Desktop does not display upon start up

Unknown · June 2008

Hello everyone. This is my first post on this forum, I wanted to post here because everyone appears to be very knowledgeable and helpful.

In a nutshell, when trying to start windows, I get a blank desktop with one window open. I cannot access or see the icons on the desktop itself. If I go into task managed and runtask "explorer.exe" then everything loads up as it is supposed to. I think I got this virus when I was downloading different freeware programs. I am not computer ignorant but this was the time I didn't scan prior to clicking, and now I'm kicking myself and paying for it.

I followed the steps asked in the stickied thread, and here are my reports.

======

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:07, on 22/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [System Guards] C:\Program Files\SystemGuards.com\SystemGuards\SysGuards.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [HFFSRV] c:\windows\hffext\hffsrv.exe
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O13 - Gopher Prefix:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9195 bytes

=============

Here is what Kapersky reported:

Scan statistics Files scanned 92100 Threat name 2 Infected objects 2 Suspicious objects 0 Duration of the scan 02:59:15
File name Threat name Threats count C:\Program Files\DAEMON Tools Lite\SRSAI.exeInfected: not-a-virus:AdWare.Win32.Shopper.r1

C:\Users\Vega\Desktop\SmitfraudFix\Reboot.exeInfected: not-a-virus:RiskTool.Win32.Reboot.f1
============

If someone could help me out, or point me in the right diection, I would be very greatful! Thank you in advance!

gringo_pr · June 2008

Hello Endymion and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

uninstall list

Make an uninstall list using HijackThis To access the Uninstall Manager you would do the following: 1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

:run combofix:

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

:information and logs:

In your next post I need the following

1.log from combofix 2.new log from hijackthis (right click run as admin)

Gringo

Endymion · June 2008

Thank you for your help! I followed your instructions and here are the results:
=============

Hijack This Uninstall list:

Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8
AIM 6
ALPS Touch Pad Driver
AppCore
Apple Mobile Device Support
Apple Software Update
AV
AviSynth 2.5
BitLord 1.1
BitPim 1.0.5
Bonjour
Camera Assistant Software for Toshiba
ccCommon
CD Audio Reader Filter (remove only)
CD/DVD Drive Acoustic Silencer
DC-Bass Source 1.1.1
Diablo II
DirectVobSub (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DScaler 5 Mpeg Decoders
DVD MovieFactory for TOSHIBA
ffdshow [rev 1324] [2007-07-01]
Google Earth
HijackThis 2.0.2
Intel Matrix Storage Manager
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) 6 Update 4
Java(TM) SE Runtime Environment 6
Learn to Speak German Deluxe 9.5
LimeWire 4.16.6
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
mCore
mHelp
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
mMHouse
Mozilla Firefox (2.0.0.14)
mPfMgr
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
OnlinePlay 1.0
OpenOffice.org 2.4
OpenSource Flash Video Splitter (remove only)
PS3 Video 9 2.25
QuickTime
RealMedia (remove only)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
reminder
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
SHOUTcast Source (remove only)
SPBBC 32bit
Starcraft
SUPERAntiSpyware Free Edition
SystemGuards 1.1.0.0
Texas Instruments PCIxx21/x515/xx12 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Flash Cards Support Utility
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
TVersity Codec Pack 1.1
TVersity Media Server 0.9.11.4 beta
VideoLAN VLC media player 0.8.6d
Videora iPod Converter 3.07
Viewpoint Media Player
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
WinRAR archiver
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

=============

Combo fix log:

ComboFix 08-06-20.4 - Vega 2008-06-27 21:43:18.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.942 [GMT -7:00]
Running from: C:\Users\Vega\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-28 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-27 14:12

d

w C:\Users\Vega\AppData\Roaming\LimeWire
2008-06-27 06:22

d

w C:\Users\Vega\AppData\Roaming\OpenOffice.org2
2008-06-21 07:48

d

w C:\ProgramData\Microsoft Help
2008-06-21 07:47

d

w C:\Program Files\MSBuild
2008-06-21 04:58

d

w C:\Users\Vega\AppData\Roaming\Yahoo!
2008-06-21 04:58

d

w C:\ProgramData\Yahoo!
2008-06-21 04:51

d

w C:\Program Files\Yahoo!
2008-06-19 22:50

d

w C:\Program Files\Camera Assistant Software for Toshiba
2008-06-19 05:45

d

w C:\Users\Vega\AppData\Roaming\InstallShield
2008-06-18 01:06

d

w C:\ProgramData\PrevxCSI
2008-06-18 01:00 691 ----a-w C:\Users\Vega\AppData\Roaming\GetValue.vbs
2008-06-18 01:00 5,752 ----a-w C:\Windows\System32\tmp.reg
2008-06-18 01:00 35 ----a-w C:\Users\Vega\AppData\Roaming\SetValue.bat
2008-06-17 14:56

