Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TR/VUNDO.GEN [RESOLVED]

Started by Mike R , Apr 27 2008 09:24 AM

  • This topic is locked This topic is locked

#1
Mike R
Posted 27 April 2008 - 09:24 AM

Mike R

    New Member

  • Member
  • Pip
  • 6 posts
AntiVir is picking up the specific instances in the WINNT/SYSTEM32 folder as well as the TEMPORARY INTERNET FILES/IE5 folder. Below are HJT and VirtumundoBeGone logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:17 AM, on 4/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
D:\program files\a-squared free\a2service.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02F2D039-E98A-4FDF-A2A1-13C339799879} - C:\WINNT\system32\ljJYPjih.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ISSHS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140929957520
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140930095799
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 8471 bytes

****************


[04/27/2008, 1:12:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Michael Rulison\Desktop\VirtumundoBeGone.exe" )
[04/27/2008, 1:12:50] - Detected System Information:
[04/27/2008, 1:12:50] - Windows Version: 5.0.2195, Service Pack 4
[04/27/2008, 1:12:50] - Current Username: Michael Rulison (Admin)
[04/27/2008, 1:12:50] - Windows is in SAFE mode.
[04/27/2008, 1:12:50] - Searching for Browser Helper Objects:
[04/27/2008, 1:12:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/27/2008, 1:12:50] - BHO 2: {1827766B-9F49-4854-8034-F6EE26FCB1EC} ()
[04/27/2008, 1:12:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:50] - No filename found. Continuing.
[04/27/2008, 1:12:50] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/27/2008, 1:12:50] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/27/2008, 1:12:50] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/27/2008, 1:12:50] - BHO 6: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} ()
[04/27/2008, 1:12:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:50] - Checking for HKLM\...\Winlogon\Notify\fccdbBrR
[04/27/2008, 1:12:50] - Found: HKLM\...\Winlogon\Notify\fccdbBrR - This is probably Virtumundo.
[04/27/2008, 1:12:50] - Assigning {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} MSEvents Object
[04/27/2008, 1:12:51] - BHO list has been changed! Starting over...
[04/27/2008, 1:12:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/27/2008, 1:12:51] - BHO 2: {1827766B-9F49-4854-8034-F6EE26FCB1EC} ()
[04/27/2008, 1:12:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:51] - No filename found. Continuing.
[04/27/2008, 1:12:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/27/2008, 1:12:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/27/2008, 1:12:51] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/27/2008, 1:12:51] - BHO 6: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} (MSEvents Object)
[04/27/2008, 1:12:51] - ALERT: Found MSEvents Object!
[04/27/2008, 1:12:51] - BHO 7: {D4BE979D-4385-4ED5-859B-9C62E6B65EC8} ()
[04/27/2008, 1:12:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:51] - Checking for HKLM\...\Winlogon\Notify\ljJYPjih
[04/27/2008, 1:12:51] - Key not found: HKLM\...\Winlogon\Notify\ljJYPjih, continuing.
[04/27/2008, 1:12:51] - BHO 8: {E3215F20-3212-11D6-9F8B-00D0B743919D} ()
[04/27/2008, 1:12:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:51] - No filename found. Continuing.
[04/27/2008, 1:12:51] - Finished Searching Browser Helper Objects
[04/27/2008, 1:12:51] - *** Detected MSEvents Object
[04/27/2008, 1:12:51] - Trying to remove MSEvents Object...
[04/27/2008, 1:12:52] - Terminating Process: IEXPLORE.EXE
[04/27/2008, 1:12:53] - Terminating Process: RUNDLL32.EXE
[04/27/2008, 1:12:53] - Disabling Automatic Shell Restart
[04/27/2008, 1:12:53] - Terminating Process: EXPLORER.EXE
[04/27/2008, 1:12:53] - Suspending the NT Session Manager System Service
[04/27/2008, 1:12:54] - Terminating Windows NT Logon/Logoff Manager
[04/27/2008, 1:12:54] - Re-enabling Automatic Shell Restart
[04/27/2008, 1:12:54] - File to disable: C:\WINNT\system32\fccdbBrR.dll
[04/27/2008, 1:12:54] - Renaming C:\WINNT\system32\fccdbBrR.dll -> C:\WINNT\system32\fccdbBrR.dll.vir
[04/27/2008, 1:12:54] - File successfully renamed!
[04/27/2008, 1:12:54] - Removing HKLM\...\Browser Helper Objects\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/27/2008, 1:12:54] - Removing HKCR\CLSID\{D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/27/2008, 1:12:54] - Adding Kill Bit for ActiveX for GUID: {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F}
[04/27/2008, 1:12:54] - Deleting ATLEvents/MSEvents Registry entries
[04/27/2008, 1:12:54] - Removing HKLM\...\Winlogon\Notify\fccdbBrR
[04/27/2008, 1:12:54] - Searching for Browser Helper Objects:
[04/27/2008, 1:12:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/27/2008, 1:12:54] - BHO 2: {1827766B-9F49-4854-8034-F6EE26FCB1EC} ()
[04/27/2008, 1:12:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:55] - No filename found. Continuing.
[04/27/2008, 1:12:55] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/27/2008, 1:12:55] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/27/2008, 1:12:55] - BHO 5: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[04/27/2008, 1:12:55] - BHO 6: {D4BE979D-4385-4ED5-859B-9C62E6B65EC8} ()
[04/27/2008, 1:12:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:55] - Checking for HKLM\...\Winlogon\Notify\ljJYPjih
[04/27/2008, 1:12:55] - Key not found: HKLM\...\Winlogon\Notify\ljJYPjih, continuing.
[04/27/2008, 1:12:55] - BHO 7: {E3215F20-3212-11D6-9F8B-00D0B743919D} ()
[04/27/2008, 1:12:55] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/27/2008, 1:12:55] - No filename found. Continuing.
[04/27/2008, 1:12:55] - Finished Searching Browser Helper Objects
[04/27/2008, 1:12:55] - Finishing up...
[04/27/2008, 1:12:55] - A restart is needed.
[04/27/2008, 1:13:04] - Attempting to Restart via STOP error (Blue Screen!)

