Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.
      
2 Pages V   1 2 >  
 Closed TopicStart new topic
Red Biohazard Screen problem [RESOLVED]
aa2
post May 12 2008, 05:50 PM
Post #1


Member
**
Posts: 13
OS: xp
I HA the red screen that looked lik a biohazard and said somethng like "yur computer is infected" i have run SmitfraudFix in safe mode. it seem 80% hasbee cleaned up, the redbackgrond is gone, but i still have something infected i thnk. NAV or somethin actiig as NAV seems to attempt to email catches email. Also now i cannot rn a scanfrom Sym Client Security the error is "could not start scan. Scan engine returned error 0x20000058"

not sure where to look now, this is a wrk client but setupat home this te Sym clint security.

here i the hijacktis log. and the smit log. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:38 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 5933 bytes

Smit log..................

SmitFraudFix v2.320

Scan done at 19:16:13.92, Mon 05/12/2008
Run from C:\Temp\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"

[HKEY_CLASSES_ROOT\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\system32\jfiehayd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\system32\jfiehayd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\BIGDAD~1\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\BIGDAD~1\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\BIGDAD~1\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G PCI Network Adapter with SpeedBooster - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{27F85A62-A0AF-48C7-97BE-8B25AD35A47F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{27F85A62-A0AF-48C7-97BE-8B25AD35A47F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C5AF49A2-94F3-42BD-F434-2604812C897D}"="jhsf8d984jief8dsfus98jkefn"

[HKEY_CLASSES_ROOT\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\system32\jfiehayd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\system32\jfiehayd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End
Go to the top of the page
 
+Quote Post
Mike
post May 15 2008, 01:35 PM
Post #2


Malware Monger
Group Icon
Posts: 1,628
OS: XP Professional SP3
Hi there aa2,

Please follow my instructions in the order they were given, if you come across something you don't understand or don't feel comfortable doing, don't hesitate to ask and I will get you sorted out thumbsup.gif

Preparation

I will need you to temporarily disable Windows Defender as it could prevent us from making the fixes we need to your computer.

Windows Defender

1. Click on "Tools"
2. Click on "General Settings"
3. Scroll down to "Real-time protection options"
4. Uncheck "Turn on Real-time protection (recommended)"
5. Click "Save"

Your Java is outdated, let's update it now.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Step 1. Fixes

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll

Now please close all open windows except HJT and press "Fix checked".

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step 2. Running MalwareByte's Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 3. Deckards' System Scanner

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Note:These logs may be too large to post in one reply, if so, please post extra.txt in a seperate reply.

In your next reply

Please post the log from vundofix.
Please post the log from MalwareBytes' Anti-Malware.
Please post main.txt and extra.txt from Deckards' System Scanner.

If the logs are too big to fit in only post, please spread them over multiple replies.
Go to the top of the page
 
+Quote Post
aa2
post May 15 2008, 07:40 PM
Post #3


Member
**
Posts: 13
OS: xp
hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:42 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a0c681e5] rundll32.exe "C:\WINDOWS\system32\kjymrfag.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 6777 bytes
Go to the top of the page
 
+Quote Post
aa2
post May 15 2008, 07:42 PM
Post #4


Member
**
Posts: 13
OS: xp
vundo..


VundoFix V7.0.3

Scan started at 8:50:28 PM 5/15/2008

Listing files found while scanning....

No infected files were found.



mbAM LOG.....
Malwarebytes' Anti-Malware 1.12
Database version: 753

Scan type: Quick Scan
Objects scanned: 45733
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccaBQIa.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\kjymrfag.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\fccbXqOF.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4bc01f09-e5c6-452a-a2dc-e7377f7f592d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bc01f09-e5c6-452a-a2dc-e7377f7f592d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.amo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.ohb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.momo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9ab28fa-ed73-4e5e-ba11-0925d85120d1} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9ab28fa-ed73-4e5e-ba11-0925d85120d1} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccbxqof (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{052c54a4-6cb7-426c-bb6c-c4bd98786e40} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0c681e5 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b9ab28fa-ed73-4e5e-ba11-0925d85120d1} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccabqia -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccabqia -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antivirus 2008 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008 (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Application Data\Antivirus (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ewxibkpr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rpkbixwe.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccaBQIa.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\aIQBaccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aIQBaccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjymrfag.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gafrmyjk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccbXqOF.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zachary\Local Settings\Temporary Internet Files\Content.IE5\ZUYS0SUA\hctp[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008\Antvrs.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\MalWarrior 2008\Malwarrior.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Addy\Local Settings\Temp\csrssc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\fvowketqeoq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zachary\Local Settings\Temp\csrssc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zach\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\My Mom\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

