Task Manager Problem - The Egodktf Toolbar Removal

I'm unable to get into the task manager for some reason. Everytime I try to open it a box that says "Task manager has been disabled by the administrator". However, I am able to open the task manager on other accounts. I am on my PC at home and currently on the administrator account. I've never disabled it myself and neither has anybody else. I accidently got a virus onto my computer and it's been messed up since even after I removed the virus. So if anybody has any suggestions I'd be very grateful. Thank you in advance.

I'd like to remove three toobars that keep showing up whenever I get online. The toolbars are egodktf, Yahoo!, and Zango. Thanks in advance for any help.

<EDIT Posts Merged>

Moved to Virus Spyware & Security forum.

From the other post and this one I would have to say you are dealing with malware.

Please follow these instructions and we will get this sorted out.

Download and rename HijackThis (HJT)

• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
  • Close HijackThis and rename it.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
• From the desktop open HiackThis.
• If using Windows Vista, be sure to Run As Administrator
• Click on the Do a system scan and save a log file button
• HijackThis will scan and then a log will open in notepad.
• Copy and then paste the log in your post.
  • Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Even though we have renamed HijackThis to sniper, we will still refer to it as HijackThis or HJT.

Next post please add
Hijackthis log

Here's what came up:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:28 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: SXG Advisor - {22E4849D-E499-4701-BB1C-8E8ABAB2EE21} - C:\WINDOWS\dopfwrlqox.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Zango /fleok=1D8A83A5C2E4127C99A96E2A1FBB39BFE4976E26CAED A120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O3 - Toolbar: The egodktf - {00E1F032-D6AD-40E3-8AAF-ED8CAE5EC678} - C:\WINDOWS\egodktf.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\PCSecureSystem\bm.exe" dm=http://pcsecuresystem.com ad=http://pcsecuresystem.com sd=http://ykeeper.pcsecuresystem.com
O4 - HKLM\..\Run: [ptask] C:\Program Files\PCSecureSystem\ptask.exe
O4 - HKLM\..\Run: [SM_IAN] C:\Program Files\AdvancedCleaner Free\ian_monitor.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SystemErrorFixer\strpmon.exe" dm=http://systemerrorfixer.com ad=http://systemerrorfixer.com sd=http://inspaid.systemerrorfixer.com
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O21 - SSODL: bxsnvqt - {413F3F53-CECE-46E8-BF2B-96F032E8D6F7} - C:\WINDOWS\bxsnvqt.dll
O21 - SSODL: aslpmqk - {FAEB649A-633E-4024-9B3C-D79C59422A8C} - C:\WINDOWS\aslpmqk.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 12632 bytes

Ok, I ran HijackThis but I'm still not sure on what to do next.

There are still some very nasty items to take care of.


Open HJT and select Do a system scan only then place a check mark next to:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O2 - BHO: SXG Advisor - {22E4849D-E499-4701-BB1C-8E8ABAB2EE21} - C:\WINDOWS\dopfwrlqox.dll
O2 - BHO: Zango /fleok=1D8A83A5C2E4127C99A96E2A1FBB39BFE4976E26CAED A120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
O3 - Toolbar: The egodktf - {00E1F032-D6AD-40E3-8AAF-ED8CAE5EC678} - C:\WINDOWS\egodktf.dll
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\PCSecureSystem\bm.exe" dm=http://pcsecuresystem.com ad=http://pcsecuresystem.com sd=http://ykeeper.pcsecuresystem.com
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
O21 - SSODL: bxsnvqt - {413F3F53-CECE-46E8-BF2B-96F032E8D6F7} - C:\WINDOWS\bxsnvqt.dll
O21 - SSODL: aslpmqk - {FAEB649A-633E-4024-9B3C-D79C59422A8C} - C:\WINDOWS\aslpmqk.dll

Close all browser windows except for HJT and click Fix checked.

---------------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
• Link #2
• Link #3

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc)
• Close/disable all anti virus and anti malware programs so they do not interfere with Combofix. <-- IMPORTANT
  • Click on this link to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
• Double click combofix.exe & follow the prompts.
  • From the keyboard select 1 and press Enter
• When finished, it will produce a log for you.
• Post that log in your next reply.

Do not mouseclick combofix's window while it's running.
The scan will temporarily disable your desktop.
If interrupted it may leave your computer frozen.
If this occurs, please reboot to restore the desktop.


