Blue Background Causing Virus


This topic is locked
11 replies to this topic

#1 angusmcghee


Posted 09 December 2006 - 03:47 PM

Hello. I recently got the smitfraud-c spyware thing, so I looked around and I used the smitfraudfix tool, but this background is still here. Afterwards, my anti-virus program told me that I had the Trojan.Vundo, so I downloaded the VundoFix, but it's still a problem. I got rid of the pop-ups, I just can't get to the control panel and change the background and remove programs and such. So here's my HijackThis log.
Any help would be appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 3:36:44 PM, on 12/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Virus Protection stuff\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\WgaTray.exe
D:\Program Files\mozilla\downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\VIRUSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [ofuk] C:\PROGRA~1\COMMON~1\ofuk\ofukm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Virus Protection stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: check-ip-changed.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119974883738
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DLBXCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXserv.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 MFDnSC


Posted 09 December 2006 - 04:43 PM

You have both AVG and Norton running - remove one of them - only one AV should be active on a system

============================

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
=========================

Make sure you allow these changes in Tea-Timer


Add remove programs – remove Viewpoint

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

R3 - Default URLSearchHook is missing

O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)

O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

O4 - HKCU\..\Run: [ofuk] C:\PROGRA~1\COMMON~1\ofuk\ofukm.exe

O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Program Files\Safety Bar
C:\Program Files\Viewpoint
C:\Program Files\ipwins
C:\PROGRA~1\COMMON~1\ofuk

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system

========================
Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Under "Web Pages" you should see an entry checked called something like "Security" or similar.
Select that entry and click the "Delete" button. Click OK then Apply and OK.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP
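The entries the helper marks for "fix checked" above are the ones HijackThis reports with "(no file)", "(file missing)" or "is missing", and the next step is to post a fresh log so the fix can be confirmed. As an added example (not code from this thread, from BleepingComputer or from HijackThis), this Python script parses HijackThis v1.99 log lines, lists those dangling entries, and diffs a before/after scan so a helper can see what was removed and what is new; the two sample logs are constructed subsets of the logs posted in this thread.

```python
"""Triage HijackThis v1.99 logs: flag dangling entries and diff two scans.

Added example for this thread; not code from the thread or from HijackThis.
The two sample logs are constructed subsets in HijackThis's line format,
modelled on the logs posted above.
"""
import re
from typing import Dict, List, Tuple

# Markers HijackThis prints when the referenced file or hook does not exist.
DANGLING_MARKERS = ("(file missing)", "(no file)", "is missing")

# Constructed "before" scan: a subset of the first log in the thread.
BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [ofuk] C:\PROGRA~1\COMMON~1\ofuk\ofukm.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
"""

# Constructed "after" scan: the same machine after the fixes, plus one new entry.
AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line.

    Header lines ("Logfile of HijackThis ...", "Running processes:") and the
    bare process paths under them do not match ENTRY_RE and are skipped, so a
    complete log can be fed in unchanged.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def dangling_entries(text: str) -> List[str]:
    """Entries whose target no longer exists on disk.

    These are the R3/O2/O3/O20 lines a helper marks for 'fix checked': a hook
    that points at nothing cannot load, but it still advertises the infection
    and a missing Winlogon Notify DLL can break logon.
    """
    return [f"{sec} - {body}" for sec, body in parse_log(text)
            if any(marker in body for marker in DANGLING_MARKERS)]


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two scans of the same machine: what was removed, what is new.

    A post-fix log should list the flagged entries under 'removed'; anything
    that comes back, or shows up unexpectedly under 'added', suggests the
    loading point is being re-created by a component that is still running.
    """
    old = {f"{s} - {b}" for s, b in parse_log(before)}
    new = {f"{s} - {b}" for s, b in parse_log(after)}
    return {"removed": sorted(old - new), "added": sorted(new - old)}


def verify_fix(before: str, after: str) -> List[str]:
    """Return dangling 'before' entries that are still present in 'after'."""
    still = {f"{s} - {b}" for s, b in parse_log(after)}
    return [e for e in dangling_entries(before) if e in still]


if __name__ == "__main__":
    for e in dangling_entries(BEFORE):
        print("dangling:", e)
    d = diff_logs(BEFORE, AFTER)
    print("removed:", len(d["removed"]), "added:", len(d["added"]))
    print("still present after fix:", verify_fix(BEFORE, AFTER))
```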

#3 angusmcghee


Posted 10 December 2006 - 02:33 PM

Here's the ComboFix log:
Tyler - 06-12-10 0:28:23.78 Service Pack 2
ComboFix 06.11.27W - Running from: "D:\Program Files\mozilla\Firefox 2\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{34FE89F9-08CE-1033-0418-020419010001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Tyler\My Documents\ECURIT~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\WNSXS~1\W?nSxS
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1
C:\QooBox\Purity\WINDOWS\system32\SSEMBL~1\?ti2evxx.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-10 to 2006-12-10 ))))))))))))))))))))))))))))))))))


2006-12-09 15:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-09 08:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-08 20:08 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-12-08 06:50 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-08 06:49 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-08 06:49 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-08 06:49 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-08 06:49 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-08 06:49 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-08 06:49 <DIR> d----c--- C:\Documents and Settings\Tyler\Application Data\AVG7
2006-12-08 06:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-08 06:48 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-08 06:48 <DIR> d-------- C:\Program Files\Grisoft
2006-12-08 00:44 <DIR> d--hs---- C:\WINDOWS\VHlsZXI
2006-12-07 23:24 <DIR> d-------- C:\WINDOWS\ofuk
2006-12-07 23:24 <DIR> d-------- C:\Program Files\Common Files\ofuk
2006-12-07 20:36 2,958 --a------ C:\WINDOWS\system32\tmp.reg
2006-12-07 20:14 <DIR> d-------- C:\VundoFix Backups
2006-12-05 20:43 2 --a------ C:\WINDOWS\system32\wcpsu.exe
2006-12-05 20:32 <DIR> d-------- C:\WINDOWS\$regcmp$
2006-12-05 20:29 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\TEMP
2006-12-05 19:37 <DIR> d--hs---- C:\Diskeeper
2006-12-05 19:28 <DIR> d-------- C:\Program Files\MeadCo
2006-12-05 16:09 <DIR> dr-h-c--- C:\Documents and Settings\Tyler\Recent
2006-12-05 06:55 <DIR> d-------- C:\Program Files\Java
2006-12-05 00:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-04 20:15 <DIR> d----c--- C:\Documents and Settings\Tyler\Application Data\Uniblue


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-10 00:30 -------- d-------- C:\Program Files\Common Files
2006-12-10 00:20 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-12-09 09:26 -------- d-------- C:\Program Files\Internet Explorer
2006-12-09 09:25 -------- d-------- C:\Program Files\Dell Photo AIO Printer 962
2006-12-09 09:24 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-07 16:10 -------- d-------- C:\Program Files\DL_cats
2006-12-02 19:35 -------- d---sc--- C:\Documents and Settings\Tyler\Application Data\Microsoft
2006-11-09 19:33 -------- d-------- C:\Program Files\Google
2006-11-09 19:26 -------- d-------- C:\Program Files\Winamp
2006-11-05 11:30 -------- d----c--- C:\Documents and Settings\Tyler\Application Data\AdobeUM
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-13 07:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 07:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 05:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-05 05:49 245760 --a------ C:\WINDOWS\system32\rlxf.dll
2006-09-20 18:57 34832 --a--c--- C:\Documents and Settings\Tyler\Application Data\GDIPFONTCACHEV1.DAT
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"=""
"updateMgr"="\"F:\\Program Files\\Adobe\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"ofuk"="C:\\PROGRA~1\\COMMON~1\\ofuk\\ofukm.exe"
"SpybotSD TeaTimer"="D:\\Program Files\\Virus Protection stuff\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"DLBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\DLBXtime.dll,_RunDLLEntry@16"
"dlbxmon.exe"="\"C:\\Program Files\\Dell Photo AIO Printer 962\\dlbxmon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"DiskeeperSystray"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"D:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks\AutorunsDisabled]
"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="F:\\PROGRA~1\\Adobe\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D:\Program Files]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D:\Program Files\FeedReader30]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D:\Program Files\FeedReader30\feedreader.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="feedreader"
"hkey"="HKCU"
"command"="D:\\Program Files\\FeedReader30\\feedreader.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\feedreader.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="feedreader"
"hkey"="HKCU"
"command"="\"D:\\Program Files\\FeedReader30\\FeedReader30\\feedreader.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1150297419\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pg2"
"hkey"="HKCU"
"command"="D:\\Program Files\\PeerGuardian2\\pg2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="D:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineil32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

Completion time: 06-12-10 0:30:58.89
C:\ComboFix.txt ... 06-12-10 00:30
--------------------------------------------------------------------------

And here's my new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:09 PM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Virus Protection stuff\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\mozilla\downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\VIRUSP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] "F:\Program Files\Adobe\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Virus Protection stuff\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: check-ip-changed.bat
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aim.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1119974883738
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\OpenSA\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DLBXCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXserv.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

-----------------------------------------------------------------------------------------------

I can get to the control panel window, but I can't open Display or Add/Remove Programs and some others. When I do try to get into them, I get an error message that says:

"Windows cannot find 'C:\WINDOWS\system32\rundll32.exe.' Make sure you typed the name correctly,
and then try again. To search for a file, click the Start button, and then click Search."

I also deleted all the Temp files and used the Killbox program, so that's all good.

#4 MFDnSC


Posted 10 December 2006 - 02:50 PM

Go to C:\WINDOWS\system32\dllcache and copy rundll32 to C:\WINDOWS\system32

#5 angusmcghee


Posted 10 December 2006 - 08:56 PM

There is no rundll32 file in C:\WINDOWS\system32\dllcache.

#6 MFDnSC


Posted 11 December 2006 - 10:19 AM

Try here

C:\WINDOWS\ServicePackFiles\i386

#7 angusmcghee


Posted 11 December 2006 - 08:09 PM

Okay, so the rundll32 file is good, but I found another problem. In My Computer, the CD drive disappeared. I checked in the right click\properties\hardware window, and it doesn't have it on the list. So any idea what happened there and what I have to do to fix it? Thanks.

#8 MFDnSC


Posted 11 December 2006 - 08:13 PM

Control panel - System - Hardware - Device Manager - remove the CD - boot and let Windows find it again

#9 angusmcghee


Posted 12 December 2006 - 04:02 PM

There is no CD drive in the device manager. But there are some little caution sign things. One by the Secondary IDE Channel and one by SCSI and RAID Controller. I right clicked and clicked Update drivers for both of them. The SCSI and RAID Controller is good now, and it added an entry under DVD/CD-ROM drives as Generic DVD-ROM SCSI CdRom Device (which I'm pretty sure is the daemon program), and that has a little caution sign. I tried to update drivers, but it said Windows cannot find a better match than what I already have installed. This is the same result I got as the Secondary IDE Channel. So, any help on this? Thanks.

#10 MFDnSC


Posted 12 December 2006 - 05:05 PM

Right click on the 2nd IDE controller and remove it - boot and let Windows find it

#11 angusmcghee


Posted 12 December 2006 - 08:05 PM

Alright, everything that I know of is good, so thanks for the help. Much appreciated.

#12 MFDnSC


Posted 12 December 2006 - 08:08 PM

Great, closing thread.