MAIN TXT....
Deckard's System Scanner v20071014.68
Run by Big Daddy on 2008-05-15 21:37:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-16 01:37:22 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-15 21:38:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Temp\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/3/9...heckControl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1166555549453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe


--
End of file - 8115 bytes

-- HijackThis Fixed Entries (C:\\backups\) -------------------------------------

backup-20080512-185436-337 O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S1 yzbgqap - c:\windows\system32\yzbgqap.sys
S3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
S3 JL2005 (JL2005A Toy Camera) - c:\windows\system32\drivers\toywdm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-15 21:38:06 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-05-15 15:57:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 21:07:42 0 d-------- C:\Documents and Settings\Big Daddy\Application Data\Malwarebytes
2008-05-15 21:07:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 21:07:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-15 20:50:28 0 d-------- C:\VundoFix Backups
2008-05-15 20:41:40 0 d-------- C:\Program Files\Common Files\Java
2008-05-15 20:24:14 0 d-------- C:\Documents and Settings\Big Daddy\.SunDownloadManager
2008-05-15 20:23:58 0 d-------- C:\Documents and Settings\Big Daddy\Application Data\Sun
2008-05-15 20:17:10 91264 -----n--- C:\WINDOWS\system32\kjymrfag.dll
2008-05-15 20:16:36 0 d-------- C:\Documents and Settings\Big Daddy\Application Data\Google
2008-05-13 18:36:47 0 d-------- C:\Documents and Settings\Addy\Application Data\Google
2008-05-13 15:52:04 0 d-------- C:\Documents and Settings\Zachary\Application Data\Google
2008-05-13 15:51:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-05-13 15:50:56 0 d-------- C:\Program Files\Google
2008-05-13 15:28:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-05-13 09:29:55 0 d-------- C:\Documents and Settings\Zachary\Application Data\Macromedia
2008-05-13 09:29:32 0 d-------- C:\Documents and Settings\Zachary\Application Data\Adobe
2008-05-12 21:33:07 0 d-------- C:\Documents and Settings\Zachary\Application Data\Apple Computer
2008-05-12 21:10:46 0 d-------- C:\Documents and Settings\Zachary\Application Data\ATI
2008-05-12 21:10:44 0 d-------- C:\Documents and Settings\Zachary\Application Data\Sonic
2008-05-12 21:10:16 0 d-------- C:\Documents and Settings\Zachary\Application Data\Identities
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\Templates
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\Start Menu
2008-05-12 21:09:55 0 dr-h----- C:\Documents and Settings\Zachary\SendTo
2008-05-12 21:09:55 0 dr-h----- C:\Documents and Settings\Zachary\Recent
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\PrintHood
2008-05-12 21:09:55 1310720 --ah----- C:\Documents and Settings\Zachary\NTUSER.DAT
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\NetHood
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\My Documents
2008-05-12 21:09:55 0 d--h----- C:\Documents and Settings\Zachary\Local Settings
2008-05-12 21:09:55 0 dr------- C:\Documents and Settings\Zachary\Favorites
2008-05-12 21:09:55 0 d-------- C:\Documents and Settings\Zachary\Desktop
2008-05-12 21:09:55 0 d--hs---- C:\Documents and Settings\Zachary\Cookies
2008-05-12 21:09:55 0 dr-h----- C:\Documents and Settings\Zachary\Application Data
2008-05-12 21:09:55 0 d---s---- C:\Documents and Settings\Zachary\Application Data\Microsoft
2008-05-12 18:57:23 1974 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-12 18:54:36 0 d-------- C:\backups
2008-05-12 09:39:38 0 d-------- C:\Documents and Settings\My Mom\Application Data\TmpRecentIcons
2008-05-11 20:18:23 0 d-------- C:\Documents and Settings\Administrator.SHUTTLEXP\Application Data\Macromedia
2008-05-11 20:17:56 0 d-------- C:\Documents and Settings\Administrator.SHUTTLEXP\Application Data\Adobe
2008-05-11 18:18:01 0 d-------- C:\Documents and Settings\Big Daddy\Application Data\TmpRecentIcons
2008-05-11 18:08:50 0 d-------- C:\WINDOWS\pss
2008-05-11 17:29:08 320640 -----n--- C:\WINDOWS\system32\fccaBQIa.dll
2008-05-11 17:27:29 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-11 17:24:09 0 d-------- C:\Documents and Settings\Zach\Application Data\TmpRecentIcons
2008-05-10 23:53:09 0 --a------ C:\WINDOWS\system32\yzbgqap.sys
2008-05-10 23:52:51 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-10 23:52:47 29312 -----n--- C:\WINDOWS\system32\fccbXqOF.dll
2008-05-10 10:32:25 0 d-------- C:\Documents and Settings\My Mom\Application Data\Help


