How are you guys doing? About a few weeks ago, both my DVD drive and CDRW drive disappeared from My Computer. I haven't been able to use them ever since. I've tried NUMEROUS spyware/trojan/virus scans but nothing seems to work... I'm not a computer whiz or anything, but I know quite a bit still, so if there is anyone out there who can help me, I will forever be in your debt. Just guide me through this whole thing, because I need my CD drives. Thanks.

Oh, and I dunno if this will help or not, but here's my HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 12:22:57 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AirLink101\WlanUtility\tiwlan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Fareed Cheema\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} - (no file)
O2 - BHO: (no name) - {AA1830CA-C235-C43E-1196-378BC88F9E50} - (no file)
O2 - BHO: (no name) - {C72B4089-65FD-6816-11BF-DEB6F68FAA46} - (no file)
O2 - BHO: Class - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - C:\WINDOWS\system32\addnc.dll
O2 - BHO: (no name) - {D3DE3C64-DB27-44BB-D909-411EDCA14227} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mszf.exe] C:\WINDOWS\system32\mszf.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [atlno32.exe] C:\WINDOWS\atlno32.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [9.tmp.exe] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...ex-2.0.3.1.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Ok, you've still got some infections.

Cleaning instructions:

Print these instructions. Internet Explorer must be closed during the cleaning process.

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Move HijackThis into its own folder: C:\HJT

Download Intermute CWShredder -> http://cwshredder.net/bin/CWShredder.exe
Save it to your desktop but DO NOT run it yet.

Download About:Buster -> http://www.malwarebytes.org/AboutBuster.zip
Save it to your desktop but DO NOT run it yet.

Download Ewido -> http://www.ewido.net/en/download
Install it and update it, but DO NOT run a scan yet.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run it yet.

Restart your computer to safe mode (press the F8 button when the computer is starting and choose safe mode).

In safe mode, run CWShredder and press Fix.

Run AboutBuster -> Begin Removal -> OK -> Yes -> OK -> Exit -> OK. Scan twice. The logfile "AB Logfile.txt" is automatically saved to AboutBuster's directory (the same directory where AboutBuster.exe is saved).

Fix the following entries with HijackThis, if found (run HijackThis, press "Do a system scan only", close all other windows, checkmark the entries and press "Fix checked"):

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} - (no file)
O2 - BHO: (no name) - {AA1830CA-C235-C43E-1196-378BC88F9E50} - (no file)
O2 - BHO: (no name) - {C72B4089-65FD-6816-11BF-DEB6F68FAA46} - (no file)
O2 - BHO: (no name) - {D3DE3C64-DB27-44BB-D909-411EDCA14227} - (no file)
O2 - BHO: Class - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - C:\WINDOWS\system32\addnc.dll
O4 - HKLM\..\Run: [mszf.exe] C:\WINDOWS\system32\mszf.exe
O4 - HKLM\..\Run: [atlno32.exe] C:\WINDOWS\atlno32.exe
O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [9.tmp.exe] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\7.tmp.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB

Delete these files if found:
C:\WINDOWS\system32\addnc.dll
C:\WINDOWS\system32\mszf.exe
C:\WINDOWS\atlno32.exe

Run ATF Cleaner -> check "Select All" -> press "Empty Selected".

Run a scan with Ewido, clean what it finds and save the log.

Restart your computer normally.

Post the following logs here:
-> a new HijackThis log
-> About:Buster log
-> Ewido's log
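The entries the helper singles out above follow recognisable patterns in a HijackThis log: O2 BHOs whose CLSID is still registered but whose DLL is "(no file)", O4 Run values launched out of a Temp folder, and an O16 ActiveX CAB pulled from an unknown host with "dialer" in the path. The Python script below is an added example, not part of this thread or of HijackThis, that triages a log in that format against those patterns; the sample log is constructed from the entry shapes above, and the trusted-host list and severity heuristics are this example's own assumptions.

```python
"""Triage a HijackThis-format log for the entry patterns seen in this thread.

Example code added to this thread, not part of HijackThis or of any tool the
helper names. The trusted-host list, severities and sample log are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 log format, modelled on entries above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: Class - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - C:\WINDOWS\system32\addnc.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
"""

# Hosts an O16 ActiveX download is expected from on this machine (assumption).
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "creative.com", "edgesuite.net")
# BHO display names that carry no information about what the DLL is.
GENERIC_BHO_NAMES = {"(no name)", "class"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r"^(?P<exe>\S.*?\.(?:exe|com|scr|pif|bat))(?:\s|$)", re.I)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.I)
TMP_NAME_RE = re.compile(r"^\d+\.tmp(\.exe)?$", re.I)


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "medium"
    reason: str
    line: str


def exe_from_command(cmd: str) -> str:
    """Extract the executable path from a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def host_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")
        if section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, "medium", "URLSearchHook is missing", line))
        elif section == "O2" and (b := BHO_RE.match(body)):
            if b.group("path").strip().lower() == "(no file)":
                # CLSID still registered as a BHO but its DLL is gone: orphaned registration
                findings.append(Finding(section, "high", "orphaned BHO registration", line))
            elif b.group("name").strip().lower() in GENERIC_BHO_NAMES:
                findings.append(Finding(section, "medium", f"unnamed BHO loads {b.group('path')}", line))
        elif section == "O4" and (r := RUN_RE.match(body)):
            exe = exe_from_command(r.group("cmd"))
            if TEMP_DIR_RE.search(exe) or TMP_NAME_RE.match(exe.rsplit("\\", 1)[-1]):
                findings.append(Finding(section, "high", f"autorun from Temp folder: {exe}", line))
        elif section == "O16" and (d := DPF_RE.match(body)):
            host = urlsplit(d.group("url")).hostname or ""
            if not host_trusted(host):
                sev = "high" if "dialer" in d.group("url").lower() else "medium"
                findings.append(Finding(section, sev, f"ActiveX download from untrusted host {host}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(hits))
```

On the sample log this reports three high findings (the orphaned BHO, the 9.tmp autorun and the dialer CAB) and two medium ones, while the Adobe, Java, Spy Sweeper and Microsoft entries pass.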
My CD drives still don't work... Here are the logs you asked me to post up...

HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:25:48 PM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Fareed Cheema\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} - (no file)
O2 - BHO: (no name) - {AA1830CA-C235-C43E-1196-378BC88F9E50} - (no file)
O2 - BHO: (no name) - {C72B4089-65FD-6816-11BF-DEB6F68FAA46} - (no file)
O2 - BHO: (no name) - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - (no file)
O2 - BHO: (no name) - {D3DE3C64-DB27-44BB-D909-411EDCA14227} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

ABOUT BUSTER LOG

AboutBuster 6.01
Scan started on [4/30/2006] at [12:18:00 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:cyprwa
Removed Stream! C:\WINDOWS\clock.avi:vziwzl
Removed Stream! C:\WINDOWS\Rhododendron.bmp:cjyvsx
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:vjjjuh
Removed Stream! C:\WINDOWS\setupapi.log.0.old:ezdbhp
Removed Stream! C:\WINDOWS\Uninstall.ico:hpogfj
Removed Stream! C:\WINDOWS\vbaddin.ini:zqylht
Removed Stream! C:\WINDOWS\_default.pif:bxauoc
Removed Stream! C:\WINDOWS\_default.pif:demizu
Removed Stream! C:\WINDOWS\_default.pif:mrghvn
Removed Stream! C:\WINDOWS\_default.pif:nhrfb
Removed Stream! C:\WINDOWS\_default.pif:vwfwbe
Removed Stream! C:\WINDOWS\_default.pif:xtjasi
-------------------------------------------------------------
Removed File! : C:\WINDOWS\apigy.exe
Removed File! : C:\WINDOWS\appie.dll
Removed File! : C:\WINDOWS\appsg.exe
Removed File! : C:\WINDOWS\appxr.exe
Removed File! : C:\WINDOWS\appyf.exe
Removed File! : C:\WINDOWS\d3nv.exe
Removed File! : C:\WINDOWS\d3ws.exe
Removed File! : C:\WINDOWS\itoik.dat
Removed File! : C:\WINDOWS\javadg.dll
Removed File! : C:\WINDOWS\mfcvc.exe
Removed File! : C:\WINDOWS\mswj.exe
Removed File! : C:\WINDOWS\msxb.exe
Removed File! : C:\WINDOWS\msyy.exe
Removed File! : C:\WINDOWS\netdg32.exe
Removed File! : C:\WINDOWS\nethu32.exe
Removed File! : C:\WINDOWS\netjd32.exe
Removed File! : C:\WINDOWS\ntcn.exe
Removed File! : C:\WINDOWS\rnjnm.dat
Removed File! : C:\WINDOWS\sysqy32.exe
Removed File! : C:\WINDOWS\winrb32.exe
Removed File! : C:\WINDOWS\wintj32.exe
Removed File! : C:\WINDOWS\winww32.exe
Removed File! : C:\WINDOWS\xawgk.dat
Removed File! : C:\WINDOWS\ytara.txt
Removed File! : C:\WINDOWS\yyigq.txt
Removed File! : C:\WINDOWS\system32\addhp32.dll.bak
Removed File! : C:\WINDOWS\system32\addnc.dll.bak
Removed File! : C:\WINDOWS\system32\apijf.exe
Removed File! : C:\WINDOWS\system32\apiuo.exe
Removed File! : C:\WINDOWS\system32\apixe.dll
Removed File! : C:\WINDOWS\system32\apiyy.dll.bak
Removed File! : C:\WINDOWS\system32\apptp32.exe
Removed File! : C:\WINDOWS\system32\appvh32.exe
Removed File! : C:\WINDOWS\system32\crst.exe
Removed File! : C:\WINDOWS\system32\cryl.exe
Removed File! : C:\WINDOWS\system32\d3ev.exe
Removed File! : C:\WINDOWS\system32\d3jy.dll
Removed File! : C:\WINDOWS\system32\ieet32.exe
Removed File! : C:\WINDOWS\system32\iehq.exe
Removed File! : C:\WINDOWS\system32\ipqd.dll
Removed File! : C:\WINDOWS\system32\ipzp32.dll
Removed File! : C:\WINDOWS\system32\mfcew32.exe
Removed File! : C:\WINDOWS\system32\mshb.exe
Removed File! : C:\WINDOWS\system32\syson32.exe
Removed File! : C:\WINDOWS\system32\syspy.exe
Removed File! : C:\WINDOWS\system32\syssh32.exe
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
------------------------------------------------------

EWIDO LOG

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:39:44 PM, 4/30/2006
+ Report-Checksum: AD19649C

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{0DC9678A-0260-8CEB-0563-594D9FB02903} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{251F1678-C6A5-89D9-D60F-44823539572A} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{3EB3C3B8-C6A3-A391-CE99-432056782D22} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{4B49C233-41E6-542A-7DCB-BB3C0869BABE} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{68761E0C-A678-2B1F-4293-E427E94D1A2D} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{6E3BDCC0-A228-DCB8-7E88-ECF18F0D9B1C} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{6F8F6D52-E43E-F6A7-3704-C2291FA9AAF6} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{73374308-91E6-5E66-411F-8EDBA399652C} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{77115206-4277-3228-99E2-2B93995F46A4} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{8EDA2BD3-6A45-E3A2-BF45-6B2B79D7BCFF} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{99FA4172-70BA-F5F0-EB8D-3E910E0ADD26} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{B85FFBF7-B2D8-D30A-8289-46564A899064} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{E0AB80CE-D9B6-AA3C-04B0-CAB826F2291F} -> Adware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA1830CA-C235-C43E-1196-378BC88F9E50} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C72B4089-65FD-6816-11BF-DEB6F68FAA46} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} -> Adware.CoolWebSearch : Cleaned without backup
HKU\S-1-5-21-854245398-630328440-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3DE3C64-DB27-44BB-D909-411EDCA14227} -> Adware.CoolWebSearch : Cleaned without backup
:mozilla.14:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned without backup
:mozilla.20:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned without backup
:mozilla.33:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned without backup
:mozilla.43:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned without backup
:mozilla.67:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
:mozilla.68:C:\Documents and Settings\Fareed Cheema\Application Data\Mozilla\Firefox\Profiles\2xzcg3wd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned without backup
C:\ntdetect.hta -> Downloader.Inor.cj : Cleaned without backup
C:\WINDOWS\Downloaded Program Files\int_ver34.ocx.tcf -> Dialer.VB.j : Cleaned without backup
C:\WINDOWS\system32\winrun.exe.tcf -> Downloader.Small.bnz : Cleaned without backup

::Report End
Here's the HJT log now.

Logfile of HijackThis v1.99.1
Scan saved at 2:22:05 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AirLink101\WlanUtility\tiwlan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fareed Cheema\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} - (no file)
O2 - BHO: (no name) - {AA1830CA-C235-C43E-1196-378BC88F9E50} - (no file)
O2 - BHO: (no name) - {C72B4089-65FD-6816-11BF-DEB6F68FAA46} - (no file)
O2 - BHO: (no name) - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - (no file)
O2 - BHO: (no name) - {D3DE3C64-DB27-44BB-D909-411EDCA14227} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Ok, we'll just have to clean it manually then....

Press Start -> Run -> Write this in the field: regedit.exe -> Press OK

First, you should take a backup of your registry:
-> (In regedit) select My Computer, right-click it and press Export
-> Name it RegBackup and save it to C:\

Then go (in regedit):
-> HKEY_LOCAL_MACHINE
-> Software
-> Microsoft
-> Windows
-> CurrentVersion
-> Explorer
-> Browser Helper Objects

-> Search for the following entries and delete them:
{2B91E7DA-0139-CAF2-705A-DC5942CF0C87}
{7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39}
{AA1830CA-C235-C43E-1196-378BC88F9E50}
{C72B4089-65FD-6816-11BF-DEB6F68FAA46}
{CFF78A19-61ED-E7F1-ECDE-FD6257174BC7}
{D3DE3C64-DB27-44BB-D909-411EDCA14227}

-> Close Regedit

Post a new HjT log.

Have you deleted Trend Micro antivirus & firewall?
No, I haven't deleted Trend Micro firewall, but I've disabled it... And I tried to delete those registry keys, but there's an error message: "error while deleting key". I dunno what to do...
Hi fred_82k and sorry for the delay. Ok, we'll have to use a stronger tool....

1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to the desktop.

2. Copy all the text in the quote box below to Notepad (starting from "registry keys to delete").

Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system.

3. Now, open The Avenger
-> Below "Script file to execute" select "Input Script Manually".
-> Now click the magnifying glass, which opens a new window "View/edit script".
-> Paste the text you earlier copied to Notepad here
-> Click Done.
-> Now click the green light in order to start the script.
-> Click "Yes".

4. Avenger will do the following
-> Reboot your computer.
-> While booting, it will open a DOS prompt; that's normal.
-> After reboot it will create a logfile which should open. This log is in C:\avenger.txt
-> Avenger has created a backup here -> C:\avenger\backup.zip

5. Copy/paste the contents of avenger.txt along with a fresh HjT log.
NO LUCK!!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ubycuvfp

*******************

Script file located at: \??\C:\Program Files\hansogmg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{AA1830CA-C235-C43E-1196-378BC88F9E50} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{AA1830CA-C235-C43E-1196-378BC88F9E50} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C72B4089-65FD-6816-11BF-DEB6F68FAA46} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C72B4089-65FD-6816-11BF-DEB6F68FAA46} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D3DE3C64-DB27-44BB-D909-411EDCA14227} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{D3DE3C64-DB27-44BB-D909-411EDCA14227} failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.
Logfile of HijackThis v1.99.1
Scan saved at 1:57:30 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AirLink101\WlanUtility\tiwlan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fareed Cheema\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} - (no file)
O2 - BHO: (no name) - {AA1830CA-C235-C43E-1196-378BC88F9E50} - (no file)
O2 - BHO: (no name) - {C72B4089-65FD-6816-11BF-DEB6F68FAA46} - (no file)
O2 - BHO: (no name) - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - (no file)
O2 - BHO: (no name) - {D3DE3C64-DB27-44BB-D909-411EDCA14227} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Ok sorry, my bad. Do this (with the right script):

1. Copy all text in the quote box below to Notepad (starting from "registry keys to delete").
Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system.

2. Now open The Avenger:
-> Below "Script file to execute" select "Input Script Manually".
-> Now click the magnifying glass, which opens a new window "View/edit script".
-> Paste the text you earlier copied to Notepad here.
-> Click Done.
-> Now click the green light in order to start the script.
-> Click "Yes".

3. Avenger will do the following:
-> Reboot your computer.
-> While booting, it will open a DOS prompt; that's normal.
-> After the reboot it will create a logfile, which should open. This log is in C:\avenger.txt
-> Avenger has created a backup here -> C:\avenger\backup.zip

4. Copy/paste the contents of avenger.txt along with a fresh HjT log.

And enable your Trend Micro firewall and install an antivirus. These are good (free) antiviruses:
AVG Antivirus --> http://www.grisoft.com
Avast --> http://www.avast.com
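As an added example (not part of this thread, and not code from the HijackThis or Avenger authors), the following Python script does the triage that the two posts above do by hand: it pulls the O2 (BHO) and O4 (autorun) lines out of a HijackThis log, flags the ones the helper singled out (registrations with "(no file)" or no usable name, executables launched from a Temp directory), prints the registry keys to delete in the form `reg.exe` on XP accepts, and decodes the status code from a failed Avenger run. The sample log lines are constructed copies of entries from the logs in this thread; the heuristics and the NTSTATUS table are my assumptions, and the two registry locations are the Explorer BHO key the helper walked to in regedit plus the COM CLSID key the BHO points at. Note what the decoder shows for the first Avenger run: 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the script targeted a path that does not exist (`Internet Explorer\Toolbar` instead of `Explorer\Browser Helper Objects`), which is a wrong-path failure, not a locked key.

```python
import re

# Constructed sample: O2 (BHO) and O4 (autorun) lines in HijackThis's own shape,
# copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: Class - {CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} - C:\WINDOWS\system32\addnc.dll
O4 - HKLM\..\Run: [9.tmp] C:\DOCUME~1\FAREED~1\LOCALS~1\Temp\9.tmp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
"""

# Constructed sample from the first (failed) Avenger run in the thread.
SAMPLE_AVENGER = r"""
Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} failed! Status: 0xc0000034
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$')
AVENGER_FAIL_RE = re.compile(r'^Deletion of registry key (?P<key>.+?) failed! Status: (?P<status>0x[0-9A-Fa-f]+)$')

# Where a BHO is registered: the Explorer BHO list (the key the helper navigated
# to in regedit) and the COM class registration the CLSID refers to.
BHO_KEY = r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
CLSID_KEY = r'HKCR\CLSID'

# NTSTATUS values Avenger prints on failure (assumed subset, from winerror/ntstatus).
NTSTATUS = {
    0xC0000034: 'STATUS_OBJECT_NAME_NOT_FOUND: key path does not exist, fix the hive/path',
    0xC0000022: 'STATUS_ACCESS_DENIED: key exists but deletion was refused',
}


def parse_bhos(log_text):
    """Return one dict (name, clsid, path) per O2 line in a HijackThis log."""
    return [m.groupdict() for m in (O2_RE.match(l.strip()) for l in log_text.splitlines()) if m]


def flag_bhos(entries):
    """Heuristic flags: orphaned registration, no usable name, or a short
    nonsense-named DLL dropped straight into system32. Returns (clsid, reason)."""
    flagged = []
    for e in entries:
        reasons = []
        if e['path'] == '(no file)':
            reasons.append('registered but DLL missing (orphaned BHO)')
        if e['name'] in ('(no name)', 'Class'):
            reasons.append('no descriptive name')
        if re.fullmatch(r'C:\\WINDOWS\\system32\\[a-z]{4,6}\.dll', e['path'], re.IGNORECASE):
            reasons.append('short random-looking DLL name in system32')
        if reasons:
            flagged.append((e['clsid'], '; '.join(reasons)))
    return flagged


def registry_keys_for(clsid):
    """Both keys that must go for a BHO to be fully unregistered."""
    return [BHO_KEY + '\\' + clsid, CLSID_KEY + '\\' + clsid]


def reg_delete_commands(clsids):
    """reg.exe equivalents of deleting the keys by hand (/f skips the prompt)."""
    return ['reg delete "%s" /f' % key for c in clsids for key in registry_keys_for(c)]


def flag_autoruns(log_text):
    """O4 Run entries launched from a Temp directory or under a *.tmp name."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and (re.search(r'\\Temp\\', m.group('cmd'), re.IGNORECASE)
                  or re.search(r'\b\d+\.tmp(\.exe)?\b', m.group('cmd'), re.IGNORECASE)):
            flagged.append((m.group('key'), m.group('cmd')))
    return flagged


def avenger_failures(log_text):
    """(key, decoded status) for every failed deletion in an Avenger log."""
    out = []
    for line in log_text.splitlines():
        m = AVENGER_FAIL_RE.match(line.strip())
        if m:
            code = int(m.group('status'), 16)
            out.append((m.group('key'), NTSTATUS.get(code, 'unrecognised NTSTATUS %#010x' % code)))
    return out


if __name__ == '__main__':
    bhos = parse_bhos(SAMPLE_HJT)
    for clsid, why in flag_bhos(bhos):
        print('BHO', clsid, '->', why)
    for key, cmd in flag_autoruns(SAMPLE_HJT):
        print('Run entry [%s] -> %s' % (key, cmd))
    for cmd in reg_delete_commands([c for c, _ in flag_bhos(bhos)]):
        print(cmd)
    for key, why in avenger_failures(SAMPLE_AVENGER):
        print('Avenger could not delete', key, '->', why)
```

Run it as-is against the constructed samples, or paste a real log into `SAMPLE_HJT`. The `reg delete` lines are meant to be reviewed, not piped blindly: export the hive first, as the helper says, since `/f` deletes without asking.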
OK, so that worked.. BUT I still can't see my CD drives.. here are the new logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\chgdefyq

*******************

Script file located at: \??\C:\jpbqnhdg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B91E7DA-0139-CAF2-705A-DC5942CF0C87} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FBC95AC-6D1C-802E-7EA2-D15AD4E37E39} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA1830CA-C235-C43E-1196-378BC88F9E50} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C72B4089-65FD-6816-11BF-DEB6F68FAA46} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CFF78A19-61ED-E7F1-ECDE-FD6257174BC7} deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3DE3C64-DB27-44BB-D909-411EDCA14227} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Logfile of HijackThis v1.99.1
Scan saved at 2:25:17 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AirLink101\WlanUtility\tiwlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fareed Cheema\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.3.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Ok, you're clean now and we can focus on the CD drive problem. But you should enable/install a firewall and install an antivirus...

Did you install/remove any software when the drives disappeared? Or did you install some new components in your PC? Or did you change some settings (e.g. BIOS)?