d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 14:56

d

w C:\Program Files\Spybot - Search & Destroy
2008-06-16 06:58

d

w C:\Program Files\AceBIT
2008-06-15 00:15

d

w C:\Program Files\Diablo II
2008-06-14 23:41

d

w C:\Program Files\OpenOffice.org 2.4
2008-06-14 23:40

d

w C:\Program Files\Java
2008-06-12 23:32

d

w C:\ProgramData\Spybot - Search & Destroy
2008-06-12 06:50

d

w C:\ProgramData\SUPERAntiSpyware.com
2008-06-12 06:17

d

w C:\Users\Vega\AppData\Roaming\SUPERAntiSpyware.com
2008-06-12 06:17

d

w C:\Program Files\SUPERAntiSpyware
2008-06-12 06:16

d

w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 05:32

d

w C:\Program Files\Trend Micro
2008-06-10 15:59 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-06-10 15:59 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-06-10 15:59 10,671 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-06-10 15:59

d

w C:\ProgramData\Symantec
2008-06-10 15:59

d

w C:\Program Files\Symantec
2008-06-10 15:59

d

w C:\Program Files\Norton Internet Security
2008-06-10 15:59

d

w C:\Program Files\Common Files\Symantec Shared
2008-06-10 15:26

d

w C:\Program Files\ffdshow
2008-06-10 15:22

d

w C:\Program Files\TVersity Codec Pack
2008-06-10 15:22

d

w C:\Program Files\DScaler5
2008-06-10 15:20

d

w C:\Program Files\TVersity
2008-06-01 21:00

d

w C:\Program Files\RealMedia
2008-06-01 21:00

d

w C:\Program Files\OpenSource Flash Video Splitter
2008-06-01 21:00

d

w C:\Program Files\CD Audio Reader Filter
2008-06-01 20:59

d

w C:\Program Files\SHOUTcast Source
2008-06-01 20:58

d

w C:\Program Files\DSP-worx
2008-06-01 20:57

d

w C:\Program Files\DirectVobSub
2008-06-01 20:47

d

w C:\Users\Vega\AppData\Roaming\DivX
2008-06-01 20:46

d

w C:\Program Files\DivX
2008-05-31 08:09 43,520 ----a-w C:\Windows\System32\CmdLineExt03.dll
2008-05-29 16:35 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-05-26 22:44

d

w C:\Program Files\Red Kawa
2008-05-23 20:08

d

w C:\ProgramData\TEMP
2008-05-21 02:57 94,208 ----a-w C:\Windows\DIIUnin.exe
2008-05-21 02:57 2,829 ----a-w C:\Windows\DIIUnin.pif
2008-05-19 04:40 82,944 ----a-w C:\Windows\System32\IEDFix.exe
2008-05-19 04:40 82,944 ----a-w C:\Windows\System32\404Fix.exe
2008-05-13 01:53 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-13 01:53 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-13 01:51 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-13 01:51 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-13 01:49 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-13 01:49 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-05-10 06:40

d

w C:\Users\Vega\AppData\Roaming\teamspeak2
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-07 21:50

d

w C:\ProgramData\Lavasoft
2008-05-07 21:49

d

w C:\Program Files\Lavasoft
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-04 14:58 1232896]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2007-01-22 08:59 417792]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 05:34 2159104 C:\Windows\System32\oobefldr.dll]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2008-02-01 17:17 4487064]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-03-12 18:00 2321600]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 18:43 4670704]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 13:50 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 03:39 4702208 C:\Windows\RtHDVCpl.exe]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 17:14 34352]
"HWSetup"="\HWSetup.exe" [ ]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 21:42 438272]
"NDSTray.exe"="NDSTray.exe" []
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-26 01:14 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-26 01:14 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-26 01:14 129560]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 10:50 413696]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 11:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 17:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 22:01 448080]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 17:32 538744]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-10 23:21 180224]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-08 23:23 191552]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 14:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"System Guards"="C:\Program Files\SystemGuards.com\SystemGuards\SysGuards.exe" [2007-11-08 16:07 638976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"HFFSRV"="c:\windows\hffext\hffsrv.exe" [ ]
"snpstd"="C:\Windows\vsnpstd.exe" [2005-10-11 20:54 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2007-01-08 23:23 191552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Vega^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Users\Vega\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\Windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Vega^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=C:\Users\Vega\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=C:\Windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a