-- Find3M Report ---------------------------------------------------------------

2008-05-15 21:35:10 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-15 20:42:28 0 d-------- C:\Program Files\Java
2008-05-15 20:41:40 0 d-------- C:\Program Files\Common Files
2008-05-13 09:35:59 0 d-------- C:\Program Files\Dl_cats
2008-05-10 23:53:05 577536 --a------ C:\WINDOWS\system32\user32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 01:04:32 0 d-------- C:\Program Files\iTunes
2008-04-13 01:04:20 0 d-------- C:\Program Files\iPod
2008-04-13 01:03:05 0 d-------- C:\Program Files\QuickTime
2008-02-16 04:02:07 0 --a------ C:\WINDOWS\ativpsrm.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [03/27/2003 04:34 AM C:\WINDOWS\SOUNDMAN.EXE]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 02:01 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 10:21 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 08:27 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [04/22/2005 09:45 AM]
"DLBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [11/09/2004 06:41 PM]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [05/10/2006 11:12 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 08:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [10/24/2003 12:37:56 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-05-15 21:39:15 ------------


EXTRA TXT....
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 24%
Physical Memory (total/avail): 2047.48 MiB / 1551.09 MiB
Pagefile Memory (total/avail): 3945.99 MiB / 3519.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 40 GiB total, 7.41 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 109.05 GiB total, 85.46 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600JD-55FYB0 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 40 GiB - C:
\PARTITION1 - Installable File System - 109.05 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\dlbtcoms.exe"="C:\\WINDOWS\\system32\\dlbtcoms.exe:*:Enabled:Dell_922 Server"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\DLBTPSWX.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\DLBTPSWX.EXE:*:Enabled:Dell_922 Printer Status"
"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe:*:Enabled:Age of Empires"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"E:\\Rome - Total War\\RomeTW.exe"="E:\\Rome - Total War\\RomeTW.exe:*:Enabled:Rome: Total War"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Big Daddy\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHUTTLEXP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Big Daddy
LOGONSERVER=\\SHUTTLEXP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Sonic Shared;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\BIGDAD~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\BIGDAD~1\LOCALS~1\Temp
USERDOMAIN=SHUTTLEXP
USERNAME=Big Daddy
USERPROFILE=C:\Documents and Settings\Big Daddy
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Big Daddy (admin)
Zach (admin)
Addy (admin)
My Mom (admin)
Zachary (admin)
Administrator.SHUTTLEXP (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
--> MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 6.0.1 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{5BF7C81A-DA3B-4DCD-A64C-604862BD6932}
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVIVO Codecs --> MsiExec.exe /X{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}
Barbarian Invasion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}\setup.exe" -l0x9
Broadcom Gigabit Integrated Controller --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9}
City of Villains/City of Heroes (remove only) --> "e:\Zach\My Documents\LimeWire\City of Heroes\uninstall.exe"
Dell Photo AIO Printer 922 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBTUNST.EXE -NOLICENSE
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Greetings Workshop --> C:\Program Files\Greetings Workshop\SETUP\setup.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Big Daddy\Local Settings\Temp\wzb1ad\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Jasc Paint Shop Pro 8 --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Linksys Wireless-G PCI Network Adapter with SpeedBooster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EAE4A00B-D290-4B65-8287-B82A80FC0619}\setup.exe" -l0x9
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Age of Empires --> C:\Program Files\Microsoft Games\Age of Empires\Uninstal.exe /uninstall
Microsoft Flight Simulator X --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9527A496-5DF9-412A-ADC7-168BA5379CA6}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1 --> "C:\WINDOWS\$NtUninstallWdf01001$\spuninst\spuninst.exe"
Microsoft MapPoint North America 2006 --> MsiExec.exe /I{83ED1E80-A1B7-4246-BCF1-AC4A88151A6B}
Microsoft Money 2004 --> MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Money 2004 System Pack --> MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\setupx.exe /uninstall ExtraUninstallID=""
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Rome - Total War --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51D386C4-0227-46A9-AC45-61F0A50E7AFF}\setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Sonic MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\setup.exe" -l0x9 -L0x9 /SMAINT
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
Update for Office 2007 (KB932080) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
Update for Office 2007 (KB934391) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B3091818-7C56-4C45-BE7D-CA23027A5EA5}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb949037) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B4F188C6-6DBF-42A5-A8A3-3086D1A384F2}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Update for Word 2007 (KB934173) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {C6A89125-5473-45E3-B413-ED8186437475}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type9240 / Error
Event Submitted/Written: 05/15/2008 09:15:08 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\DOCUME~1\MYMOM~1\LOCALS~1\TEMPOR~1\Content.IE5\JVKT92EG\HCTP_1~1 by: Auto-Protect scan. Action: Reboot Required. Action Description: The file was deleted successfully.