---------------

Next post please add
Combofix log

Finished the scan and here's what came up:

ComboFix 08-01-18.5 - Owner 2008-01-19 11:26:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.517 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\Mom\Class Reunion\Temporary Internet Files\Content.IE5\51W8D4XE\ComboFix[1].exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner Account\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Documents and Settings\Owner Account\Desktop\Error Cleaner.url
C:\Documents and Settings\Owner Account\Desktop\Privacy Protector.url
C:\Documents and Settings\Owner Account\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Owner Account\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner Account\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner Account\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\ShoppingReport
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Owner\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Documents and Settings\Owner\Desktop\Error Cleaner.url
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Owner\ResErrors.log
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\dat.txt
C:\WINDOWS\dopfwrlqox.dll
C:\WINDOWS\egodktf.dll
C:\WINDOWS\hosts
C:\WINDOWS\search_res.txt
D:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.
2008-01-19 11:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 10:08 . 2005-04-13 12:17 <DIR> d-------- C:\Documents and Settings\Owner Account\WINDOWS
2008-01-19 10:08 . 2008-01-19 10:09 <DIR> d-------- C:\Documents and Settings\Owner Account\Application Data\SiteAdvisor
2008-01-19 10:08 . 2005-05-20 04:50 <DIR> d-------- C:\Documents and Settings\Owner Account\Application Data\SampleView
2008-01-19 09:58 . 2008-01-19 09:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 23:04 . 2005-04-13 12:17 <DIR> d-------- C:\Documents and Settings\Guest\WINDOWS
2008-01-18 23:04 . 2008-01-18 23:04 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Webroot
2008-01-18 23:04 . 2008-01-18 23:04 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2008-01-18 23:04 . 2005-05-20 04:50 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\SampleView
2008-01-18 22:00 . 2008-01-19 11:31 10,095 --a------ C:\WINDOWS\system32\Config.MPF
2008-01-18 21:59 . 2008-01-18 21:59 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-18 21:57 . 2008-01-18 21:59 <DIR> d-------- C:\Program Files\SiteAdvisor
2008-01-18 21:57 . 2008-01-19 00:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
2008-01-18 21:57 . 2008-01-18 21:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-18 21:53 . 2007-07-24 12:02 33,800 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-01-18 21:52 . 2007-07-21 09:08 201,288 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-01-18 21:52 . 2007-07-13 09:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-01-18 21:52 . 2007-07-24 07:40 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-01-18 21:52 . 2007-07-21 09:08 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-01-18 21:52 . 2007-07-21 09:08 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-01-18 20:22 . 2008-01-18 20:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\systemerrorfixer
2008-01-18 20:17 . 2008-01-18 20:17 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2008-01-18 20:16 . 2008-01-18 22:55 <DIR> d-------- C:\Program Files\SystemErrorFixer
2008-01-18 20:16 . 2008-01-18 20:16 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
2008-01-18 20:00 . 2008-01-18 20:00 <DIR> d--hs---- C:\PCSecureSystem
2008-01-18 19:59 . 2008-01-18 20:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PCSecureSystem
2008-01-18 19:59 . 2008-01-18 19:59 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-18 19:59 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-18 19:43 . 2008-01-18 16:43 323,584 --a------ C:\WINDOWS\bxsnvqt.dll
2008-01-18 19:43 . 2008-01-18 16:43 217,088 --a------ C:\WINDOWS\aslpmqk.dll
2008-01-18 19:43 . 2008-01-18 16:43 81,920 --a------ C:\WINDOWS\fknxwqf.exe
2008-01-13 00:03 . 2008-01-13 00:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Zango
2007-12-19 22:33 . 2005-05-26 00:00 475,136 --a------ C:\WINDOWS\lk_c4.dll
2007-12-19 22:33 . 2005-05-26 00:00 399,872 --a------ C:\WINDOWS\c4dstand.dll
2007-12-19 22:33 . 2006-11-13 08:40 50 --a------ C:\WINDOWS\app.ini
2007-12-19 22:32 . 2007-12-19 22:33 <DIR> d-------- C:\Program Files\LKMH
2007-12-19 22:32 . 2006-06-07 15:19 1,644,032 --a------ C:\WINDOWS\LKMHDemo.exe
2007-12-19 22:32 . 2001-01-25 02:12 98,304 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-19 22:32 . 2006-11-13 11:32 3,362 --a------ C:\WINDOWS\LKMHDemo.ini
2007-12-19 22:32 . 2005-05-26 00:00 2,238 --a------ C:\WINDOWS\LK.ico
2007-12-19 22:32 . 2007-12-19 22:33 304 --a------ C:\WINDOWS\LKMH_Demo_Cfg.ini
2007-12-19 22:31 . 2007-12-19 22:31 <DIR> d-------- C:\Program Files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-19 16:23 --------- d-----w C:\Program Files\Google
2008-01-19 04:55 --------- d-----w C:\Program Files\McAfee
2008-01-19 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-19 04:08 --------- d-----w C:\Program Files\GameHouse
2008-01-19 04:07 --------- d-----w C:\Program Files\Symantec
2008-01-19 04:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-19 04:02 --------- d-----w C:\Program Files\Norton AntiVirus
2008-01-19 04:02 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-19 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-19 03:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 22:22 2,634 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-28 19:51 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-12-20 04:27 --------- d-----w C:\Program Files\Total Seminars
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Spyware Cleaner"="C:\Program Files\Spyware Cleaner\SpywareCleaner.exe" [ ]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00 15360]
"WeatherDPA"="C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\G oogleToolbarNotifier.exe" [2008-01-19 10:09 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 12:04 59392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14 36975]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 16:04 135168]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOL SP Scheduler.exe" [2004-03-19 15:17 78960]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 12:50 155648]
"CHotkey"="zHotkey.exe" [2004-05-17 19:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 10:09 36864 C:\WINDOWS\ShowWnd.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [2003-11-10 19:23 369664]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-01 13:00 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-01 12:55 126976]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 16:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 19:44 2744832 C:\WINDOWS\ALCWZRD.EXE]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 04:43 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-30 08:10 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"ptask"="C:\Program Files\PCSecureSystem\ptask.exe" [ ]
"SM_IAN"="C:\Program Files\AdvancedCleaner Free\ian_monitor.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 15:57 36640]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-10 13:00 388608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 18:04 5562368]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
"bxsnvqt"= {D7F29AAC-5C4C-49DE-9460-A6C94A02E2E9} - C:\WINDOWS\bxsnvqt.dll [2008-01-18 16:43 323584]
"aslpmqk"= {91FBE482-9E09-4A9F-A376-9C8479FC82EC} - C:\WINDOWS\aslpmqk.dll [2008-01-18 16:43 217088]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{0143afe1-c919-11d9-8c27-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 12:58:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-09-10 15:21:12 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-09-10 15:21:12 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-01-19 03:50:57 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-19 03:50:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-01-19 17:35:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
************************************************** ************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 11:37:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\bxsnvqt.dll
.
Completion time: 2008-01-19 11:39:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 17:39:08
.
2008-01-09 16:21:25 --- E O F ---

