformation [0xF777AE6B]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSetValueKey [0xF777AC90]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSuspendProcess [0xF777ADEE]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSuspendThread [0xF777ADBC]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwSystemDebugControl [0xF777AE9D]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwTerminateProcess [0xF777AD26]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwTerminateThread [0xF777ADA3]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwWriteVirtualMemory [0xF777AD58]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 92 804DE644 1 Byte [ E8 ]
.text ntoskrnl.exe!_abnormal_termination + 94 804DE646 2 Bytes [ 77, F7 ]
.text ntoskrnl.exe!_abnormal_termination + 43A 804DE9EC 12 Bytes [ EE, AD, 77, F7, BC, AD, 77, ... ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT Ntfs.sys[ntoskrnl.exe!MmFlushImageSection] [B050CB40] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT Ntfs.sys[ntoskrnl.exe!IoCheckShareAccess] [B050CAC0] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT Ntfs.sys[ntoskrnl.exe!SeAccessCheck] [B050CBB4] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!SeAccessCheck] [B050CBB4] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCheckShareAccess] [B050CAC0] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!MmFlushImageSection] [B050CB40] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\win32k.sys[ntoskrnl.exe!KeAddSystemServiceTable] [F777B05F] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [F777B6E0] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fastfat \FatCdrom HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Ip HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Tcp HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Rdbss \Device\FsWrap HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\Udp HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\RawIp HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fastfat \Fat HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Cdfs \Cdfs HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)

---- EOF - GMER 1.0.14 ----



The only change I have made was, I downloaded DivX Player because WMP won't open; it says low memory.

Attached Files


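A note on reading the GMER sections above: every SSDT, IAT and Device hook GMER lists is attributed to HOOKHELP.sys or HookSys.sys, and the vendor string GMER attaches to both is Rising's, so these hooks are consistent with an installed security product rather than with a driver GMER could not attribute to anyone. The helper below is an added example (not part of the thread, and not GMER's own code) that parses GMER 1.0.14 log lines, groups hooks per driver, and gives each driver a verdict. The sample log lines are constructed (modelled on the log above, plus a hypothetical unknown_example.sys with no version info), and KNOWN_SECURITY_VENDORS is an assumed, partial list.

```python
"""Added triage helper for a GMER 1.0.14 text log (not part of the thread or GMER):
attribute every SSDT, IAT and Device hook to the driver that owns it and to the
vendor string GMER prints for that driver, then separate hooks that belong to a
recognised security product from hooks GMER could not attribute to anyone."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional "(Description/Company)" suffix GMER prints when the driver carries version info.
VENDOR = r"(?:\s+\((?P<vendor>[^)]*)\))?"

PATTERNS = {
    "SSDT": re.compile(r"^SSDT\s+(?P<driver>\S+)" + VENDOR
                       + r"\s+(?P<target>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"),
    "IAT": re.compile(r"^IAT\s+(?P<module>\S+?)\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                      + r"\s+(?P<driver>\S+)" + VENDOR + r"\s*$"),
    "Device": re.compile(r"^Device\s+(?P<object>\S+)\s+(?P<target>\S+)\s+(?P<driver>\S+)"
                         + VENDOR + r"\s*$"),
}

# Assumption: illustrative substrings identifying security-product vendors; extend it
# for whatever is actually installed on the machine being triaged.
KNOWN_SECURITY_VENDORS = ("Rising", "Kaspersky", "Symantec", "McAfee", "ESET", "Avira", "Avast")

# Constructed sample in the format GMER 1.0.14 prints: lines modelled on the thread's log
# plus one hypothetical driver, unknown_example.sys, that carries no version info.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwDeleteKey [0xF777ACC2]
SSDT \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.) ZwTerminateProcess [0xF777AD26]
SSDT \??\C:\WINDOWS\system32\drivers\unknown_example.sys ZwQueryDirectoryFile [0xF8A1B2C0]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT Ntfs.sys[ntoskrnl.exe!SeAccessCheck] [B050CBB4] \SystemRoot\system32\drivers\HookSys.sys (Hooksys/Beijing Rising Information Technology Co., Ltd.)
IAT \SystemRoot\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [F777B6E0] \SystemRoot\system32\drivers\HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Tcp HOOKHELP.sys (HookHelp/Beijing Rising Information Technology Co., Ltd.)
Device \FileSystem\Ntfs \Ntfs unknown_example.sys
"""


@dataclass
class Hook:
    kind: str              # "SSDT", "IAT" or "Device"
    driver: str            # lower-cased basename, e.g. "hookhelp.sys"
    vendor: Optional[str]  # None when GMER printed no version info
    target: str            # hooked syscall, imported symbol or device object
    addr: Optional[str]    # hook address; Device lines carry none


def parse_gmer(text: str) -> List[Hook]:
    """Return one Hook per SSDT/IAT/Device line; section headers and other lines are skipped."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groupdict()
                hooks.append(Hook(kind, g["driver"].rsplit("\\", 1)[-1].lower(),
                                  g.get("vendor"), g["target"], g.get("addr")))
                break
    return hooks


def summarize(hooks: List[Hook]) -> Dict[str, dict]:
    """Group hooks per driver: vendor string, per-kind counts and the list of hooked targets."""
    summary: Dict[str, dict] = {}
    for h in hooks:
        entry = summary.setdefault(h.driver, {"vendor": None, "counts": {}, "targets": []})
        entry["vendor"] = entry["vendor"] or h.vendor
        entry["counts"][h.kind] = entry["counts"].get(h.kind, 0) + 1
        entry["targets"].append(h.target)
    return summary


def triage(hooks: List[Hook]) -> Dict[str, str]:
    """Verdict per driver: 'security-product', 'unrecognised-vendor' or 'unattributed'."""
    verdicts: Dict[str, str] = {}
    for driver, entry in summarize(hooks).items():
        vendor = entry["vendor"]
        if vendor is None:
            verdicts[driver] = "unattributed"       # no version info: hash and submit before trusting
        elif any(v.lower() in vendor.lower() for v in KNOWN_SECURITY_VENDORS):
            verdicts[driver] = "security-product"   # hooks consistent with an installed AV/HIPS
        else:
            verdicts[driver] = "unrecognised-vendor"
    return verdicts


def report(text: str) -> List[str]:
    """One human-readable line per driver, drivers with the most hooks first."""
    hooks = parse_gmer(text)
    summary, verdicts = summarize(hooks), triage(hooks)
    lines = []
    for driver, entry in sorted(summary.items(), key=lambda kv: -sum(kv[1]["counts"].values())):
        counts = ", ".join(f"{k}={n}" for k, n in sorted(entry["counts"].items()))
        lines.append(f"{driver}: {verdicts[driver]} ({entry['vendor'] or 'no version info'}) {counts}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real GMER log by passing the file contents to report(). A "security-product" verdict only means the vendor string matches; the string comes from the driver's version resource and can be forged, so an unexpected driver should still be hashed and checked even when it names a known vendor.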

#5 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 04:00 AM

Hello.

Please delete the current copy of ComboFix on your desktop.

Download and Run ComboFix with CFScript
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/187070/taskbar-is-missing/
    
    Collect::
    c:\windows\dlgpn8.exe
    c:\windows\feoclwg328.exe
    c:\windows\frygncyqao0.exe
    c:\windows\hbhjhxyk1.exe
    c:\windows\hpqgg758.exe
    c:\windows\id4.exe
    c:\windows\jyvbxjnt5.exe
    c:\windows\kqmmlikgbg033.exe
    c:\windows\mjctlso010.exe
    c:\windows\nuceqli6.exe
    c:\windows\pkcorwu4.exe
    c:\windows\qk62.exe
    
    Suspect::
    c:\combofix.txt
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe

  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
With Regards,
The Panda

Edited by PropagandaPanda, 23 December 2008 - 04:02 AM.


#6 bigdeer32 (Topic Starter, Members, 19 posts)

Posted 23 December 2008 - 08:15 AM

OK, first I could not copy the script because I cannot copy anything from my browser. Second, I cannot drag anything on my desktop. I carefully typed the script into Notepad and saved it, but it would not allow me to drag it. I tried going into a folder and it will not let me drag in a folder either.

#7 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 23 December 2008 - 07:33 PM

Hello.

In that case, just double click ComboFix.exe to run it.

With Regards,
The Panda

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 30 December 2008 - 07:42 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