Event Record #/Type9239 / Error
Event Submitted/Written: 05/15/2008 09:14:37 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Trojan.Vundo in File: C:\Documents and Settings\My Mom\Local Settings\Temporary Internet Files\Content.IE5\JVKT92EG\hctp[1] by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. Action Description: The file was deleted successfully.

Event Record #/Type9238 / Error
Event Submitted/Written: 05/15/2008 09:14:37 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\DOCUME~1\MYMOM~1\LOCALS~1\TEMPOR~1\Content.IE5\JVKT92EG\HCTP_1~1 by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.

Event Record #/Type9223 / Error
Event Submitted/Written: 05/15/2008 09:01:28 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type9222 / Error
Event Submitted/Written: 05/15/2008 09:01:27 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application explorer.exe, version 6.0.2900.3156, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18168 / Warning
Event Submitted/Written: 05/15/2008 05:04:09 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type17810 / Warning
Event Submitted/Written: 05/12/2008 08:21:26 PM / 05/12/2008 08:21:53 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type17805 / Warning
Event Submitted/Written: 05/12/2008 07:31:04 PM
Event ID/Source: 57 / Disk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type17803 / Warning
Event Submitted/Written: 05/12/2008 07:16:22 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type17802 / Error
Event Submitted/Written: 05/12/2008 07:07:42 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-05-15 21:39:15 ------------



I THINK THATS ITS!!!
Go to the top of the page
 
+Quote Post
Mike
post May 16 2008, 08:36 AM
Post #5


Malware Monger
Group Icon
Posts: 1,628
OS: XP Professional SP3
Hi there aa2,

Please make sure that windows defender is still disabled for these fixes. I found a few more files that we need to take care of.

First off, I will need you to move Deckards' System Scanner, as it is currently located in a temporary location. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder DSS.
Now either re-download Deckards' System Scanner to that location, or move dss.exe from C:\temp to C:\DSS by dragging it to the folder.

Step 1. Making a Batch File

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following
QUOTE
@ECHO off
sc stop yzbgqap
sc delete yzbgqap
exit


In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.



Double click on fix.bat.

Step 2. Running OTMoveIt2

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    [kill explorer]
    C:\WINDOWS\system32\kjymrfag.dll
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\fccaBQIa.dll
    C:\WINDOWS\system32\yzbgqap.sys
    C:\WINDOWS\system32\kr_done1de
    C:\WINDOWS\system32\fccbXqOF.dll
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yzbgqap
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    [start explorer]

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step 3. Deckards' System Scanner

Please Re-run Deckards' System Scanner
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open one Notepad main.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt in your next reply.


In your next reply

Please post the log from OTMoveIt2, and main.txt from Deckards' System Scanner, no new Hijack This log please as DSS handles that for us.

If the logs are to big to fit in one reply please spread them out over multiple replies.

This post has been edited by Mike: May 16 2008, 08:37 AM
Go to the top of the page
 
+Quote Post
aa2
post May 17 2008, 09:41 AM
Post #6


Member
**
Posts: 13
OS: xp
OK here it is.

when i ran moveit, it complained about a few files not being there.

Explorer killed successfully
LoadLibrary failed for C:\WINDOWS\system32\kjymrfag.dll
C:\WINDOWS\system32\kjymrfag.dll NOT unregistered.
C:\WINDOWS\system32\kjymrfag.dll moved successfully.
C:\WINDOWS\system32\tmp.reg moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fccaBQIa.dll
C:\WINDOWS\system32\fccaBQIa.dll NOT unregistered.
C:\WINDOWS\system32\fccaBQIa.dll moved successfully.
C:\WINDOWS\system32\yzbgqap.sys moved successfully.
C:\WINDOWS\system32\kr_done1de moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fccbXqOF.dll
C:\WINDOWS\system32\fccbXqOF.dll NOT unregistered.
C:\WINDOWS\system32\fccbXqOF.dll moved successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yzbgqap >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yzbgqap\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\\ deleted successfully.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05172008_113705


AND HERE IS MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Big Daddy on 2008-05-17 11:38:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Big Daddy.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:58 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService