Win Explorer / taskbar / desktop don't open(RESOLVED)

#1 - bookman (Newbie)


    Hi,
I'm hoping you can help me. I managed to download some kind of trojan that seemed to close explorer.exe down all the time whenever it was opened, i.e. at startup all I see is the wallpaper, no desktop icons or taskbar. The only way to run things is using cmd via the Task Manager run command.

Anyway, Trend Micro HouseCall managed to find some infected files, specifically hggfgge.dll, that were being used by winlogon (identified by using procexp.exe). After a lot of stuffing around I used the Recovery Console to rename the dll file to try and stop it from loading. This still didn't fix the problem.

System Restore doesn't work: it sees the restore points and reboots, but then says it fails to restore. All the programs seem to work, it's just that there's no explorer running!?! I've tried using SDFix and A2 but they didn't work. Here's the HijackThis log. I hope this helps!

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:50 AM, on 19/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cmd.exe
    C:\temp\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/support/driver.html
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SDFix] C:\temp\sd\SDFix\RunThis.bat /second
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OMNI Todo List.lnk = D:\Downloads\IE\OMNI Todo List.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


#2 - Neal (Dedicated Member)
    Welcome,

    That all sounds very bad alright, go here if you can: http://www.ewido.net/en/onlinescan/ for an online scan.


Can you download another browser like Firefox or Netscape?

    http://www.mozilla.com/en-US/firefox/

    http://browser.netscape.com/

#3 - bookman (Newbie)
OK. I ran the ewido online scan, and it picked up a few, including a vtsqr.dll. This seems to be the baddie, maybe? So I ran the fix for those problems in ewido and rebooted again into safe mode, but the problem is still there. Attached the log file.

    I ran process explorer and killed the threads using the vtsqr.dll and also winwea32.dll and ran hijackthis again. Below is the report.

I could install another web browser, but the web browser isn't the problem, WINDOWS Explorer is the problem (i.e. no taskbar, no desktop, can't click anything, can merely use the command line).

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16:27 AM, on 19/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cmd.exe
    C:\temp\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {47573AFA-788F-44C9-8D78-0173A95CB3F2} - C:\WINDOWS\system32\vtsqr.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\hggfgge.dll (file missing)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SDFix] C:\temp\sd\SDFix\RunThis.bat /second
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OMNI Todo List.lnk = D:\Downloads\IE\OMNI Todo List.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
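
The second log above shows the pattern the later replies treat as Vundo: the same randomly named DLL in system32 (vtsqr.dll, and before it hggfgge.dll) is registered both as an Internet Explorer BHO (O2) and as a Winlogon Notify handler (O20), so it is loaded into winlogon.exe at logon and again into Internet Explorer, and renaming the file on disk leaves dangling "(file missing)" entries behind rather than removing the hook. The Python script below is an added example for this thread, not part of any post and not a HijackThis feature: it triages a HijackThis 1.99 log for exactly that pattern. The sample log is a subset of the O2/O20 lines from the log above; the list of known-good Winlogon Notify DLLs is an assumption for an XP SP2 box and should be tuned for the machine being examined.

```python
"""Triage a HijackThis 1.99 log for Vundo-style persistence.

Flags: a DLL hooked as both a BHO (O2) and a Winlogon Notify handler (O20),
Winlogon Notify DLLs in system32 that are not on a known-good list, unnamed
BHOs, and dangling entries whose file is already gone.
"""
import re

# Assumption for this example: Winlogon Notify packages that legitimately
# live in system32 on Windows XP SP2. Tune for the box being examined.
KNOWN_GOOD_NOTIFY = {
    "wgalogon.dll",  # Windows Genuine Advantage notification package
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "termsrv.dll",
}

MISSING_MARKERS = ("(file missing)", "(no file)")

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")

# Constructed sample: the O2/O20 lines from the post #3 log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {47573AFA-788F-44C9-8D78-0173A95CB3F2} - C:\WINDOWS\system32\vtsqr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\hggfgge.dll (file missing)
O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: vtsqr - C:\WINDOWS\system32\vtsqr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwea32 - C:\WINDOWS\SYSTEM32\winwea32.dll
"""


def split_target(target):
    """Return (cleaned_path, lowercase_basename_or_None, is_missing)."""
    target = target.strip()
    missing = any(marker in target for marker in MISSING_MARKERS)
    for marker in MISSING_MARKERS:
        target = target.replace(marker, "")
    target = target.strip()
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower() if target else None
    return target, base, missing


def in_system32(path):
    """A bare filename is resolved through the loader search path (system32
    first), so treat it the same as an explicit system32 path."""
    p = path.lower()
    return "\\system32\\" in p or "\\" not in p


def triage(log_text):
    hooks = {}            # basename -> set of hook kinds seen ("bho", "notify")
    suspect_notify = set()
    unnamed_bho = set()
    dangling = set()
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            _, base, missing = split_target(m.group("target"))
            ident = base or m.group("clsid").lower()
            if m.group("name") == "(no name)":
                unnamed_bho.add(ident)
            if missing:
                dangling.add(ident)
            if base:
                hooks.setdefault(base, set()).add("bho")
            continue
        m = O20_RE.match(line)
        if m:
            path, base, missing = split_target(m.group("target"))
            if missing:
                dangling.add(base or m.group("key").lower())
            if base:
                hooks.setdefault(base, set()).add("notify")
                if in_system32(path) and base not in KNOWN_GOOD_NOTIFY:
                    suspect_notify.add(base)
    return {
        # The Vundo signature: one DLL reached from both winlogon and IE.
        "dual_hooked": sorted(b for b, k in hooks.items() if {"bho", "notify"} <= k),
        "suspect_notify": sorted(suspect_notify),
        "unnamed_bho": sorted(unnamed_bho),
        "dangling": sorted(dangling),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind:15s} {', '.join(items) or '-'}")
```

Run against the sample, the dual-hooked list is exactly the two DLLs the thread ends up removing, winwea32.dll is flagged on the Winlogon Notify check alone, and the Stardock and WGA handlers pass. The dangling entries are harmless on their own but show where the rename left registry hooks behind that a cleanup tool still has to delete.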

#4 - Neal (Dedicated Member)
Much more information is in your new log.

Thanks.

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.




    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Also, please post a new HijackThis log, produced like this:



Please go to hijackthis.exe, right click on it, click Rename, rename it to foolyou.exe and press Enter. Then post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.

#5 - bookman (Newbie)
    It worked. Everything SEEMS right! Where do I donate!?

VundoFix seemed to have a few problems getting rid of the dll files. It never started automatically after rebooting; however, after a couple of reboots and manually starting it, the files seemed to disappear, and everything seems normal again.

    Do you feel that Kaspersky Internet Security would be a good complete solution against viruses and spy/mal/adware? I'm removing Trend Micro Pc-cillin Internet Security because it didn't pick up the original offending file that introduced this problem. However I've tested on my other pc and found that Kaspersky does pick that particular nasty file up perfectly.

    Here's all the logs!

    ComboFix 07-06-18.2 - C:\temp\dal\ComboFix.exe
    "Charles" - 2007-06-19 18:28:27 - Service Pack 2 NTFS [SAFE MODE]


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\winwea32.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\msxml3a.dll


    ((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


    2007-06-19 18:28 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-19 18:10 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-06-19 17:42 <DIR> d-------- C:\VundoFix Backups
    2007-06-19 17:38 <DIR> d-------- C:\temp\dal
    2007-06-19 10:05 <DIR> d-------- C:\temp\backups
    2007-06-19 09:09 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-06-19 00:25 218,112 --a------ C:\temp\hijackthis.exe
    2007-06-18 23:03 <DIR> d-------- C:\temp\sd
    2007-06-18 20:47 204,800 --a------ C:\temp\sysclean.exe
    2007-06-18 18:41 <DIR> d-------- C:\temp\temp
    2007-06-18 18:20 <DIR> d-------- C:\WINDOWS\pss
    2007-06-18 17:43 3,454,607 --a------ C:\temp\sysclean.com
    2007-06-18 17:43 <DIR> d-------- C:\temp
    2007-06-18 16:47 <DIR> d-------- C:\DOCUME~1\Charles\.housecall6.6
    2007-06-18 16:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-18 16:04 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-06-18 15:55 <DIR> d-------- C:\Program Files\mIRC
    2007-06-18 15:51 19,968 --a------ C:\qcwrp.exe
    2007-06-01 17:51 <DIR> d-------- C:\DOCUME~1\Charles\Phone Browser
    2007-06-01 17:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
    2007-06-01 17:45 <DIR> d-------- C:\Program Files\DIFX
    2007-06-01 17:45 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2007-06-01 17:45 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2007-06-01 17:45 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\PC Suite
    2007-06-01 17:45 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\Nokia
    2007-06-01 17:44 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll
    2007-06-01 17:44 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
    2007-06-01 17:44 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
    2007-06-01 17:44 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
    2007-06-01 17:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
    2007-06-01 17:44 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
    2007-06-01 17:44 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2007-06-01 17:44 <DIR> d-------- C:\Program Files\Nokia
    2007-06-01 17:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
    2007-05-23 16:58 52,984 --a------ C:\WINDOWS\system32\drivers\mozy.sys
    2007-05-23 16:58 <DIR> d-------- C:\Program Files\Mozy
    2007-05-23 12:19 <DIR> d-------- C:\DOCUME~1\Charles\logitech
    2007-05-23 12:19 <DIR> d-------- C:\DOCUME~1\Charles\browser - logitech
    2007-05-23 12:18 <DIR> d-------- C:\Program Files\Common Files\Remote Control USB Driver
    2007-05-23 12:18 <DIR> d-------- C:\Program Files\Common Files\Remote Control Software Common
    2007-05-23 12:18 <DIR> d-------- C:\DOCUME~1\Charles\APPLIC~1\InstallShield
    2007-05-21 17:40 87,808 --a------ C:\WINDOWS\system32\cpwmon2k.dll
    2007-05-21 17:40 <DIR> d-------- C:\Program Files\GPLGS
    2007-05-21 17:39 <DIR> d-------- C:\Program Files\Acro Software
    2007-05-20 09:02 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-18 08:00:09 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Azureus
    2007-06-15 10:55:33 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-13 09:54:44 -------- d-----w C:\Program Files\Myob16
    2007-05-23 04:18:31 -------- d-----w C:\Program Files\Logitech
    2007-05-18 04:49:09 -------- d-----w C:\Program Files\CSI
    2007-05-17 10:42:10 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Apple Computer
    2007-05-16 15:32:55 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 04:14:03 -------- d-----w C:\Program Files\TagRename
    2007-05-10 10:20:20 -------- d-----w C:\Program Files\EPSON
    2007-05-09 1131 -------- d-----w C:\Program Files\Common Files\Ahead
    2007-05-09 11:20:48 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Ahead
    2007-05-09 11:20:02 -------- d-----w C:\Program Files\Nero
    2007-05-09 09:59:16 -------- d-----w C:\Program Files\MYOB
    2007-05-07 11:01:06 -------- d-----w C:\Program Files\Common Files\stardock
    2007-05-07 10:55:08 -------- d-----w C:\Program Files\Stardock
    2007-05-06 14:02:06 -------- d-----w C:\Program Files\Diskeeper Corporation
    2007-05-06 1021 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Activision
    2007-05-06 09:49:08 -------- d-----w C:\Program Files\DAEMON Tools
    2007-05-06 09:46:57 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-05-06 07:04:28 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2007-05-06 06:50:47 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Command & Conquer 3 Tiberium Wars
    2007-05-06 06:50:22 -------- d--h--r C:\DOCUME~1\Charles\APPLIC~1\SecuROM
    2007-05-06 06:03:19 -------- d-----w C:\Program Files\Trend Micro
    2007-05-06 05:37:10 -------- d-----w C:\Program Files\K-Lite Codec Pack
    2007-05-06 03:04:07 -------- d-----w C:\Program Files\Azureus
    2007-05-05 15:04:34 -------- d-----w C:\Program Files\Microsoft Works
    2007-05-05 14:10:29 -------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-05-05 14:09:48 -------- d-----w C:\Program Files\Microsoft.NET
    2007-05-05 13:54:46 -------- d-----w C:\Program Files\QuickTime
    2007-05-05 13:54:26 -------- d-----w C:\Program Files\MSN Messenger
    2007-05-05 13:43:44 -------- d-----w C:\Program Files\Common Files\Logitech
    2007-05-04 1946 -------- d-----w C:\Program Files\Common Files\ODBC
    2007-05-04 1942 -------- d-----w C:\Program Files\Common Files\SpeechEngines
    2007-05-04 16:36:48 -------- d-----w C:\Program Files\Online Services
    2007-05-04 14:12:41 -------- d-----w C:\Program Files\Simpli Software
    2007-05-04 14:08:37 -------- d-----w C:\Program Files\Lavalys
    2007-05-04 13:57:50 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\Logitech
    2007-05-04 13:12:35 -------- d-----w C:\DOCUME~1\Charles\APPLIC~1\ATI
    2007-05-04 12:01:54 -------- d-----w C:\Program Files\ATI Technologies
    2007-05-04 12:00:44 -------- d-----w C:\Program Files\Common Files\InstallShield
    2007-05-04 11:55:57 14,656 ----a-w C:\WINDOWS\gdrv.sys
    2007-05-04 11:48:48 -------- d-----w C:\Program Files\Realtek
    2007-05-04 11:47:36 -------- d-----w C:\Program Files\Marvell
    2007-05-04 11:43:57 -------- d-----w C:\Program Files\Intel
    2007-05-04 11:35:10 -------- d-----w C:\Program Files\microsoft frontpage
    2007-05-04 11:34:56 0 --sha-r C:\MSDOS.SYS
    2007-05-04 11:34:56 0 --sha-r C:\IO.SYS
    2007-05-04 11:34:56 0 ----a-w C:\CONFIG.SYS
    2007-05-04 11:34:56 0 ----a-w C:\AUTOEXEC.BAT
    2007-05-04 11:33:42 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-05-04 11:32:37 -------- d-----w C:\Program Files\Common Files\MSSoap
    2007-05-04 11:32:26 -------- d-----w C:\Program Files\Movie Maker
    2007-05-04 11:31:28 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-05-04 11:30:54 -------- d-----w C:\Program Files\Windows Media Connect 2
    2007-05-04 11:30:42 -------- d-----w C:\Program Files\Messenger
    2007-05-04 11:30:36 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-05-04 11:30:25 -------- d-----w C:\Program Files\Windows NT
    2007-04-25 1415 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:14:43 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-15 21:31:18 86,073 ----a-w C:\WINDOWS\system32\usrfaxa.dll
    2007-04-15 21:31:18 8,192 ----a-w C:\WINDOWS\system32\tsbyuv.dll
    2007-04-15 21:31:18 8,192 ----a-w C:\WINDOWS\system32\streamci.dll
    2007-04-15 21:31:18 77,891 ----a-w C:\WINDOWS\system32\usrmlnka.exe
    2007-04-15 21:31:18 77,890 ----a-w C:\WINDOWS\system32\usrdpa.dll
    2007-04-15 21:31:18 77,883 ----a-w C:\WINDOWS\system32\usrrtosa.dll
    2007-04-15 21:31:18 72,192 ----a-w C:\WINDOWS\system32\sprio800.dll
    2007-04-15 21:31:18 70,656 ----a-w C:\WINDOWS\system32\sprio600.dll
    2007-04-15 21:31:18 69,700 ----a-w C:\WINDOWS\system32\usrshuta.exe
    2007-04-15 21:31:18 69,699 ----a-w C:\WINDOWS\system32\usrcoina.dll
    2007-04-15 21:31:18 69,632 ----a-w C:\WINDOWS\system32\spnike.dll
    2007-04-15 21:31:18 61,508 ----a-w C:\WINDOWS\system32\usrprbda.exe
    2007-04-15 21:31:18 61,500 ----a-w C:\WINDOWS\system32\usrcntra.dll
    2007-04-15 21:31:18 55,296 ----a-w C:\WINDOWS\system32\dvdplay.exe
    2007-04-15 21:31:18 53,305 ----a-w C:\WINDOWS\system32\usrlbva.dll
    2007-04-15 21:31:18 52,736 ----a-w C:\WINDOWS\system32\wzcsapi.dll
    2007-04-15 21:31:18 52,224 ----a-w C:\WINDOWS\system32\dmutil.dll
    2007-04-15 21:31:18 49,211 ----a-w C:\WINDOWS\system32\usrvpa.dll
    2007-04-15 21:31:18 49,211 ----a-w C:\WINDOWS\system32\usrsdpia.dll
    2007-04-15 21:31:18 49,209 ----a-w C:\WINDOWS\system32\usrv80a.dll
    2007-04-15 21:31:18 476,160 ----a-w C:\WINDOWS\system32\wzcsvc.dll
    2007-04-15 21:31:18 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
    2007-04-15 21:31:18 47,104 ----a-w C:\WINDOWS\system32\cnbjmon.dll
    2007-04-15 21:31:18 45,116 ----a-w C:\WINDOWS\system32\usrvoica.dll
    2007-04-15 21:31:18 41,019 ----a-w C:\WINDOWS\system32\usrsvpia.dll
    2007-04-15 21:31:18 35,328 ----a-w C:\WINDOWS\system32\pid.dll
    2007-04-15 21:31:18 323,641 ----a-w C:\WINDOWS\system32\usrdtea.dll
    2007-04-15 21:31:18 3,200 ----a-w C:\WINDOWS\system32\wowfax.dll
    2007-04-15 21:31:18 20,992 ----a-w C:\WINDOWS\system32\hid.dll
    2007-04-15 21:31:18 17,408 ----a-w C:\WINDOWS\system32\msyuv.dll
    2007-04-15 21:31:18 157,696 ----a-w C:\WINDOWS\system32\paqsp.dll
    2007-04-15 21:31:18 15,360 ----a-w C:\WINDOWS\system32\pjlmon.dll
    2007-04-15 21:31:18 147,968 ----a-w C:\WINDOWS\system32\mdwmdmsp.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {CCF4A8FD-85B4-41BD-9D7B-AD50F8879A18}=C:\WINDOWS\system32\vtsqr.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2006-11-14 17:21 C:\WINDOWS\RTHDCPL.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 C:\WINDOWS\SkyTel.exe]
    "Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 23:25 C:\WINDOWS\KHALMNPR.Exe]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-05 00:37]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 14:26]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 06:29]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "ShowDeskFix"=regsvr32 /s /n /i:u shell32

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfgge]
    hggfgge.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=wbsys.dll

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
    NtmlSvc


    Contents of the 'Scheduled Tasks' folder
2007-05-15 20:05:00 C:\WINDOWS\tasks\=mininova.org=_The_Italian_Job_(2003)_-_DVDrip_-_TJ.job
    2007-05-19 10:10:17 C:\WINDOWS\tasks\Azureus.job
2007-05-29 18:27:00 C:\WINDOWS\tasks\Eragon.2006.PROPER.DVDRip.XviD_FLAiTE.job
2007-05-15 18:05:00 C:\WINDOWS\tasks\Law.And.Order.Criminal.Intent.S06E21.HDTV.XViD-NoTV.job
    2007-05-12 18:47:00 C:\WINDOWS\tasks\Law.And.Order.S17E21.HDTV.XviD-LOL.job
    2007-06-06 18:57:00 C:\WINDOWS\tasks\Naughty.Book.Worms.7.XXX.DVDRip.X viD-Pr0nStarS.job
    2007-05-15 19:05:00 C:\WINDOWS\tasks\Oceans_11_Eleven_-_Proper_DVD_rip_[XviD].avi_+{mininova.org}+.job
    2007-06-07 18:14:00 C:\WINDOWS\tasks\Stephen.Kings.Riding.The.Bullet.2 004.DVDRip.XviD.iNTERNAL-PorphyriA.job
    2007-06-03 18:55:00 C:\WINDOWS\tasks\Teen.****.Holes.8.XXX.DVDRip.XviD-Pr0nStarS[1].job

    ************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-19 18:32:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    ************************************************************************

    Completion time: 2007-06-19 18:34:55 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-19 18:34

    --- E O F ---

    VundoFix V6.5.1

    Checking Java version...

    Scan started at 5:42:27 PM 19/06/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\hggfgge.dll
    C:\WINDOWS\system32\rqstv.bak1
    C:\WINDOWS\system32\rqstv.ini
    C:\WINDOWS\system32\vtsqr.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\rqstv.bak1
    C:\WINDOWS\system32\rqstv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqstv.ini
    C:\WINDOWS\system32\rqstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsqr.dll
    C:\WINDOWS\system32\vtsqr.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.1

    Checking Java version...

    Scan started at 5:57:01 PM 19/06/2007

    Listing files found while scanning....

    C:\windows\system32\rqstv.ini
    C:\WINDOWS\system32\vtsqr.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\rqstv.ini
    C:\windows\system32\rqstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsqr.dll
    C:\WINDOWS\system32\vtsqr.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\rqstv.ini
    C:\windows\system32\rqstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vtsqr.dll
    C:\WINDOWS\system32\vtsqr.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.1

    Checking Java version...

    Scan started at 6:17:06 PM 19/06/2007

    Listing files found while scanning....

    No infected files were found.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:38:02 PM, on 19/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Mozy\mozybackup.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Mozy\mozystat.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\temp\foolyou.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {CCF4A8FD-85B4-41BD-9D7B-AD50F8879A18} - C:\WINDOWS\system32\vtsqr.dll (file missing)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OMNI Todo List.lnk = D:\Downloads\IE\OMNI Todo List.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

  6. #6
    Neal is offline Dedicated Member
    Run hijackthis and click on scan only button and put checks next to these:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {CCF4A8FD-85B4-41BD-9D7B-AD50F8879A18} - C:\WINDOWS\system32\vtsqr.dll (file missing)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)




    Close all windows and browsers, even this one, and click on Fix checked.



    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select Safe Mode and press Enter.


    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    ALCMTR.EXE
    hggfgge.dll


    Reboot normal mode and post a new hijackthis log and tell me how things are now.

    If you are wanting to donate there is a link at the bottom of my signature.

    Thanks.

  7. #7
    bookman is offline Newbie
    Hi,
    Done all that, here's the log.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:03:13 AM, on 20/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20583)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Mozy\mozybackup.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Mozy\mozystat.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\temp\foolyou.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: OMNI Todo List.lnk = D:\Downloads\IE\OMNI Todo List.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
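
    As an added example (not part of this thread, and not HijackThis code), a small Python parser for the HijackThis log format posted above. It applies the two heuristics behind Neal's picks in post #6, unnamed O2 BHOs and an O20 Winlogon Notify entry whose DLL is missing, and diffs a before/after log so you can confirm that the fix-checked entries are really gone. The sample log lines are copied from the logs in this thread; the `Entry` class and function names are my own.

```python
"""Parse HijackThis-style log lines, flag the persistence patterns the thread
deals with (Vundo-type BHOs and a Winlogon Notify DLL), and diff two logs."""
import re
from dataclasses import dataclass

# Every HijackThis finding starts with a section tag: O2, O4, O20, R1 ...
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2" (BHO) or "O20" (Winlogon Notify)
    detail: str    # remainder of the line, as logged


def parse_log(text):
    """Return the O*/R* entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_suspicious(entries):
    """Heuristics matching the helper's choices in this thread:
    - O2 BHOs with no name (legitimate BHOs register a display name), and
    - O20 Winlogon Notify DLLs whose file is missing (a dead load-point left
      behind by a removed DLL; winlogon would load it again if it reappeared).
    A *named* BHO with a missing file (the Adobe one) is stale but harmless
    and is left alone, as it was in the thread."""
    flagged = []
    for e in entries:
        if e.section == "O2" and "(no name)" in e.detail:
            flagged.append(e)
        elif e.section == "O20" and "(file missing)" in e.detail:
            flagged.append(e)
    return flagged


def removed_between(before, after):
    """Entries present in the earlier log but absent from the later one."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


# Sample input: lines taken from the two logs in this thread (post #5 and #7).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CCF4A8FD-85B4-41BD-9D7B-AD50F8879A18} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: hggfgge - hggfgge.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for e in flag_suspicious(before):
        print("suspicious:", e.section, e.detail)
    for e in removed_between(before, after):
        print("removed by fix:", e.section, e.detail)
```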

  8. #8
    Neal is offline Dedicated Member
    That's a clean log.

    Everything OK?

  9. #9
    bookman is offline Newbie
    Yep, everything seems fine. Waddya reckon with using Kaspersky Internet Security now to guard against virus/spy/mal/adware? My Trend Micro one did stuff all on this one!!!

  10. #10
    Neal is offline Dedicated Member
    Kaspersky is a top-notch program.




    If you are no longer having any trouble, here are some preventive measures for you.

    Be sure to re-hide hidden files/folders if you were asked to unhide them

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all of these, Ad-Aware SE and Spybot S&D updated.

    http://www.d-a-l.com/help/showthread.php?t=32403

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.


    Explained Here:
    Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

    Explained Here
    Microsoft ME:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


    RegProtect

    This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.

    You have the option of allowing (good) items or blocking (bad) items.


    http://www.diamondcs.com.au/index.php?page=regprot


    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1

    Avast: http://www.avast.com/eng/avast_4_home.html


    3. In addition to using Ad-Aware, consider using another free malware scanning/removal program:
    Windows Defender

    http://www.microsoft.com/athome/secu...e/default.mspx


    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Kerio
    http://www.sunbelt-software.com/Kerio.cfm

    Zone Labs Personal Firewall:
    Zone Labs



    5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using these programs:
    SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

    http://www.javacoolsoftware.com/spywareblaster.html


    If you use SpywareBlaster, you can also use a custom block list to add even more entries into IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    Block access to Untrustworthy Sites

    You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.



    *Remember: just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's free.