************

Thanks,
Mike
  • 0

Advertisements

#2
Essexboy
Posted 27 April 2008 - 09:59 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi lets see what I can do :)

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.



Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {02F2D039-E98A-4FDF-A2A1-13C339799879} - C:\WINNT\system32\ljJYPjih.dll
O2 - BHO: (no name) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINNT\system32\ljJYPjih.dll
Purity
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3
Mike R
Posted 27 April 2008 - 01:37 PM

Mike R

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for your assistance.

Ran HJT as requested to remove 3 objects.

Ran OTMoveIt2 as requested. Files could not seem to be moved (see log below). Rebooted as requested by OTMoveIt2, and upon reboot a log was produced (see below).

Ran DSS. Both requested files below.

****************
DllUnregisterServer procedure not found in C:\WINNT\system32\ljJYPjih.dll
C:\WINNT\system32\ljJYPjih.dll NOT unregistered.
File move failed. C:\WINNT\system32\ljJYPjih.dll scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_145732
****************
DllUnregisterServer procedure not found in C:\WINNT\system32\ljJYPjih.dll
C:\WINNT\system32\ljJYPjih.dll NOT unregistered.
File move failed. C:\WINNT\system32\ljJYPjih.dll scheduled to be moved on reboot.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_145732

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINNT\system32\ljJYPjih.dll
C:\WINNT\system32\ljJYPjih.dll NOT unregistered.
File move failed. C:\WINNT\system32\ljJYPjih.dll scheduled to be moved on reboot.
****************
Deckard's System Scanner v20071014.68
Run by Michael Rulison on 2008-04-27 15:15:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Michael Rulison.exe) -------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:17 PM, on 4/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\program files\a-squared free\a2service.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
D:\SmartDraw 7\Messages\SDNotify.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Michael Rulison\Desktop\dss.exe
D:\PROGRA~1\HIJACK~1\Michael Rulison.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D8E4D0D-581D-4C8E-820F-5CDA0F9B3A64} - C:\WINNT\system32\ljJYPjih.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ISSHS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140929957520
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140930095799
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 8127 bytes

-- HijackThis Fixed Entries (D:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20060524-174450-960 O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
backup-20080427-140529-373 O2 - BHO: (no name) - {02F2D039-E98A-4FDF-A2A1-13C339799879} - C:\WINNT\system32\ljJYPjih.dll
backup-20080427-140543-422 O2 - BHO: (no name) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - (no file)
backup-20080427-140543-551 O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
backup-20080427-145427-591 O2 - BHO: (no name) - {A7993BAF-9C90-4303-8CA9-920DA215AFA8} - C:\WINNT\system32\ljJYPjih.dll

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "D:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\winnt\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R1 AFS2K - c:\winnt\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 Cdudf - c:\winnt\system32\drivers\cdudf.sys <Not Verified; Adaptec; DirectCD>
R1 hpcd2k - c:\winnt\system32\drivers\hpcd2k.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R1 pwd_2K - c:\winnt\system32\drivers\pwd_2k.sys <Not Verified; Adaptec; DirectCD>
R1 UdfReadr - c:\winnt\system32\drivers\udfreadr.sys <Not Verified; Adaptec; UDF Reader Driver>
R3 mmc_2K - c:\winnt\system32\drivers\mmc_2k.sys <Not Verified; Adaptec; DirectCD>

S0 szkg - c:\winnt\system32\drivers\szkg.sys (file missing)
S3 Eplpdx02 - c:\winnt\system32\drivers\eplpdx02.sys <Not Verified; MK Systems CO., LTD.; MK Systems LPT I/O Driver for Windows2000>
S3 PLCNDIS5 (PLCNDIS5 NDIS Protocol Driver) - c:\winnt\system32\plcndis5.sys <Not Verified; Intellon, Inc.; PCAUSA Rawether for Windows>
S3 SCPNDIS5 (SCPNDIS5 NDIS Protocol Driver) - c:\program files\netgear wgx102 configuration utility\scpndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 TIEHDUSB - c:\winnt\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; AntiVir Workstation>
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 ScReadSpool (SolidPDFConverterReadSpool) - d:\program files\soliddocuments\solidconverterpdf\scpdf\solidpdfservice.exe <Not Verified; VoyagerSoft, LLC; Solid Converter PDF>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SMC EZ Card 10/100 (SMC1244TX V2)
Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_EC021113&REV_11\2&EBB567F&0&60
Manufacturer: SMC
Name: SMC EZ Card 10/100 (SMC1244TX V2)
PNP Device ID: PCI\VEN_1317&DEV_0985&SUBSYS_EC021113&REV_11\2&EBB567F&0&60
Service: FastNIC

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ROOT\*PNP0501\1_0_17_2_0_0
Manufacturer: (Standard port types)
Name: Communications Port (COM3)
PNP Device ID: ROOT\*PNP0501\1_0_17_2_0_0
Service: Serial


-- Scheduled Tasks -------------------------------------------------------------

2008-04-27 15:14:31 432 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2008-04-27 15:07:26 458 --a------ C:\WINNT\Tasks\SDMsgUpdate (SD).job
2008-04-07 18:24:33 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-27 and 2008-04-27 -----------------------------

2008-04-27 01:04:19 829844 ---h----- C:\WINNT\ShellIconCache
2008-04-26 23:30:29 0 d-------- C:\VundoFix Backups
2008-04-26 22:33:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_41c.dat
2008-04-26 22:33:29 527795 --ahs---- C:\WINNT\system32\hijPYJjl.ini2
2008-04-26 22:33:23 283136 --a------ C:\WINNT\system32\ljJYPjih.dll
2008-04-13 12:32:21 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 11:56:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-07 18:24:31 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_434.dat
2008-04-04 19:08:05 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-04 19:07:39 4212 --ah----- C:\WINNT\system32\zllictbl.dat
2008-04-04 19:07:11 11264 --a------ C:\WINNT\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2008-04-04 19:04:46 0 d-a------ C:\WINNT\system32\ZoneLabs
2008-04-04 19:03:26 0 d-a------ C:\WINNT\Internet Logs


-- Find3M Report ---------------------------------------------------------------

2008-04-22 21:53:31 0 d-------- C:\Documents and Settings\Michael Rulison\Application Data\SolidDocuments
2008-04-20 11:06:35 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-20 11:06:19 0 d-------- C:\Program Files\Symantec
2008-04-20 11:04:04 0 d-a------ C:\Program Files\Common Files
2008-04-13 11:54:57 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 11:50:30 0 d-------- C:\Documents and Settings\Michael Rulison\Application Data\Lavasoft
2008-03-22 11:02:33 0 d-------- C:\Program Files\Java
2008-03-07 00:28:07 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3c4.dat
2008-02-17 16:18:35 453 --a------ C:\WINNT\PowerReg.dat
2008-02-09 15:55:11 3460 --a------ C:\WINNT\unins000.dat
2008-02-09 15:54:02 691545 --a------ C:\WINNT\unins000.exe
2008-02-09 15:23:34 1 --a------ C:\WINNT\system32\FlashPaper2PrinterPort


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8E4D0D-581D-4C8E-820F-5CDA0F9B3A64}]
04/26/08 10:33p 283136 --a------ C:\WINNT\system32\ljJYPjih.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/04 05:59p]
"Adaptec DirectCD"="C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe" [03/22/06 12:35p]
"HP CD-Writer"="C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe" [10/12/00 12:14a]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [04/16/08 08:23p]
"EPSON Stylus Photo 820 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [04/10/02 04:00a]
"Synchronization Manager"="mobsync.exe" [06/19/03 04:05p C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/08 11:11p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [03/21/05 03:13p C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/27/07 08:21p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Michael Rulison\Start Menu\Programs\Startup\
ISSHS.exe [5/22/2007 4:19:13 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=0 (0x0)
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll 06/26/06 05:12p 14120 C:\WINNT\system32\WcesWlgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\ljJYPjih

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 localhost #***Inserted By STOPzilla***
127.0.0.1 0websearch.com # ***Inserted By STOPzilla***
127.0.0.1 2005-search.com # ***Inserted By STOPzilla***
127.0.0.1 600pics.com # ***Inserted By STOPzilla***
127.0.0.1 a1.interclick.com # ***Inserted By STOPzilla***
127.0.0.1 absolutepics.net # ***Inserted By STOPzilla***
127.0.0.1 ad.yieldmanager.com # ***Inserted By STOPzilla***
127.0.0.1 alex.fileburst.com # ***Inserted By STOPzilla***
127.0.0.1 all-tgp.org # ***Inserted By STOPzilla***
127.0.0.1 all-websearch.com # ***Inserted By STOPzilla***

149 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-27 15:20:27 ------------

****************
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 85%
Physical Memory (total/avail): 383.55 MiB / 56.96 MiB
Pagefile Memory (total/avail): 945.05 MiB / 605.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1981.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 6 GiB total, 0.95 GiB free.
D: is Fixed (FAT32) - 27.93 GiB total, 21.8 GiB free.
E: is Removable (No Media)
F: is CDROM (No Media)
G: is CDROM (Unformatted)
H: is Removable (FAT)

\\.\PHYSICALDRIVE0 - WDC AC36400L - 6.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 6 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD300BB-00AUA1 - 27.95 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 27.95 GiB - D:

\\.\PHYSICALDRIVE2 - IOMEGA ZIP 100 SCSI Disk Device

\\.\PHYSICALDRIVE3 - 128MB HardDrive USB Device - 117.66 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 124.73 MiB - H:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Michael Rulison\Application Data
CLASSPATH=.;D:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MRULISON-HOME
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Michael Rulison
LOGONSERVER=\\MRULISON-HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;D:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=D:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MRULISON-HOME
USERNAME=Michael Rulison
USERPROFILE=C:\Documents and Settings\Michael Rulison
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Michael Rulison (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
a-squared Free 2.0 --> "D:\Program Files\a-squared Free\unins000.exe"
a-squared HiJackFree 3.0 --> "D:\Program Files\a-squared HiJackFree\unins000.exe"
Acerose Password Vault --> D:\PROGRA~1\ACEROSE\UNINSTAL.EXE D:\PROGRA~1\ACEROSE\INSTALL.LOG
Active Desktop Calendar 6.1 --> "D:\Program Files\XemiComputers\Active Desktop Calendar\unins000.exe"
Active Ports --> C:\WINNT\unvise32.exe D:\Program Files\Active Ports\uninstal.log
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adaptec DirectCD --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Adaptec\DirectCD\DCDUnins.isu" -cC:\PROGRA~1\HPCD-W~1\DirectCD\Dcduhlp.dll
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AMP Calendar --> "D:\Program Files\AMP Calendar\uninstall.exe"
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AOL Instant Messenger --> D:\Program Files\AIM\uninstll.exe -LOG= D:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft PhotoImpression 3.0 --> C:\WINNT\IsUninst.exe -f"D:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
Audacity 1.2.6 --> "D:\Program Files\Audacity\unins000.exe"
Avery Wizard 3.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{6B10045E-6789-49C4-BFED-52575F5B76BF}
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
CCleaner (remove only) --> "D:\Program Files\CCleaner\uninst.exe"
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Chikrii Softlab TeX2Word --> C:\Program Files\TeX2Word\uninstall.exe
Citrix Presentation Server Client - Web Only --> MsiExec.exe /X{23E8D2D6-F7C8-4A35-816C-6C914EE0A601}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative PCI Audio Drivers --> C:\PROGRA~1\Creative\Audio\CTSetup\ctsetup.exe -u -3
EasyCleaner --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
EPSON Printer Software --> C:\WINNT\system32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt --> MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
Free Window Registry Repair --> D:\PROGRA~1\FREEWI~1\UNWISE.EXE D:\PROGRA~1\FREEWI~1\INSTALL.LOG
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
Graphmatica --> D:\Program Files\Graphmatica\uninstall.exe
HandWallet --> D:\Program Files\Microsoft ActiveSync\HandWallet\Uninstall.exe HandWallet
HijackThis 2.0.2 --> "D:\Program Files\HiJackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
HP CD-Writer --> C:\Program Files\HP CD-Writer\hpremove.exe
HP Photo and Imaging 1.0 - Scanjet 3500c Series --> MsiExec.exe /I{B8E952E3-A823-443A-8493-39A0CCE0E3EB}
HP Simple Backup 4.2 (OEM) --> C:\WINNT\IsUninst.exe -f"C:\Program Files\HP CD-Writer\HP Simple Backup\DeIsL1.isu" -cC:\PROGRA~1\HPCD-W~1\HPSIMP~1\System\UNINST.DLL
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
iTunes --> MsiExec.exe /I{ABCE1C63-56ED-41FF-BEAF-57321F70DC49}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Juice 2.2 --> D:\Program Files\Juice\uninst.exe
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_460007_1f334fe0\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LADSPA_plugins-win-0.4.15 --> "D:\Program Files\Audacity\Plug-Ins\unins000.exe"
LimeWire 4.12.11 --> "D:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8 --> MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Macromedia FlashPaper 2 --> MsiExec.exe /X{F977FD4B-C9A6-4BAA-B4BB-DE3023288253}
MathType 5 --> "D:\Program Files\MathType\Setup.exe" -R
Messier --> D:\Program Files\Messier\uninstall.exe
MetaFrame Presentation Server Web Client for Win32 --> C:\WINNT\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
MSXML 4.0 SP2 (KB925672) --> MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MyCD 2.5 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\HP CD-Writer\HP MyCD\DeIsL1.isu" -cC:\PROGRA~1\HPCD-W~1\HPMYCD~1\System\UNINST.DLL
NETGEAR XE102 Powerline Ethernet Adapter --> MsiExec.exe /X{AF79DFD1-04C2-4CE5-9C8F-F60CA3CF01A7}
NightCal 0.7.2a --> "D:\Program Files\NightCal\uninstall.exe"
Norton WMI Update --> MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
pdfFactory Pro --> C:\WINNT\system32\spool\DRIVERS\W32X86\3\fppinst2.exe /uninstall
Pixie 3.1 (remove only) --> "D:\Program Files\Nattyware\Pixie\uninstall.exe"
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic 5.2 --> "D:\Program Files\Registry Mechanic\unins000.exe"
Scientific Notebook --> C:\WINNT\uninst.exe -fd:\scinotebook\DeIsL2.isu
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
ShortKeys Lite --> D:\PROGRA~1\SHORTK~1\UNWISE.EXE D:\PROGRA~1\SHORTK~1\INSTALL.LOG
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SmartDraw 7 --> D:\SMARTD~2\UNWISE.EXE D:\SMARTD~2\install.log
SolidConverterPDF --> MsiExec.exe /I{9BC76CCE-A9EC-4A3A-9B51-D823805E1D1F}
Sound Blaster PCI128 Drivers Online Help --> C:\WINNT\IsUninst.exe -f"C:\Program Files\CREATIVE\AUDIO\HELP\SBPCIDRV.isu"
Spybot - Search & Destroy --> "D:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINNT\unins000.exe"
SpywareBlaster 4.0 --> "D:\Program Files\SpywareBlaster\unins000.exe"
SymmTime --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE33741B-7899-4938-A3C0-E1CBC116F6A3}\Setup.exe"
Tetris --> "D:\Program Files\Tetris\unins000.exe"
TI CellSheet Converter --> MsiExec.exe /I{A33D4D1A-6577-47EB-94B8-CAF0FE2E5A26}
TI Connect 1.6 --> MsiExec.exe /I{A8B94669-8654-4126-BD28-D0D2412CDED6}
TI Package Explorer --> MsiExec.exe /I{8A6B2F1E-6CC8-4C32-8655-8555268C5380}
Time Zone Data Update Tool for Microsoft Office Outlook --> MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
TurboTax Deluxe 2005 --> D:\Program Files\TurboTax\Deluxe 2005\TaxUnst.EXE "D:\Program Files\TurboTax\Deluxe 2005\Uninstall.log" -NoGui
TurboTax Deluxe 2007 --> D:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "D:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
TurboTax Deluxe Deduction Maximizer 2006 --> D:\Program Files\TurboTax\Deluxe 2006\TaxUnst.EXE "D:\Program Files\TurboTax\Deluxe 2006\Uninstall.log" -NoGui
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Weather Pulse 2.05 build 28 --> "D:\Program Files\Weather Pulse\unins000.exe"
Weather Watcher --> "D:\Program Files\Weather Watcher\unins000.exe"
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
WGX102 Configuration Utility --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Netgear WGX102 Configuration Utility\Uninst.isu"
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Install Manager --> C:\WINNT\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
ZoneAlarm --> D:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type7400 / Warning
Event Submitted/Written: 04/27/2008 00:39:53 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINNT\system32\ljJYPjih.dll

Event Record #/Type7399 / Warning
Event Submitted/Written: 04/27/2008 00:39:48 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINNT\system32\ljJYPjih.dll

Event Record #/Type7398 / Warning
Event Submitted/Written: 04/27/2008 00:38:49 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINNT\system32\ljJYPjih.dll

Event Record #/Type7397 / Warning
Event Submitted/Written: 04/27/2008 00:38:44 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINNT\system32\ljJYPjih.dll

Event Record #/Type7396 / Warning
Event Submitted/Written: 04/27/2008 00:38:38 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Vundo.GenC:\WINNT\system32\ljJYPjih.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type13008 / Error
Event Submitted/Written: 04/27/2008 03:07:39 PM / 04/27/2008 03:07:40 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg

Event Record #/Type13004 / Error
Event Submitted/Written: 04/27/2008 03:03:53 PM / 04/27/2008 03:04:56 PM
Event ID/Source: 36 / Serial
Event Description:
While validating that \Device\Serial1 was really a serial port, the contents of the divisor latch register was identical to the interrupt enable and the receive registers.
The device is assumed not to be a serial port and will be deleted.

Event Record #/Type13001 / Error
Event Submitted/Written: 04/27/2008 02:42:46 PM / 04/27/2008 02:42:52 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg

Event Record #/Type12997 / Error
Event Submitted/Written: 04/27/2008 02:39:27 PM / 04/27/2008 02:40:27 PM
Event ID/Source: 36 / Serial
Event Description:
While validating that \Device\Serial1 was really a serial port, the contents of the divisor latch register was identical to the interrupt enable and the receive registers.
The device is assumed not to be a serial port and will be deleted.

Event Record #/Type12984 / Error
Event Submitted/Written: 04/27/2008 02:20:09 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
szkg



-- End of Deckard's System Scanner: finished at 2008-04-27 15:20:27 ------------

*********************
  • 0

#4
Essexboy
Posted 27 April 2008 - 03:25 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
It's one of those stubborn ones again :) During the Combofix portion you will lose your desktop for a while

Download and run ERUNT http://www.larsheder...nline.de/erunt/

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registy: .

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop Posted Image

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
szkg

File::
c:\winnt\system32\drivers\szkg.sys 
C:\WINNT\system32\hijPYJjl.ini2
C:\WINNT\system32\ljJYPjih.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D8E4D0D-581D-4C8E-820F-5CDA0F9B3A64}]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
Mike R
Posted 27 April 2008 - 04:55 PM

Mike R

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
OK - requested tasks completed. Here are the logs:

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

ComboFix 08-04-26.5 - Michael Rulison 04/27/2008 18:16:36.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Documents and Settings\Michael Rulison\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael Rulison\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\drivers\szkg.sys
C:\WINNT\system32\hijPYJjl.ini2
C:\WINNT\system32\ljJYPjih.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER\desktopA.sys
C:\WINNT\Downloaded Program Files\ODCTOOLS
C:\WINNT\system32\dllcache\spoolsv.exe
C:\WINNT\system32\hijPYJjl.ini
C:\WINNT\system32\hijPYJjl.ini2
C:\WINNT\system32\ljJYPjih.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SZKG
-------\Service_szkg


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 17:59 . 08-04-27 18:00 <DIR> d-------- C:\Program Files\ERUNT
2008-04-27 15:14 . 08-04-27 15:14 <DIR> d-------- C:\Deckard
2008-04-27 14:11 . 08-04-27 14:11 <DIR> d-------- C:\_OTMoveIt
2008-04-27 01:04 . 08-04-27 15:01 829,844 ---h----- C:\WINNT\ShellIconCache
2008-04-26 23:30 . 08-04-26 23:30 <DIR> d-------- C:\VundoFix Backups
2008-04-24 22:40 . 08-04-24 22:40 40,448 --a------ C:\WINNT\system32\fccdbBrR.dll.vir
2008-04-13 12:32 . 08-04-13 12:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 11:56 . 08-04-13 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-04 19:08 . 08-04-04 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-04 19:07 . 08-03-13 23:11 75,248 --a------ C:\WINNT\zllsputility.exe
2008-04-04 19:07 . 04-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-04-04 19:07 . 08-04-04 19:11 4,212 --ah----- C:\WINNT\system32\zllictbl.dat
2008-04-04 19:04 . 08-04-04 19:07 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2008-04-04 19:04 . 08-03-13 23:11 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-04-04 19:04 . 08-04-27 18:35 352,918 --a------ C:\WINNT\system32\vsconfig.xml
2008-04-04 19:03 . 08-04-27 18:35 <DIR> d-a------ C:\WINNT\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 05:13 1,439,232 ----a-w C:\WINNT\Internet Logs\xDB17.tmp
2008-04-27 05:05 64,512 ----a-w C:\WINNT\Internet Logs\xDB15.tmp
2008-04-27 05:05 1,436,160 ----a-w C:\WINNT\Internet Logs\xDB16.tmp
2008-04-23 01:54 94,720 ----a-w C:\WINNT\Internet Logs\xDB14.tmp
2008-04-23 01:53 --------- d-----w C:\Documents and Settings\Michael Rulison\Application Data\SolidDocuments
2008-04-20 15:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 15:06 --------- d-----w C:\Program Files\Symantec
2008-04-20 15:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-20 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-20 03:16 58,368 ----a-w C:\WINNT\Internet Logs\xDB13.tmp
2008-04-19 03:07 36,352 ----a-w C:\WINNT\Internet Logs\xDB12.tmp
2008-04-18 03:44 54,272 ----a-w C:\WINNT\Internet Logs\xDB10.tmp
2008-04-18 03:44 1,409,536 ----a-w C:\WINNT\Internet Logs\xDB11.tmp
2008-04-17 03:52 26,624 ----a-w C:\WINNT\Internet Logs\xDBE.tmp
2008-04-17 03:52 1,406,464 ----a-w C:\WINNT\Internet Logs\xDBF.tmp
2008-04-16 11:48 76,800 ----a-w C:\WINNT\Internet Logs\xDBC.tmp
2008-04-16 11:48 1,405,952 ----a-w C:\WINNT\Internet Logs\xDBD.tmp
2008-04-14 03:33 80,384 ----a-w C:\WINNT\Internet Logs\xDBB.tmp
2008-04-13 15:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 15:50 --------- d-----w C:\Documents and Settings\Michael Rulison\Application Data\Lavasoft
2008-04-13 05:00 51,712 ----a-w C:\WINNT\Internet Logs\xDB9.tmp
2008-04-13 05:00 1,357,824 ----a-w C:\WINNT\Internet Logs\xDBA.tmp
2008-04-12 02:39 75,264 ----a-w C:\WINNT\Internet Logs\xDB8.tmp
2008-04-10 03:29 1,341,952 ----a-w C:\WINNT\Internet Logs\xDB7.tmp
2008-04-09 03:53 112,128 ----a-w C:\WINNT\Internet Logs\xDB5.tmp
2008-04-09 03:53 1,339,904 ----a-w C:\WINNT\Internet Logs\xDB6.tmp
2008-04-07 03:29 82,432 ----a-w C:\WINNT\Internet Logs\xDB3.tmp
2008-04-07 03:29 1,334,272 ----a-w C:\WINNT\Internet Logs\xDB4.tmp
2008-04-05 03:43 123,904 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2008-04-05 03:43 1,308,672 ----a-w C:\WINNT\Internet Logs\xDB2.tmp
2008-03-22 15:02 --------- d-----w C:\Program Files\Java
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-02-19 17:08 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
2008-02-15 15:17 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-02-15 13:24 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
2008-02-09 19:54 691,545 ----a-w C:\WINNT\unins000.exe
2006-07-23 13:14 563,712 ----a-w C:\Documents and Settings\Michael Rulison\gotomypc_370.exe
2006-07-07 17:10 563,712 ----a-w C:\Documents and Settings\Michael Rulison\370_gotomypc.exe
2006-02-25 16:14 271 ---h--w C:\Program Files\desktop.ini
2006-02-25 16:14 21,952 ---h--w C:\Program Files\folder.htt
2003-03-28 19:37 38,757 ----a-r C:\WINNT\inf\FASTNIC.SYS
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

05-03-21 15:13 11264 ab176f2171db704d51b8809e8a5c38bd C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [05-03-21 15:13 11264 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-27 20:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 17:59 218240]
"Adaptec DirectCD"="C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe" [06-03-22 12:35 1249280]
"HP CD-Writer"="C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe" [00-10-12 00:14 36864]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [08-04-16 20:23 262401]
"EPSON Stylus Photo 820 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [02-04-10 04:00 74240]
"Synchronization Manager"="mobsync.exe" [03-06-19 16:05 111376 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [08-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 16:05 186640]

C:\Documents and Settings\Michael Rulison\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
ISSHS.exe [2007-05-22 16:19:13 167424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll 06-06-26 17:12 14120 C:\WINNT\system32\WcesWlgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys [06-03-22 12:37 ]
R1 hpcd2k;hpcd2k;C:\WINNT\system32\drivers\hpcd2k.sys [00-10-23 00:23 ]
R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [99-09-25 06:36 ]
R3 s3m;s3m;C:\WINNT\system32\DRIVERS\s3m.sys [99-11-19 10:20 ]
S3 FastNIC;SMC EZ Card 10/100 (SMC1244TX V2);C:\WINNT\system32\DRIVERS\FastNIC.sys [03-03-28 15:37 ]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINNT\system32\PLCNDIS5.SYS [02-09-09 14:53 ]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;C:\PROGRA~1\NETGEA~1\SCPNDIS5.SYS [03-04-11 13:17 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 22:24:33 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-27 19:07:26 C:\WINNT\Tasks\SDMsgUpdate (SD).job"
- D:\SmartDraw 7\Messages\SDNotify.exeQ-PSD -V760 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T
"2008-04-27 22:14:01 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 18:36:59
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 18:47:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 22:47:27

Pre-Run: 916,557,824 bytes free
Post-Run: 779,485,184 bytes free

159 --- E O F --- 2008-04-16 04:01:14

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:00 PM, on 4/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
D:\program files\a-squared free\a2service.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
D:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: ISSHS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140929957520
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140930095799
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 8418 bytes

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
  • 0

#6
Essexboy
Posted 28 April 2008 - 12:27 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Thats better :) a few more bits and bobs to go, then a registry sweep :)

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

THEN

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINNT\system32\fccdbBrR.dll.vir
C:\WINNT\inf\FASTNIC.SYS
C:\WINNT\inf\wbfirdma.sys
C:\Program Files\folder.htt

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

FINALLY FOR NOW

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : Combofix, MBAM and how is your system running now ?
  • 0

#7
Mike R
Posted 29 April 2008 - 06:46 AM

Mike R

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Performed the requested procedures.
Attached below are the requested logs.

