Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site
3rd October 2006, #1
jetbobo (Inactive; Join Date: Oct 2006; Posts: 20; Computer Experience: beginner)


same problem

Hi, I believe that I am having the same problem. I am getting these banners where I won't be able to click my desktop icons as well.

I'm getting something of the sort, like this:

Would you like to install DriveCleaner to check your computer for free?(Recommended)


I downloaded Killbox and ComboFix.

Here is my ComboFix log:

Paul - 06-10-02 20:56:57.62 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\TEMP"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{8C772AA2-0958-1033-1018-040305130001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\SMBOLS~1\userinit.exe
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1\javaw.exe
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1\W?nSxS
C:\QooBox\Purity\WINDOWS\SYSTEM32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-10-02 19:00 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-02 19:00 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-02 18:00 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\d347prt.sys
2006-10-02 18:00 155,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\d347bus.sys
2006-10-01 10:13 126,976 --a------ C:\WINDOWS\SYSTEM32\jzbeady.dll
2006-09-30 17:09 94,208 --a------ C:\WINDOWS\SYSTEM32\HPZipt12.dll
2006-09-30 17:09 69,632 --a------ C:\WINDOWS\SYSTEM32\HPZipm12.exe
2006-09-30 17:09 61,440 --a------ C:\WINDOWS\SYSTEM32\HPZinw12.exe
2006-09-30 17:09 57,344 --a------ C:\WINDOWS\SYSTEM32\HPZisn12.dll
2006-09-30 17:09 278,584 --a------ C:\WINDOWS\SYSTEM32\HPZidr12.dll
2006-09-30 17:09 204,800 --a------ C:\WINDOWS\SYSTEM32\HPZipr12.dll
2006-09-30 17:05 51,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys
2006-09-30 17:05 21,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys
2006-09-30 17:05 16,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys
2006-09-30 17:03 98,304 --a------ C:\WINDOWS\SYSTEM32\hpzjsn01.dll
2006-09-30 17:03 606,208 --a------ C:\WINDOWS\SYSTEM32\hpotscl.dll
2006-09-30 17:03 393,216 --a------ C:\WINDOWS\SYSTEM32\hpzcon12.dll
2006-09-30 17:03 278,528 --a------ C:\WINDOWS\SYSTEM32\hpgwiamd.dll
2006-09-30 17:03 274,432 --a------ C:\WINDOWS\SYSTEM32\HPZc3212.dll
2006-09-30 17:03 258,122 --a------ C:\WINDOWS\SYSTEM32\hpovst08.dll
2006-09-30 17:03 196,608 --a------ C:\WINDOWS\SYSTEM32\hpzcoi12.dll
2006-09-30 17:03 139,345 --a------ C:\WINDOWS\SYSTEM32\hpzlnt12.dll
2006-09-30 16:49 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2006-09-29 23:32 446,464 --a------ C:\WINDOWS\SYSTEM32\HHActiveX.dll
2006-09-29 23:32 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2006-09-29 23:31 9,488 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2006-09-18 00:00 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2006-09-17 23:54 356,864 C:\WINDOWSTrueCrypt Setup.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 20:57 -------- d-------- C:\Program Files\Common Files
2006-10-02 19:57 -------- d-------- C:\Program Files\SlySoft
2006-10-02 19:57 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-02 19:56 -------- d-------- C:\Program Files\Lavasoft
2006-10-02 19:56 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2006-10-02 19:20 -------- d-------- C:\Program Files\Starcraft
2006-10-02 18:00 -------- d-------- C:\Program Files\D-Tools
2006-10-02 17:48 -------- d-------- C:\Program Files\Zone Labs
2006-10-02 17:48 -------- d-------- C:\Program Files\GRETECH
2006-10-02 06:56 0 --a------ C:\AUTOEXEC.BAT
2006-10-02 06:56 -------- d-------- C:\Program Files\Panda Software
2006-10-02 00:27 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Windows Live Safety Center
2006-10-02 00:24 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-01 23:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 23:14 -------- d-------- C:\Program Files\Common Files\Panda Software
2006-10-01 01:04 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-30 17:19 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-09-30 17:17 -------- d-------- C:\Documents and Settings\TEMP\Application Data\AdobeUM
2006-09-30 17:09 -------- d-------- C:\Program Files\HP
2006-09-30 10:31 -------- d-------- C:\Program Files\X3watch
2006-09-30 10:31 -------- d-------- C:\Program Files\Windows Media Player
2006-09-30 10:31 -------- d-------- C:\Program Files\Messenger
2006-09-30 10:20 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-30 10:18 -------- d-------- C:\Program Files\Canon
2006-09-30 10:16 -------- d-------- C:\Program Files\Gabest
2006-09-30 10:15 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-30 10:14 -------- d-------- C:\Program Files\Rio
2006-09-30 10:14 -------- d-------- C:\Program Files\Musicmatch
2006-09-30 10:12 -------- d-------- C:\Program Files\hoonnet
2006-09-30 10:11 -------- d-------- C:\Program Files\HiDownload
2006-09-30 10:11 -------- d-------- C:\Program Files\FlashGet
2006-09-30 10:09 -------- d-------- C:\Program Files\Britannica
2006-09-29 23:30 -------- d-------- C:\Program Files\I8kfanGUI
2006-09-24 18:28 -------- d-------- C:\Program Files\Picasa2
2006-09-24 18:01 -------- d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2006-09-24 18:01 -------- d-------- C:\Program Files\Project64 1.6
2006-09-21 23:15 -------- d-------- C:\Program Files\iRiver
2006-09-20 15:26 -------- d-------- C:\Program Files\Comodo
2006-09-20 09:32 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Comodo
2006-09-20 09:10 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-09-20 09:10 -------- d-------- C:\Program Files\AWS
2006-09-19 20:07 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Tenebril
2006-09-19 20:00 -------- d-------- C:\Program Files\Common Files\iioz
2006-09-17 23:53 -------- d-------- C:\Program Files\CCleaner
2006-09-13 23:46 -------- d-------- C:\Program Files\AIM
2006-09-13 23:46 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Aim
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-17 18:08 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Sun
2006-08-10 17:26 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 17:15 -------- d-------- C:\Documents and Settings\TEMP\Application Data\MSN6
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-26 20:19 0 --a------ C:\WINDOWS\SYSTEM32\cmmgr32.exe
2006-07-26 20:19 0 --a------ C:\WINDOWS\ORUN32.EXE
2006-07-26 20:05 0 --a------ C:\Documents and Settings\TEMP\Application Data\internaldb41.dat
2006-07-26 20:02 1064 --a------ C:\WINDOWS\SYSTEM32\flo188b3.sys
2006-07-26 19:57 286 --a------ C:\WINDOWS\SYSTEM32\n.bat
2006-07-26 19:56 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-03 14:42 356864 --a------ C:\WINDOWS\TrueCrypt Setup.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="C:\\Program Files\\I8kfanGUI\\I8kfanGUI.exe /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aida"="\"C:\\DOCUME~1\\TEMP\\MYDOCU~1\\WNSXS~1\\javaw.exe\" -vt yazb"
"Sxnooz"="C:\\Documents and Settings\\TEMP\\My Documents\\s?mbols\\userinit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x3watch"="C:\\Program Files\\X3watch\\x3watch.exe"
"iRiver Updater"="\\Updater.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\kyzezeroq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\howyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (DBWRW931-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (PAUL-Paul).job
C:\WINDOWS\tasks\McAfee.com Update Check (RUNOFF-Paul).job
C:\WINDOWS\tasks\WebReg 20040829142653.job
C:\WINDOWS\tasks\WebReg 20040829142701.job

Completion time: Mon 10/02/2006 20:57:42.58
ComboFix.txt

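The "banners" that cover the desktop icons in the first post line up with two entries in the ComboFix registry dump above: Desktop\Components\0 and \1 are Active Desktop components whose Source is a local HTML file with an empty FriendlyName, while \2 is the ordinary About:Home component. The Python below is an added example, not code from this thread or from ComboFix: it parses the .reg-style "Reg Loading Points" text (including the hex values wrapped with a trailing backslash) and flags components whose Source is a local file rather than About:Home or an http(s) URL. The sample input is copied from the log above; the parser and the local-file heuristic are my own.

```python
import re

# Constructed sample: the Active Desktop component keys as they appear in the
# ComboFix "Reg Loading Points" section posted in this thread (.reg export
# syntax, including one hex value wrapped onto a continuation line).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"Settings"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\kyzezeroq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\howyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
'''

COMPONENTS_KEY = r'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_value}}.

    Lines ending in a backslash are continuations of a hex value and are
    joined before parsing; raw values keep their type prefix (dword:, hex:)
    or their surrounding quotes for strings.
    """
    joined = re.sub(r'\\\r?\n\s*', '', text)
    keys = {}
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Unescape a quoted REG_SZ value (backslash escapes removed); None if not a string."""
    if raw is None or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r'\\(.)', r'\1', raw[1:-1])


def suspicious_desktop_components(reg):
    """Return Active Desktop components whose Source is a local file.

    A benign component points at About:Home or an http(s) URL and normally has
    a FriendlyName; a nameless component whose Source is a local .html file is
    how a full-screen "banner" gets rendered over the desktop icons.
    """
    prefix = COMPONENTS_KEY.lower() + '\\'
    findings = []
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        source = reg_string(values.get('Source'))
        if source is None:
            continue
        if source.lower().startswith(('about:', 'http://', 'https://')):
            continue
        findings.append({
            'key': key,
            'source': source,
            'friendly_name': reg_string(values.get('FriendlyName')) or '',
        })
    return findings


if __name__ == '__main__':
    for f in suspicious_desktop_components(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}\n    Source={f['source']}  FriendlyName={f['friendly_name']!r}")
```

Run as-is it reports components 0 and 1 and stays silent on component 2. Pointing the parser at a full ComboFix log works the same way, because the non-.reg sections never produce a `[...]` key line and are skipped.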
3rd October 2006, #2
TeMerc (SuperGeek; Join Date: May 2006; Location: PHX. AZ; Posts: 3,311; Computer Experience: Intermediate)


Hi Jetbobo and welcome to the forums.

I have moved your post to its own thread, because it's very difficult to diagnose two problems at one time, especially if they may be different.

Downloading ComboFix and Killbox may be a start, but we first need you to run HijackThis! and post a log so we can see a larger picture.

HiJackThis v1.99.1 zip.
DL the zip file to your desktop, then create a new folder on your C drive called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.

Also, please do not perform any other steps which you think need to be done. You've come here for help; let us help you and we'll get things sorted out in the proper order in which they need doing.

We do appreciate your initiative, though.

3rd October 2006, #3
jetbobo (Inactive; Join Date: Oct 2006; Posts: 20; Computer Experience: beginner)


My apologies about the other operations.

I downloaded HJT and made a new folder; here's the log of it:

Logfile of HijackThis v1.99.1
Scan saved at 9:42:31 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\X3watch\x3watch.exe
C:\Updater.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
O2 - BHO: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
O2 - BHO: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

3rd October 2006, #4
TeMerc (SuperGeek; Join Date: May 2006; Location: PHX. AZ; Posts: 3,311; Computer Experience: Intermediate)


Excellent, thanks for doing as we asked. What you have is a Vundo infection, and while ComboFix finds many files, it does not always delete them, so let's run the VundoFix tool.

Please download VundoFix.exe to your desktop.
  • Double-click *VundoFix.exe* to run it.
  • Click the *Scan for Vundo* button.
  • Once it's done scanning, click the *Remove Vundo* button.
  • You will receive a prompt asking if you want to remove the files, click *YES*
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click *OK*.
  • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

Once Vundo has done its thing you may then run ComboFix, then HJT and give me the 3 logs.

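The Vundo diagnosis in the reply above rests on a handful of lines in the HijackThis log posted before it: the F2 UserInit value that chain-loads dexfddu.exe after userinit.exe, the unnamed O2 BHO and R3 URLSearchHook that share a CLSID and are backed by jzbeady.dll, the O4 Run entries that launch executables from under My Documents, and the orphaned O20 Winlogon Notify entry. The Python below is an added example, not code from this thread or from the HijackThis project: it applies those heuristics to the posted lines and assigns a severity to each hit. The rules and severities are my own, and reading a `?` in a path as a character the tool could not print (the `s?mbols` folder) is an assumption.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted earlier in this
# thread, plus one ordinary O4 entry (DAEMON Tools) to show a line that is not flagged.
SAMPLE_HJT = r'''
R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
'''

LINE_RE = re.compile(r'^(R\d|F\d|O\d+) - (.*)$')
# Paths under the user profile (8.3 short form or long form) are user-writable and
# are not where the Run entry of a normally installed program lives.
USER_PROFILE_RE = re.compile(r'^"?[A-Z]:\\(DOCUME~1|Documents and Settings)\\', re.IGNORECASE)


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()

    if code == 'F2' and 'UserInit=' in rest:
        # Winlogon runs every comma-separated program listed here; only userinit.exe belongs.
        entries = [e.strip() for e in rest.split('UserInit=', 1)[1].split(',') if e.strip()]
        extra = [e for e in entries if e.lower().rsplit('\\', 1)[-1] != 'userinit.exe']
        if extra:
            return ('high', f'UserInit chain-loads extra program(s): {", ".join(extra)}')

    if code == 'O4':
        target = rest.split('] ', 1)[1] if '] ' in rest else rest
        if '?' in target:
            # Assumption: the tool prints a character it cannot render as '?', so a
            # '?' inside a path means a look-alike folder name (here "s?mbols").
            return ('high', 'Run entry path contains an unprintable character')
        if USER_PROFILE_RE.match(target):
            return ('medium', 'Run entry launches an executable from the user profile')

    if code in ('O2', 'R3'):
        if rest.endswith('(no file)'):
            return ('low', 'orphaned CLSID registration; backing file already gone')
        if '(no name)' in rest:
            return ('high', 'unnamed BHO/URLSearchHook backed by a DLL that is present')

    if code == 'O20' and rest.endswith('(file missing)'):
        return ('low', 'orphaned Winlogon Notify package; DLL already gone')

    return None


def triage(log_text):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((result[0], result[1], line.strip()))
    return findings


if __name__ == '__main__':
    for severity, reason, line in triage(SAMPLE_HJT):
        print(f'[{severity:6}] {reason}\n         {line}')
```

The low-severity hits are the leftovers a cleanup tool produces (a CLSID or Notify package whose DLL is already gone); the high-severity ones are the entries that still have a file on disk and will re-establish the infection at the next logon, which is why the reply above asks for a fresh log after VundoFix rather than trusting the ComboFix deletions alone.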
3rd October 2006, #5
jetbobo (Inactive; Join Date: Oct 2006; Posts: 20; Computer Experience: beginner)


Okay, here are the three new logs:

----------
Scan started at 10:25:58 PM 10/2/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Scan started at 10:29:57 PM 10/2/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...



------------
Paul - 06-10-02 22:38:52.25 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\TEMP"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\SMBOLS~1\userinit.exe
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1\javaw.exe
C:\QooBox\Purity\Documents and Settings\TEMP\My Documents\WNSXS~1\W?nSxS
C:\QooBox\Purity\WINDOWS\SYSTEM32\SMANTE~1


((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-10-02 19:00 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-02 19:00 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-02 18:00 5,248 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\d347prt.sys
2006-10-02 18:00 155,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\d347bus.sys
2006-10-01 10:13 126,976 --a------ C:\WINDOWS\SYSTEM32\jzbeady.dll
2006-09-30 17:09 94,208 --a------ C:\WINDOWS\SYSTEM32\HPZipt12.dll
2006-09-30 17:09 69,632 --a------ C:\WINDOWS\SYSTEM32\HPZipm12.exe
2006-09-30 17:09 61,440 --a------ C:\WINDOWS\SYSTEM32\HPZinw12.exe
2006-09-30 17:09 57,344 --a------ C:\WINDOWS\SYSTEM32\HPZisn12.dll
2006-09-30 17:09 278,584 --a------ C:\WINDOWS\SYSTEM32\HPZidr12.dll
2006-09-30 17:09 204,800 --a------ C:\WINDOWS\SYSTEM32\HPZipr12.dll
2006-09-30 17:05 51,120 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZid412.sys
2006-09-30 17:05 21,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZius12.sys
2006-09-30 17:05 16,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\HPZipr12.sys
2006-09-30 17:03 98,304 --a------ C:\WINDOWS\SYSTEM32\hpzjsn01.dll
2006-09-30 17:03 606,208 --a------ C:\WINDOWS\SYSTEM32\hpotscl.dll
2006-09-30 17:03 393,216 --a------ C:\WINDOWS\SYSTEM32\hpzcon12.dll
2006-09-30 17:03 278,528 --a------ C:\WINDOWS\SYSTEM32\hpgwiamd.dll
2006-09-30 17:03 274,432 --a------ C:\WINDOWS\SYSTEM32\HPZc3212.dll
2006-09-30 17:03 258,122 --a------ C:\WINDOWS\SYSTEM32\hpovst08.dll
2006-09-30 17:03 196,608 --a------ C:\WINDOWS\SYSTEM32\hpzcoi12.dll
2006-09-30 17:03 139,345 --a------ C:\WINDOWS\SYSTEM32\hpzlnt12.dll
2006-09-30 16:49 31,616 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
2006-09-29 23:32 446,464 --a------ C:\WINDOWS\SYSTEM32\HHActiveX.dll
2006-09-29 23:32 24,576 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2006-09-29 23:31 9,488 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2006-09-18 00:00 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2006-09-17 23:54 356,864 C:\WINDOWSTrueCrypt Setup.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 21:37 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-02 21:23 -------- d-------- C:\Program Files\Starcraft
2006-10-02 20:57 -------- d-------- C:\Program Files\Common Files
2006-10-02 19:57 -------- d-------- C:\Program Files\SlySoft
2006-10-02 19:56 -------- d-------- C:\Program Files\Lavasoft
2006-10-02 19:56 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2006-10-02 18:00 -------- d-------- C:\Program Files\D-Tools
2006-10-02 17:48 -------- d-------- C:\Program Files\Zone Labs
2006-10-02 17:48 -------- d-------- C:\Program Files\GRETECH
2006-10-02 06:56 0 --a------ C:\AUTOEXEC.BAT
2006-10-02 06:56 -------- d-------- C:\Program Files\Panda Software
2006-10-02 00:27 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Windows Live Safety Center
2006-10-02 00:24 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-01 23:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-01 23:14 -------- d-------- C:\Program Files\Common Files\Panda Software
2006-10-01 01:04 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-30 17:19 -------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-09-30 17:17 -------- d-------- C:\Documents and Settings\TEMP\Application Data\AdobeUM
2006-09-30 17:09 -------- d-------- C:\Program Files\HP
2006-09-30 10:31 -------- d-------- C:\Program Files\X3watch
2006-09-30 10:31 -------- d-------- C:\Program Files\Windows Media Player
2006-09-30 10:31 -------- d-------- C:\Program Files\Messenger
2006-09-30 10:20 -------- d-------- C:\Program Files\Microsoft AntiSpyware
2006-09-30 10:18 -------- d-------- C:\Program Files\Canon
2006-09-30 10:16 -------- d-------- C:\Program Files\Gabest
2006-09-30 10:15 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-30 10:14 -------- d-------- C:\Program Files\Rio
2006-09-30 10:14 -------- d-------- C:\Program Files\Musicmatch
2006-09-30 10:12 -------- d-------- C:\Program Files\hoonnet
2006-09-30 10:11 -------- d-------- C:\Program Files\HiDownload
2006-09-30 10:11 -------- d-------- C:\Program Files\FlashGet
2006-09-30 10:09 -------- d-------- C:\Program Files\Britannica
2006-09-29 23:30 -------- d-------- C:\Program Files\I8kfanGUI
2006-09-24 18:28 -------- d-------- C:\Program Files\Picasa2
2006-09-24 18:01 -------- d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2006-09-24 18:01 -------- d-------- C:\Program Files\Project64 1.6
2006-09-21 23:15 -------- d-------- C:\Program Files\iRiver
2006-09-20 15:26 -------- d-------- C:\Program Files\Comodo
2006-09-20 09:32 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Comodo
2006-09-20 09:10 -------- d-------- C:\Program Files\Common Files\SWF Studio
2006-09-20 09:10 -------- d-------- C:\Program Files\AWS
2006-09-19 20:07 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Tenebril
2006-09-19 20:00 -------- d-------- C:\Program Files\Common Files\iioz
2006-09-17 23:53 -------- d-------- C:\Program Files\CCleaner
2006-09-13 23:46 -------- d-------- C:\Program Files\AIM
2006-09-13 23:46 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Aim
2006-08-21 08:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 05:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-17 18:08 -------- d-------- C:\Documents and Settings\TEMP\Application Data\Sun
2006-08-10 17:26 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 17:15 -------- d-------- C:\Documents and Settings\TEMP\Application Data\MSN6
2006-07-27 09:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-26 20:19 0 --a------ C:\WINDOWS\SYSTEM32\cmmgr32.exe
2006-07-26 20:19 0 --a------ C:\WINDOWS\ORUN32.EXE
2006-07-26 20:05 0 --a------ C:\Documents and Settings\TEMP\Application Data\internaldb41.dat
2006-07-26 20:02 1064 --a------ C:\WINDOWS\SYSTEM32\flo188b3.sys
2006-07-26 19:57 286 --a------ C:\WINDOWS\SYSTEM32\n.bat
2006-07-26 19:56 0 --a------ C:\WINDOWS\SYSTEM32\taskkill.exe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll
2006-07-03 14:42 356864 --a------ C:\WINDOWS\TrueCrypt Setup.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="C:\\Program Files\\I8kfanGUI\\I8kfanGUI.exe /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aida"="\"C:\\DOCUME~1\\TEMP\\MYDOCU~1\\WNSXS~1\\javaw.exe\" -vt yazb"
"Sxnooz"="C:\\Documents and Settings\\TEMP\\My Documents\\s?mbols\\userinit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x3watch"="C:\\Program Files\\X3watch\\x3watch.exe"
"iRiver Updater"="\\Updater.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\kyzezeroq.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\howyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (DBWRW931-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (PAUL-Paul).job
C:\WINDOWS\tasks\McAfee.com Update Check (RUNOFF-Paul).job
C:\WINDOWS\tasks\WebReg 20040829142653.job
C:\WINDOWS\tasks\WebReg 20040829142701.job

Completion time: Mon 10/02/2006 22:39:28.22
ComboFix.txt
ComboFix2.txt

-------------

Logfile of HijackThis v1.99.1
Scan saved at 10:37:43 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\X3watch\x3watch.exe
C:\Updater.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
O2 - BHO: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
O2 - BHO: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

3rd October 2006   #6
TeMerc (SuperGeek)
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate


I meant to mention this before, but the log from HJT is awfully short; was it made in safe mode? If so, please generate a fresh one in normal mode, so we can see all that starts up.

Sorry about that.

3rd October 2006   #7
jetbobo (Inactive)
Join Date: Oct 2006
Posts: 20
Computer Experience: beginner


I believe I did a HJT log in normal mode, but I'll reboot and try it again. Thanks.
3rd October 2006   #8
jetbobo (Inactive)
Join Date: Oct 2006
Posts: 20
Computer Experience: beginner


Okay, here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:40 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\X3watch\x3watch.exe
C:\Updater.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll
O2 - BHO: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)
O2 - BHO: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

3rd October 2006   #9
TeMerc (SuperGeek)
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate


OK, well I guess you have a very trim machine with not much running, which is a good thing.

Ok, the Vundo tool didn't find anything, but it also appears that ComboFix neutered QooLogic. Let's proceed with fixing.

Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.


Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es) if present:
C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe


Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)

R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe


O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)

O2 - BHO: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll

O2 - BHO: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)

O2 - BHO: (no name) - {9F1490D7-5C19-7599-14F7-75E2EA0727C7} - (no file)


O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb

O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe


Reboot into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And search for, then delete, if found (some may not be present after the previous steps), the following files/folders:
C:\WINDOWS\system32\jzbeady.dll<<<--this file
dexfddu.exe<<<--this file



To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

Post a new HJT log back into this thread please.

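The entries TeMerc singled out above follow a few recognisable patterns: hooks and BHOs whose file is gone, a UserInit value that loads a second executable, Run entries launched from a user profile or temp folder, and Winlogon Notify DLLs that are missing. The script below is an added example, not code from this thread or from HijackThis, that applies those same checks to HJT 1.99 log lines; the sample lines are constructed from the log posted above, and the profile/temp-folder and '?' heuristics are assumptions of this example rather than HJT logic.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    entry: str
    reason: str


# Constructed sample: lines taken from the thread's HJT log plus one benign line.
SAMPLE_LOG = "\n".join([
    r'R3 - URLSearchHook: (no name) - {86A5B286-714F-04CE-1402-5FF00BB96EC4} - (no file)',
    r'R3 - URLSearchHook: (no name) - {83A5E980-2648-5B9C-1402-5FF00BB86C93} - C:\WINDOWS\system32\jzbeady.dll',
    r'F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,dexfddu.exe',
    r'O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)',
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033',
    r'O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\TEMP\MYDOCU~1\WNSXS~1\javaw.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Sxnooz] C:\Documents and Settings\TEMP\My Documents\s?mbols\userinit.exe',
    r'O20 - Winlogon Notify: avldr - avldr.dll (file missing)',
])

# Heuristic (assumed, not from HJT): folders a legitimate autorun entry rarely lives in.
PROFILE_OR_TEMP = re.compile(r"docume~1|documents and settings|\\temp\\", re.I)
O4_LINE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _command_path(cmd: str) -> str:
    """Return the executable path from an O4 command string."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted command: cut at the first whitespace-delimited switch (" -x" or " /x").
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def triage(log_text: str) -> List[Finding]:
    """Flag HJT entries matching the patterns discussed in the thread."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        kind = line.split(" ", 1)[0]
        if kind in ("R3", "O2"):
            if line.endswith("(no file)"):
                findings.append(Finding(line, "hook/BHO registered but its file is gone (orphaned entry)"))
            elif "(no name)" in line:
                findings.append(Finding(line, "unnamed hook/BHO loading a DLL; verify the file's origin"))
        elif kind == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            loaders = [p.strip() for p in value.split(",") if p.strip()]
            # Only the real userinit.exe under system32 belongs here.
            extra = [p for p in loaders if not p.lower().endswith(r"\system32\userinit.exe")]
            if extra:
                findings.append(Finding(line, "UserInit loads extra executable(s): " + ", ".join(extra)))
        elif kind == "O4":
            m = O4_LINE.match(line)
            if not m:
                continue
            path = _command_path(m.group("cmd"))
            if "?" in path:
                findings.append(Finding(line, "autorun path contains '?' (unprintable character in a folder name)"))
            if PROFILE_OR_TEMP.search(path):
                findings.append(Finding(line, "autorun launched from a user profile or temp folder"))
        elif kind == "O20" and line.endswith("(file missing)"):
            findings.append(Finding(line, "Winlogon Notify DLL missing (orphaned registration)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}")
```

Run against the sample, the only entry it leaves alone is the DAEMON Tools line; every entry TeMerc asked to fix is flagged with the reason.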
4th October 2006   #10
jetbobo (Inactive)
Join Date: Oct 2006
Posts: 20
Computer Experience: beginner


Okay, here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:19:37 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\X3watch\x3watch.exe
C:\Updater.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...lscbase969.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O20 - Winlogon Notify: avldr - avldr.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

4th October 2006   #11
TeMerc (SuperGeek)
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate


Everything looks good, are you experiencing any more odd behaviour on the machine? Let us know.

We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files.
Index.dat Suite

Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

Here is a link which describes how security apps work with WIN XP machines.
XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

SpywareBlaster
With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

To avoid known malware-infested sites from loading in IE, install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

Links for tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
TeMerc Test Box Forum

Happy surfing!!
Tom

4th October 2006   #12
jetbobo (Inactive)
Join Date: Oct 2006
Posts: 20
Computer Experience: beginner


Thank you so much for all your help! It looks like the banner isn't showing up anymore. I dl the links you provided! Thank you!

Oh one more thing. I got a free subscription to Panda 2006 for one whole year and also I have a zonealarm setup. Is it good to dl both of these onto my computer? I had both up awhile back and a few other spyware programs like AVG7 and spycatcher but for some reason somewhere I tried to get on the internet, but my internet was blocking. So I ended up uninstalling a lot of the programs and my internet worked again. So I guess I was just wondering if those two were okay to dl. Thanks again!

4th October 2006   #13
TeMerc (SuperGeek)
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate


Quote:
Originally Posted by jetbobo
Thank you so much for all your help! It looks like the banner isn't showing up anymore. I dl the links you provided! Thank you!

Oh one more thing. I got a free subscription to Panda 2006 for one whole year and also I have a zonealarm setup. Is it good to dl both of these onto my computer? I had both up awhile back and a few other spyware programs like AVG7 and spycatcher but for some reason somewhere I tried to get on the internet, but my internet was blocking. So I ended up uninstalling a lot of the programs and my internet worked again. So I guess I was just wondering if those two were okay to dl. Thanks again!
This all depends on what versions of the software you were running. You cannot run two anti-virus apps at once, they will conflict with one another. Not so with anti-spyware apps tho. You can run a couple, tho if both have a 'real time' monitor, they could cause a problem, depending on your system.

I ran several at once for a while with no troubles, other than multiple alerts whenever I made changes.

If you install some of the apps I listed above, you would really only need one of the real time apps, along with av and firewall. And same goes with firewalls, only one at a time, and be sure the Windows XP firewall is off.

5th October 2006   #14
jetbobo (Inactive)
Join Date: Oct 2006
Posts: 20
Computer Experience: beginner


Hi. The DriveCleaner problem is coming back up again.
5th October 2006   #15
TeMerc (SuperGeek)
Join Date: May 2006
Location: PHX. AZ
Posts: 3,311
Computer Experience: Intermediate


Ok, let's see where it's running from. Give me a new ComboFix log please, and also give me a start up list from HJT.

Open HJT, click the 'None of the above, just start the program' button.
Then click the 'Config' button in the lower right hand of the program.
Then select the 'Misc Tools' button.
In the upper left hand side of the program tick the two boxes 'List also minor sections (full)' and 'List empty sections (complete)', and select 'Yes' when prompted by the dialog box. The resultant scan will produce a notepad log file; please paste that log file back here for me to review.