2008-03-12 18:00 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a

2008-03-06 13:50 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a

2008-02-13 16:09 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a

2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a

2008-05-28 10:33 1506544 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a

2006-11-02 05:36 201728 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a

2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo!MessengerForVista]
--a

2008-04-29 12:39 204800 C:\Users\Vega\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7AA13C4F-0A11-4D67-9940-EE10CAA56087}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{648C9174-7F28-4F81-B4FD-3FEF4E88AAF1}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{CB1F8674-E61B-417A-95A5-922459E9A143}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FD287652-B2B2-48B9-A2E6-776BC4AF5332}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{A48D1643-2022-42C7-B91D-1D9CECE89BF6}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{743B6962-C48E-4F16-A4CA-6AB66AF2DE5E}C:\\program files\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{BC3F259E-7B2F-4D1F-A06B-DCC74EAB425B}C:\\program files\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord
"TCP Query User{A966408F-59A9-45CD-9E43-1A638392F8A7}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{F9F81C2C-6FF3-4D9B-B611-98031C5BF960}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{744255E6-3A52-4253-8541-5045A4AC599E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{368EB9B7-C82E-4DD5-AE8B-77FC34D123CE}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{21AE2CE4-1A79-43B2-99D3-8F4B46970261}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{4DFAC86D-C3C8-4286-9F6A-759A06A55762}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EA6E57F3-0C79-49EB-8FEC-959B31DDDC58}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2332F80B-04C2-474A-A610-8283A10EE63C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{21C44569-3FD3-4BBB-89BB-51B2AA18319F}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{50B7E96F-73DA-405B-A1B7-348F7BE0B456}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{07F9BE25-F93F-46A7-B763-B2A92C6AE91B}"= UDP:C:\Program Files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"{63AFC8F1-BD54-4699-A30B-021792FC5C5D}"= TCP:C:\Program Files\TVersity\Media Server\TVersity.exe:TVersity Media Server
"TCP Query User{297BBE89-4239-45CD-949E-6FA39DC329E5}C:\\users\\vega\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= UDP:C:\users\vega\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe
"UDP Query User{9FBDC895-D59C-40F6-9EC9-038C0854F8D3}C:\\users\\vega\\appdata\\local\\yahoo!\\messenger for vista\\yahoo.messenger.ymapp.exe"= TCP:C:\users\vega\appdata\local\yahoo!\messenger for vista\yahoo.messenger.ymapp.exe:yahoo.messenger.ymapp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080603.001\IDSvix86.sys [2008-02-14 02:51]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-26 01:14]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26d7070a-eed1-11dc-95f9-001b38b62fda}]
\shell\AutoRun\command - F:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26d7070e-eed1-11dc-95f9-001b38b62fda}]
\shell\AutoRun\command - G:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acbcdabb-eaa7-11dc-8522-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9e88b6e-f0e5-11dc-80bb-001b38b62fda}]
\shell\AutoRun\command - I:\LaunchEAW.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 03:00:37 C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Vega.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-06-27 09:15:31 C:\Windows\Tasks\User_Feed_Synchronization-{748A3738-E032-446A-B637-2B983F45FD59}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 21:46:52
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i????????K?e??? ??????8???p?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-27 21:48:03
ComboFix-quarantined-files.txt 2008-06-28 04:47:52

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

227 --- E O F --- 2008-06-12 10:03:50
============

I disabled all anti malware programs as you requested. I notice symantec appeared in the list above, I am not sure if that is good or not? I did shut down everything however.

Thanks again

gringo_pr · June 2008

Hello Endymion

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitLord
LimeWire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links:

http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall LimeWire,BitLord, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{26d7070a-eed1-11dc-95f9-001b38b62fda}]
\shell\AutoRun\command - F:\SETUP.EXE

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{26d7070e-eed1-11dc-95f9-001b38b62fda}]
\shell\AutoRun\command - G:\SETUP.EXE

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{acbcdabb-eaa7-11dc-8522-806e6f6e6963}]
\shell\AutoRun\command - E:\SETUP.EXE

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{b9e88b6e-f0e5-11dc-80bb-001b38b62fda}]
\shell\AutoRun\command - I:\LaunchEAW.exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

: Malwarebytes' Anti-Malware :

Please downloadMalwarebytes' Anti-Malware to your desktop.

[*]Double-click mbam-setup.exe and follow the prompts to install the program.
[*]At the end, be sure a checkmark is placed next to

Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware

[*] then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select Perform full scan, then click Scan.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Be sure that everything is checked, and click Remove Selected.
[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

If you accidently close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

:information and logs:

In your next post I need the following

1.log from combofix 2.log from MBAM 3.new log from hijackthis (right click run as admin)

Gringo

gringo_pr · July 2008

Hello Endymion

: three day bump :

It has been three days since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

gringo_pr · July 2008

This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

If you are not the user who started this thread, you must start your own Thread instead

Desktop does not display upon start up

Comments