System is running much better. The only apparent remaining problem is the way that IE behaves. When I open IE initially, or open a subsequent new IE window, the window opens immediately, but the content will not seem to appear until I (for example) mouseover the app in the taskbar, right click, and then the contents will load. I don't actually have to select anything after right clicking, just the right click itself is sufficient to cause the contents to load. Hmmmmm :)

*************************

ComboFix 08-04-26.5 - Michael Rulison 2008-04-29 0:08:04.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.222 [GMT -4:00]
Running from: C:\Documents and Settings\Michael Rulison\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michael Rulison\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\folder.htt
C:\WINNT\inf\FASTNIC.SYS
C:\WINNT\inf\wbfirdma.sys
C:\WINNT\system32\fccdbBrR.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\folder.htt
C:\WINNT\inf\FASTNIC.SYS
C:\WINNT\inf\wbfirdma.sys
C:\WINNT\system32\fccdbBrR.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 21:30 . 08-03-25 02:37 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-04-28 21:27 . 08-04-28 21:27 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-27 17:59 . 08-04-27 18:00 <DIR> d-------- C:\Program Files\ERUNT
2008-04-27 15:14 . 08-04-27 15:14 <DIR> d-------- C:\Deckard
2008-04-27 14:11 . 08-04-27 14:11 <DIR> d-------- C:\_OTMoveIt
2008-04-27 01:04 . 08-04-28 20:54 919,124 ---h----- C:\WINNT\ShellIconCache
2008-04-26 23:30 . 08-04-26 23:30 <DIR> d-------- C:\VundoFix Backups
2008-04-13 12:32 . 08-04-13 12:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 11:56 . 08-04-13 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-04 19:08 . 08-04-04 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-04 19:07 . 08-03-13 23:11 75,248 --a------ C:\WINNT\zllsputility.exe
2008-04-04 19:07 . 04-04-27 04:40 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2008-04-04 19:07 . 08-04-04 19:11 4,212 --ah----- C:\WINNT\system32\zllictbl.dat
2008-04-04 19:04 . 08-04-04 19:07 <DIR> d-a------ C:\WINNT\system32\ZoneLabs
2008-04-04 19:04 . 08-03-13 23:11 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2008-04-04 19:04 . 08-04-29 00:19 352,918 --a------ C:\WINNT\system32\vsconfig.xml
2008-04-04 19:03 . 08-04-29 00:23 <DIR> d-a------ C:\WINNT\Internet Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 01:30 --------- d-----w C:\Program Files\Java
2008-04-29 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-29 00:54 45,056 ----a-w C:\WINNT\Internet Logs\xDB18.tmp
2008-04-27 05:13 1,439,232 ----a-w C:\WINNT\Internet Logs\xDB17.tmp
2008-04-27 05:05 64,512 ----a-w C:\WINNT\Internet Logs\xDB15.tmp
2008-04-27 05:05 1,436,160 ----a-w C:\WINNT\Internet Logs\xDB16.tmp
2008-04-23 01:54 94,720 ----a-w C:\WINNT\Internet Logs\xDB14.tmp
2008-04-23 01:53 --------- d-----w C:\Documents and Settings\Michael Rulison\Application Data\SolidDocuments
2008-04-20 15:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 15:06 --------- d-----w C:\Program Files\Symantec
2008-04-20 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-20 03:16 58,368 ----a-w C:\WINNT\Internet Logs\xDB13.tmp
2008-04-19 03:07 36,352 ----a-w C:\WINNT\Internet Logs\xDB12.tmp
2008-04-18 03:44 54,272 ----a-w C:\WINNT\Internet Logs\xDB10.tmp
2008-04-18 03:44 1,409,536 ----a-w C:\WINNT\Internet Logs\xDB11.tmp
2008-04-17 03:52 26,624 ----a-w C:\WINNT\Internet Logs\xDBE.tmp
2008-04-17 03:52 1,406,464 ----a-w C:\WINNT\Internet Logs\xDBF.tmp
2008-04-16 11:48 76,800 ----a-w C:\WINNT\Internet Logs\xDBC.tmp
2008-04-16 11:48 1,405,952 ----a-w C:\WINNT\Internet Logs\xDBD.tmp
2008-04-14 03:33 80,384 ----a-w C:\WINNT\Internet Logs\xDBB.tmp
2008-04-13 15:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 15:50 --------- d-----w C:\Documents and Settings\Michael Rulison\Application Data\Lavasoft
2008-04-13 05:00 51,712 ----a-w C:\WINNT\Internet Logs\xDB9.tmp
2008-04-13 05:00 1,357,824 ----a-w C:\WINNT\Internet Logs\xDBA.tmp
2008-04-12 02:39 75,264 ----a-w C:\WINNT\Internet Logs\xDB8.tmp
2008-04-10 03:29 1,341,952 ----a-w C:\WINNT\Internet Logs\xDB7.tmp
2008-04-09 03:53 112,128 ----a-w C:\WINNT\Internet Logs\xDB5.tmp
2008-04-09 03:53 1,339,904 ----a-w C:\WINNT\Internet Logs\xDB6.tmp
2008-04-07 03:29 82,432 ----a-w C:\WINNT\Internet Logs\xDB3.tmp
2008-04-07 03:29 1,334,272 ----a-w C:\WINNT\Internet Logs\xDB4.tmp
2008-04-05 03:43 123,904 ----a-w C:\WINNT\Internet Logs\xDB1.tmp
2008-04-05 03:43 1,308,672 ----a-w C:\WINNT\Internet Logs\xDB2.tmp
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2008-02-19 17:08 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
2008-02-15 15:17 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-02-15 13:24 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
2008-02-09 19:54 691,545 ----a-w C:\WINNT\unins000.exe
2006-07-23 13:14 563,712 ----a-w C:\Documents and Settings\Michael Rulison\gotomypc_370.exe
2006-07-07 17:10 563,712 ----a-w C:\Documents and Settings\Michael Rulison\370_gotomypc.exe
2006-02-25 16:14 271 ---h--w C:\Program Files\desktop.ini
1999-09-24 23:18 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