You have Combofix installed incorrectly.

Go to C:\Documents and Settings\Owner\My Documents\Mom\Class Reunion\Temporary Internet Files\Content.IE5\51W8D4XE\ComboFix[1].exe and delete everything to do with Combofix.

Then get another copy of it and follow the instructions by letting it install to the desktop.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
• Link #2
• Link #3

IMPORTANT - Combofix.exe MUST be saved to your your Desktop.

---------------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Copy the red text below by highlighting all the text and pressing Ctrl+C

Folder::
C:\Documents and Settings\Owner\Application Data\systemerrorfixer
C:\Documents and Settings\All Users\Application Data\systemerrorfixer
C:\Program Files\SystemErrorFixer
C:\Program Files\Common Files\SystemErrorFixer
C:\PCSecureSystem
C:\Documents and Settings\Owner\Application Data\PCSecureSystem
C:\Documents and Settings\All Users\Application Data\SalesMon

File::
C:\WINDOWS\bxsnvqt.dll
C:\WINDOWS\aslpmqk.dll
C:\WINDOWS\fknxwqf.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ptask"=-
"SM_IAN"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
"bxsnvqt"=-
"aslpmqk"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

After Combofix is done and the computer has been restarted, run a new Hijackthis scan and post the log in the next peply.

----------

Next post
Combofix log
New Hijackthis log

I don't know how to get to 'C:\Documents and Settings\Owner\My Documents\Mom\Class Reunion\Temporary Internet Files\Content.IE5\51W8D4XE\ComboFix[1].exe'. I got into my documents but couldn't find it anywhere.

Actually it is in the temporary files so you will have to run a cleaner to get rid of it.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

• Click Options...
• Move the arrow down to Standard CleanUp!
• Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
• Click OK

Click the CleanUp! button to start the program. Reboot/logoff when prompted.

Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

You should be OK now to install the new version.

I'm still not entirely clear on the whole temporary internet files thing. Will the CleanUp affect the files on my desktop in any way. I have a bunch of folders on here with pictures and I want to make sure they won't get deleted.

No it will not effect anything like that. It just cleans up clutter that windows collects. It can also help to speed up a computers performance as all of the temp. files make an OS work slower.

Ok, I ran CleanUp. Now which of the three links you gave should I use? So far I've only used the first one and I ended up with Log I posted before