------- Sigcheck -------

05-03-21 15:13 11264 ab176f2171db704d51b8809e8a5c38bd C:\WINNT\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Sun 2008-04-27_18.45.44.61 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINNT\ERDNT\AutoBackup\2008-04-27\ERDNT.EXE
+ 2008-04-27 22:39:44 4,636,672 ----a-w C:\WINNT\ERDNT\AutoBackup\2008-04-27\Users\00000001\NTUSER.DAT
+ 2008-04-27 22:39:49 225,280 ----a-w C:\WINNT\ERDNT\AutoBackup\2008-04-27\Users\00000002\UsrClass.dat
+ 2005-10-20 16:02:28 163,328 ----a-w C:\WINNT\ERDNT\AutoBackup\4-28-2008\ERDNT.EXE
+ 2008-04-29 01:00:54 4,632,576 ----a-w C:\WINNT\ERDNT\AutoBackup\4-28-2008\Users\00000001\NTUSER.DAT
+ 2008-04-29 01:00:56 81,920 ----a-w C:\WINNT\ERDNT\AutoBackup\4-28-2008\Users\00000002\UsrClass.dat
+ 1999-09-24 23:18:06 32,528 -c--a-w C:\WINNT\system32\dllcache\wbfirdma.sys
- 2008-02-22 05:23:35 135,168 ----a-w C:\WINNT\system32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\WINNT\system32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\WINNT\system32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\WINNT\system32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\WINNT\system32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\WINNT\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [05-03-21 15:13 11264 C:\WINNT\system32\CTFMON.EXE]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-27 20:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [04-11-02 17:59 218240]
"Adaptec DirectCD"="C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe" [06-03-22 12:35 1249280]
"HP CD-Writer"="C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe" [00-10-12 00:14 36864]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [08-04-16 20:23 262401]
"EPSON Stylus Photo 820 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [02-04-10 04:00 74240]
"Synchronization Manager"="mobsync.exe" [03-06-19 16:05 111376 C:\WINNT\system32\mobsync.exe]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [08-03-13 23:11 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [08-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 16:05 186640]

C:\Documents and Settings\Michael Rulison\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]
ISSHS.exe [2007-05-22 16:19:13 167424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll 06-06-26 17:12 14120 C:\WINNT\system32\WcesWlgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R1 Cdudf;Cdudf;C:\WINNT\system32\drivers\Cdudf.sys [06-03-22 12:37 ]
R1 hpcd2k;hpcd2k;C:\WINNT\system32\drivers\hpcd2k.sys [00-10-23 00:23 ]
R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [99-09-25 06:36 ]
R3 s3m;s3m;C:\WINNT\system32\DRIVERS\s3m.sys [99-11-19 10:20 ]
S3 FastNIC;SMC EZ Card 10/100 (SMC1244TX V2);C:\WINNT\system32\DRIVERS\FastNIC.sys [03-03-28 15:37 ]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;C:\WINNT\system32\PLCNDIS5.SYS [02-09-09 14:53 ]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;C:\PROGRA~1\NETGEA~1\SCPNDIS5.SYS [03-04-11 13:17 ]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 22:24:33 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-27 19:07:26 C:\WINNT\Tasks\SDMsgUpdate (SD).job"
- D:\SmartDraw 7\Messages\SDNotify.exeQ-PSD -V760 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T
"2008-04-27 22:14:01 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 00:20:44
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-29 0:35:52 - machine was rebooted [Michael Rulison]
ComboFix-quarantined-files.txt 2008-04-29 04:35:35
ComboFix2.txt 2008-04-27 22:47:58

Pre-Run: 734,470,144 bytes free
Post-Run: 678,055,936 bytes free

167 --- E O F --- 2008-04-16 04:01:14

************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:36 AM, on 4/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\program files\a-squared free\a2service.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\explorer.exe
D:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: ISSHS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cp...ddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1140929957520
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1140930095799
O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - D:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 8361 bytes

********************************************

Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 31901
Time elapsed: 34 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

****************************************
  • 0

#8
Essexboy
Posted 29 April 2008 - 11:48 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
A few minor bits and bobs now


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} (Java Plug-in 1.4.2_12) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

The only apparent remaining problem is the way that IE behaves. When I open IE initially, or open a subsequent new IE window, the window opens immediately, but the content will not seem to appear until I (for example) mouseover the app in the taskbar, right click, and then the contents will load. I don't actually have to select anything after right clicking, just the right click itself is sufficient to cause the contents to load. Hmmmmm


Is this a recent problem ? Are you still getting a re-occurence after we cleaned the cache with ATF
  • 0

#9
Mike R
Posted 29 April 2008 - 05:31 PM

Mike R

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Completed requested tasks.

Yes. The problem continues even after ATF cleaner does its thing. This problem started around the same time the TR/VUNDO infection began. I can't say with certainty whether it was before or after, but within 24 hrs of the same time.
  • 0

#10
Essexboy
Posted 30 April 2008 - 01:36 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets get you a fresh and more secure version of IE

Download and install IE7

Reboot and try it out - let me know if the problem persists ..

Now to let you know about the malware :) ........................

Now the best part of the day ----- Your log now appears clean :)

You may now delete the tools I had you download

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)

Keep me updated on the IE7
  • 0

#11
Mike R
Posted 30 April 2008 - 04:02 PM

Mike R

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for your excellent help.

While the machine I registered from has xp as the operating system, the problematic machine is running 2000 Professional. It is my understanding that IE7 won't run on that system. Nonetheless, I guess you are saying it might be advantageous to reinstall IE6 plus all updates. Similarly, I don't believe 2000 Professional has the ability to do system restore. I know I should break down and get a new machine, but I'm trying to keep this one serviceable. I do currently run SpywareBlaster, ZoneAlarm, and Avira AntiVir, as well as frequent Microsoft updates. I will certainly try SuperAntispyware.

Any other advice you might offer would be welcomed.

Again, thanks so very much for your generous contribution of time and expertise.
  • 0

#12
Essexboy
Posted 01 May 2008 - 01:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Duh :) you are right will not work on 2000 :)
  • 0

#13
Essexboy
Posted 01 May 2008 - 01:53 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP