Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
08-29-2007, 11:00 AM   #1
Registered User
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Computer won't boot to desktop

Hi -

I have a computer running Win2K that has gotten infected. At first I was just getting an occasional pop-up, one every couple of minutes. I was able to install Panda Internet Security and run it, and that took care of the pop-ups. Now it boots normally, but after account log in the whole screen stays the blue background color - none of the desktop icons appear. If I do ctrl-alt-del, I can get into the task manager and run programs, but often they'll freeze. I've also logged out, and when I log back in, the normal desktop will flash up for 1 to 2 seconds then disappear. Sometimes it will do this more than once, but not for long enough to actually do anything.

I tried to get into add/remove programs to check for the programs in the instruction list, but wasn't able to. I can access the computer over our network, and can exchange files, and was even able to install the Deckard system scanner.

I did install Panda Internet Security, ran its full scan and it found and corrected several problems. I also let it run from the CD on reboot and it found one more problem - Program files/InetGet2/Popinstall.exe. I also was able to get to the Microsoft website and get most of the updates installed. About 4 failed to install.

Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:16 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINNT\system32\taskmgr.exe
G:\Edrive backup\DSRP Share\dss.exe
G:\EDRIVE~1\DSRPSH~1\TRENDM~1\Hijack\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 200.200.200.2 dsrp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0de33f3b-ae56-4c57-b996-1ed712ea3c12} - C:\WINNT\system32\vyvletv.dll
O2 - BHO: 0 - {5C06F59F-B3E4-4047-7C9F-11BFFD23FA34} - C:\Program Files\Common Files\lacu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {DCA978DD-7CB6-469D-AC9F-B3EB0EA50171} - C:\WINNT\system32\jkklm.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINNT\system32\cbxxvtr.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [7s4T36Q] dpmquoui.exe
O4 - HKCU\..\Run: [MBv3RWcFV] docjpg21.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINNT\system32\jkklm.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe

--
End of file - 5903 bytes


And here's the Deckard log:
Deckard's System Scanner v20070826.66
Run by Administrator on 2007-08-29 12:34:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.17 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:16 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINNT\system32\taskmgr.exe
G:\Edrive backup\DSRP Share\dss.exe
G:\EDRIVE~1\DSRPSH~1\TRENDM~1\Hijack\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 200.200.200.2 dsrp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0de33f3b-ae56-4c57-b996-1ed712ea3c12} - C:\WINNT\system32\vyvletv.dll
O2 - BHO: 0 - {5C06F59F-B3E4-4047-7C9F-11BFFD23FA34} - C:\Program Files\Common Files\lacu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {DCA978DD-7CB6-469D-AC9F-B3EB0EA50171} - C:\WINNT\system32\jkklm.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINNT\system32\cbxxvtr.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [7s4T36Q] dpmquoui.exe
O4 - HKCU\..\Run: [MBv3RWcFV] docjpg21.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINNT\system32\jkklm.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe

--
End of file - 5903 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*
.vbs - VBSFile - shell\open\command - C:\PROGRA~1\PANDAS~1\PANDAI~1\PavScrip.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 MacOpen - c:\winnt\system32\drivers\macopen.sys <Not Verified; DataViz Inc.; MacOpener>
R1 ShldDrv (Panda File Shield Driver) - c:\winnt\system32\drivers\shlddrv.sys <Not Verified; Panda Software; Panda®Shield>
R2 ALIEHCD (ALi PCI to USB Enhanced Host Controller) - c:\winnt\system32\drivers\aliehci.sys <Not Verified; ALi Corporation; ALi Ehci Host Controller Driver>
R2 DS1410D - c:\winnt\system32\drivers\ds1410d.sys
R2 PAVDRV (Panda anti-virus driver) - c:\winnt\system32\drivers\pavdrv50.sys <Not Verified; Panda Software; Panda® Antivirus>
R2 PavProc (Panda Process Protection Driver) - c:\winnt\system32\drivers\pavproc.sys <Not Verified; Panda Software; PandaShield>
R2 Sentinel - c:\winnt\system32\drivers\sentinel.sys
R3 Afc (PPdus ASPI Shell) - c:\winnt\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 aliroothub (USB2.0 Root Hub) - c:\winnt\system32\drivers\alirthub.sys <Not Verified; ALi Corporation; ALi Roothub Driver for USB2.0>

S2 TMMAN - c:\winnt\system32\drivers\tmman.sys <Not Verified; Philips Semiconductors; TriMedia Software Development Environment>
S3 Equinox BOB (Sirius.Sys - Avid Equinox BOB USB Client Driver) - c:\winnt\system32\drivers\sirius.sys <Not Verified; Avid Technology, Inc.; Avid Sirius>
S3 Equinox PCI - c:\winnt\system32\drivers\stargate.sys <Not Verified; Avid Technology, Inc.; Equinox PCI Device Driver>
S3 InCDFat (Ahead InCDFat File System Driver) - c:\winnt\system32\drivers\incdfat.sys <Not Verified; Nero AG; Ahead InCDFat File System Driver>
S3 NAL (Nal Service ) - c:\winnt\system32\drivers\iqvw32.sys (file missing)
S3 TMIRQ - c:\winnt\system32\drivers\tmirq.sys <Not Verified; Merging Technologies S.A.; TMIrq>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CyberPowerUPS (UPS Service) - c:\powerpanelplus\upssrv.exe <Not Verified; Cyber Power Systems, Inc.; PowerPanel>
R2 MacFormatService - "c:\program files\macopener\formatm.exe" /service <Not Verified; DataViz Inc.; MacOpener>
R2 PavPrSrv (Panda Process Protection Service) - "c:\program files\common files\panda software\pavshld\pavprsrv.exe" <Not Verified; Panda Software; PandaShield>
R2 PAVSRV (Panda anti-virus service) - "c:\program files\panda software\panda internet security 2007\pavsrv50.exe" <Not Verified; Panda Software International; Panda residents>
R2 PSIMSVC (Panda IManager Service) - "c:\program files\panda software\panda internet security 2007\psimsvc.exe" <Not Verified; Panda Software; Panda Antivirus>
R2 slpd (Service Location Protocol) - c:\winnt\system32\slpd.exe <Not Verified; Avid; Avid|SICORE Engine>

S4 AvidStartup (Avid Startup) - system32\avidstartup.exe <Not Verified; ; AvidStartup>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_11768086&REV_00\4&1F4428AA&0&18F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1076&SUBSYS_11768086&REV_00\4&1F4428AA&0&18F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-08-25 12:51:00 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 12:05:00 0 d-------- C:\Program Files\Trend Micro <TRENDM~1>
2007-08-29 10:56:55 0 d--h---c- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-08-29 10:34:12 0 d-a------ C:\WINNT\system32\SoftwareDistribution
2007-08-29 10:21:48 104838 --a------ C:\PAVVTS.DAT
2007-08-29 10:21:48 10160 --a------ C:\PAVPROT.BIN
2007-08-29 10:10:20 103936 -----n--- C:\WINNT\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
2007-08-29 10:10:20 141312 -----n--- C:\WINNT\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
2007-08-29 10:09:56 446464 --a------ C:\WINNT\system32\HHActiveX.dll <Not Verified; eHelp Corporation.; RoboHELP HTML 9.2>
2007-08-29 10:09:45 16640 --a------ C:\WINNT\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
2007-08-29 10:09:44 139264 --a------ C:\WINNT\system32\TpUtil.dll <Not Verified; Panda Software; TpUtil Dynamic Link Library>
2007-08-29 10:09:44 101888 --a------ C:\WINNT\system32\SYSTOOLS.DLL <Not Verified; Panda Software; SYSTOOLS>
2007-08-29 10:09:44 245760 --a------ C:\WINNT\system32\PavSHook.dll <Not Verified; Panda Software; PavSHook Dynamic Link Library>
2007-08-29 10:09:44 57344 --a------ C:\WINNT\system32\pavipc.dll <Not Verified; Panda Software; PavIpc Dynamic Link Library>
2007-08-29 10:09:34 70656 --a------ C:\WINNT\system32\drivers\pavdrv50.sys <Not Verified; Panda Software; Panda® Antivirus>
2007-08-29 10:09:33 0 d-a------ C:\WINNT\system32\PAV
2007-08-29 10:09:33 45056 --a------ C:\WINNT\system32\avldr.dll <Not Verified; Panda Software; Panda Antivirus for Windows NT/2000/XP/2003>
2007-08-29 10:08:56 0 d-a------ C:\Program Files\Panda Software
2007-08-29 10:08:07 26752 -ra------ C:\WINNT\system32\drivers\ShldDrv.sys <Not Verified; Panda Software; Panda®Shield>
2007-08-29 10:08:07 165120 -ra------ C:\WINNT\system32\drivers\PavProc.sys <Not Verified; Panda Software; PandaShield>
2007-08-29 10:08:07 0 d-------- C:\Program Files\Common Files\Panda Software
2007-08-29 09:26:09 6448 --ahs---- C:\WINNT\system32\mlkkj.bak1
2007-08-29 09:25:58 95744 --a------ C:\WINNT\system32\sptll.dll
2007-08-29 09:25:55 354912 --a------ C:\WINNT\system32\jkklm.dll
2007-08-29 09:24:10 0 d-------- C:\Program Files\WinPop
2007-08-29 09:24:10 0 d-------- C:\Program Files\InetGet2
2007-08-29 09:21:26 246 --a------ C:\Program Files\Common Files\lacu
2007-08-29 09:21:24 917 --a------ C:\WINNT\system32\winpfz32.sys
2007-08-29 09:20:59 0 d-------- C:\Documents and Settings\Default User\Application Data\NetMon
2007-08-29 09:20:56 0 d--hs---- C:\WINNT\R1JFRyBCT0xMSU4
2007-08-29 09:20:50 171520 --a------ C:\WINNT\system32\vyvletv.dll
2007-08-29 09:20:49 0 d-------- C:\Program Files\Web Buying
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\tmps9
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\drvr2
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\cfig32
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\capcom
2007-08-29 09:20:46 0 d-a------ C:\WINNT\system32\f02WtR
2007-08-28 11:46:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2007-08-20 08:34:22 0 d-------- C:\Program Files\iPod
2007-08-20 08:34:09 0 d-------- C:\Program Files\iTunes
2007-08-05 15:26:19 0 d-------- C:\PCTemp


-- Find3M Report ---------------------------------------------------------------

2007-08-29 10:23:18 0 d-a------ C:\Program Files\Common Files
2007-08-29 10:19:24 0 d-------- C:\Program Files\MacOpener
2007-08-29 10:09:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 09:36:36 0 d-------- C:\Program Files\EPSON Print CD
2007-08-27 11:00:12 2386926 ---h----- C:\WINNT\ShellIconCache
2007-08-23 09:01:44 64696 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-07-28 0422 135 --a------ C:\Program Files\Common Files\proly.html
2007-07-19 16:55:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-07-18 15:53:25 0 d-------- C:\Program Files\Avery Dennison
2007-07-09 12:51:43 0 d-------- C:\Program Files\Skyline
2007-07-05 11:49:38 0 d-------- C:\Program Files\Java
2007-07-05 11:48:57 0 d-------- C:\Program Files\Common Files\Java
2007-07-05 11:48:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-07-02 14:49:55 0 d-------- C:\Program Files\Intel
2007-07-02 11:50:39 0 d-------- C:\Program Files\EPSON
2007-07-02 11:48:15 0 d-------- C:\Program Files\ArcSoft
2007-07-02 08:35:24 0 d-------- C:\Program Files\Apple Software Update
2007-06-01 08:47:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2f0.dat
2007-05-31 01:44:55 823296 --a------ C:\WINNT\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 802816 --a------ C:\WINNT\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-31 01:44:54 823296 --a------ C:\WINNT\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 740442 --a------ C:\WINNT\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0de33f3b-ae56-4c57-b996-1ed712ea3c12}]
08/29/07 09:20a 171520 --a------ C:\WINNT\system32\vyvletv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C06F59F-B3E4-4047-7C9F-11BFFD23FA34}]
C:\Program Files\Common Files\lacu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCA978DD-7CB6-469D-AC9F-B3EB0EA50171}]
08/29/07 09:25a 354912 --a------ C:\WINNT\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
C:\WINNT\system32\cbxxvtr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINNT\system32\ezSP_Px.exe" [08/20/02 09:29a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/06 12:09p]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/06 06:13p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7s4T36Q"="dpmquoui.exe" []
"MBv3RWcFV"="docjpg21.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINNT\system32\cbxxvtr.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/05 12:13p 45056 C:\WINNT\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
cbxxvtr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklm]
C:\WINNT\system32\jkklm.dll 08/29/07 09:25a 354912 C:\WINNT\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- Hosts -----------------------------------------------------------------------

200.200.200.2 dsrp
127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.infospace.com

496 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-08-29 12:36:24 ------------


Thanks for the help!!!
Russ
Attached Files: extra.txt (11.6 KB)
Posted by: Rgrycza
08-29-2007, 03:23 PM   #2
Registered User
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Well - I ran vundofix and it appears to have fixed the problem. Computer now boots to the desktop, and I've run Panda again and it doesn't detect anything else. I'm going to try a few other spyware programs in the morning, just to see if they find anything.

I'd still appreciate an analyst to go over the log files to see if there's anything else that might just be lying there dormant.

Here's the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:58 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 200.200.200.2 dsrp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0de33f3b-ae56-4c57-b996-1ed712ea3c12} - C:\WINNT\system32\vyvletv.dll
O2 - BHO: 0 - {5C06F59F-B3E4-4047-7C9F-11BFFD23FA34} - C:\Program Files\Common Files\lacu.dll (file missing)
O2 - BHO: (no name) - {66E3C3E7-790F-4735-93CE-CAA8D98AE615} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [7s4T36Q] dpmquoui.exe
O4 - HKCU\..\Run: [MBv3RWcFV] docjpg21.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe

--
End of file - 5711 bytes


Here's the Deckard log:
Deckard's System Scanner v20070826.66
Run by Administrator on 2007-08-29 17:16:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.19 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:51 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7H9JK3DE\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 200.200.200.2 dsrp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0de33f3b-ae56-4c57-b996-1ed712ea3c12} - C:\WINNT\system32\vyvletv.dll
O2 - BHO: 0 - {5C06F59F-B3E4-4047-7C9F-11BFFD23FA34} - C:\Program Files\Common Files\lacu.dll (file missing)
O2 - BHO: (no name) - {66E3C3E7-790F-4735-93CE-CAA8D98AE615} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [7s4T36Q] dpmquoui.exe
O4 - HKCU\..\Run: [MBv3RWcFV] docjpg21.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe

--
End of file - 5866 bytes

-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 15:35:30 24576 --a------ C:\WINNT\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-08-29 15:34:57 0 d-------- C:\VundoFix Backups
2007-08-29 12:05:00 0 d-------- C:\Program Files\Trend Micro
2007-08-29 10:56:55 0 d--h---c- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-08-29 10:34:12 0 d-a------ C:\WINNT\system32\SoftwareDistribution
2007-08-29 10:21:48 104838 --a------ C:\PAVVTS.DAT
2007-08-29 10:21:48 10160 --a------ C:\PAVPROT.BIN
2007-08-29 10:10:20 103936 -----n--- C:\WINNT\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
2007-08-29 10:10:20 141312 -----n--- C:\WINNT\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
2007-08-29 10:09:56 446464 --a------ C:\WINNT\system32\HHActiveX.dll <Not Verified; eHelp Corporation.; RoboHELP HTML 9.2>
2007-08-29 10:09:45 16640 --a------ C:\WINNT\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
2007-08-29 10:09:44 139264 --a------ C:\WINNT\system32\TpUtil.dll <Not Verified; Panda Software; TpUtil Dynamic Link Library>
2007-08-29 10:09:44 101888 --a------ C:\WINNT\system32\SYSTOOLS.DLL <Not Verified; Panda Software; SYSTOOLS>
2007-08-29 10:09:44 245760 --a------ C:\WINNT\system32\PavSHook.dll <Not Verified; Panda Software; PavSHook Dynamic Link Library>
2007-08-29 10:09:44 57344 --a------ C:\WINNT\system32\pavipc.dll <Not Verified; Panda Software; PavIpc Dynamic Link Library>
2007-08-29 10:09:34 70656 --a------ C:\WINNT\system32\drivers\pavdrv50.sys <Not Verified; Panda Software; Panda® Antivirus>
2007-08-29 10:09:33 0 d-a------ C:\WINNT\system32\PAV
2007-08-29 10:09:33 45056 --a------ C:\WINNT\system32\avldr.dll <Not Verified; Panda Software; Panda Antivirus for Windows NT/2000/XP/2003>
2007-08-29 10:08:56 0 d-a------ C:\Program Files\Panda Software
2007-08-29 10:08:07 26752 -ra------ C:\WINNT\system32\drivers\ShldDrv.sys <Not Verified; Panda Software; Panda®Shield>
2007-08-29 10:08:07 165120 -ra------ C:\WINNT\system32\drivers\PavProc.sys <Not Verified; Panda Software; PandaShield>
2007-08-29 10:08:07 0 d-------- C:\Program Files\Common Files\Panda Software
2007-08-29 09:25:58 95744 --a------ C:\WINNT\system32\sptll.dll
2007-08-29 09:24:10 0 d-------- C:\Program Files\WinPop
2007-08-29 09:24:10 0 d-------- C:\Program Files\InetGet2
2007-08-29 09:21:26 246 --a------ C:\Program Files\Common Files\lacu
2007-08-29 09:21:24 917 --a------ C:\WINNT\system32\winpfz32.sys
2007-08-29 09:20:59 0 d-------- C:\Documents and Settings\Default User\Application Data\NetMon
2007-08-29 09:20:56 0 d--hs---- C:\WINNT\R1JFRyBCT0xMSU4
2007-08-29 09:20:50 171520 --a------ C:\WINNT\system32\vyvletv.dll
2007-08-29 09:20:49 0 d-------- C:\Program Files\Web Buying
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\tmps9
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\drvr2
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\cfig32
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\capcom
2007-08-29 09:20:46 0 d-a------ C:\WINNT\system32\f02WtR
2007-08-28 11:46:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2007-08-20 08:34:22 0 d-------- C:\Program Files\iPod
2007-08-20 08:34:09 0 d-------- C:\Program Files\iTunes
2007-08-05 15:26:19 0 d-------- C:\PCTemp


-- Find3M Report ---------------------------------------------------------------

2007-08-29 16:18:29 0 d-------- C:\Program Files\MacOpener
2007-08-29 10:23:18 0 d-a------ C:\Program Files\Common Files
2007-08-29 10:09:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 09:36:36 0 d-------- C:\Program Files\EPSON Print CD
2007-08-27 11:00:12 2386926 ---h----- C:\WINNT\ShellIconCache
2007-08-23 09:01:44 64696 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-07-28 0422 135 --a------ C:\Program Files\Common Files\proly.html
2007-07-19 16:55:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-07-18 15:53:25 0 d-------- C:\Program Files\Avery Dennison
2007-07-09 12:51:43 0 d-------- C:\Program Files\Skyline
2007-07-05 11:49:38 0 d-------- C:\Program Files\Java
2007-07-05 11:48:57 0 d-------- C:\Program Files\Common Files\Java
2007-07-05 11:48:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-07-02 14:49:55 0 d-------- C:\Program Files\Intel
2007-07-02 11:50:39 0 d-------- C:\Program Files\EPSON
2007-07-02 11:48:15 0 d-------- C:\Program Files\ArcSoft
2007-07-02 08:35:24 0 d-------- C:\Program Files\Apple Software Update
2007-06-01 08:47:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2f0.dat
2007-05-31 01:44:55 823296 --a------ C:\WINNT\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 802816 --a------ C:\WINNT\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 823296 --a------ C:\WINNT\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 740442 --a------ C:\WINNT\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0de33f3b-ae56-4c57-b996-1ed712ea3c12}]
08/29/07 09:20a 171520 --a------ C:\WINNT\system32\vyvletv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C06F59F-B3E4-4047-7C9F-11BFFD23FA34}]
C:\Program Files\Common Files\lacu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66E3C3E7-790F-4735-93CE-CAA8D98AE615}]
C:\WINNT\system32\jkklm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINNT\system32\ezSP_Px.exe" [08/20/02 09:29a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/06 12:09p]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/06 06:13p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7s4T36Q"="dpmquoui.exe" []
"MBv3RWcFV"="docjpg21.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/05 12:13p 45056 C:\WINNT\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
cbxxvtr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2007-08-29 17:17:27 ------------



Thanks! Russ
Rgrycza is offline  
Old 08-31-2007, 01:04 PM   #3
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Bump*
Rgrycza is offline  
Old 09-04-2007, 06:47 AM   #4
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Bump*
Rgrycza is offline  
Old 09-04-2007, 09:00 AM   #5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Hello Rgrycza -

Sorry for the delay. We've been very busy here in the HJT forum.

Since it's been a few days since your last log was taken, please run DSS once again, and post its log, main.txt

It will show the current state of your machine.

I'm subscribed to this thread, and will be notified of your reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 09-04-2007, 09:10 AM   #6
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Thanks - I'll run DSS shortly. Spy Sweeper and CounterSpy are both finishing up their scans.

Russ
Rgrycza is offline  
Old 09-04-2007, 10:17 AM   #7
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Hi Again -

Spy Sweeper found this:
Adware found: abcsearch
Adware found: alwaysupdatednews
Adware found: websearch toolbar
Adware found: command
Spy Cookie found: yieldmanager cookie
Spy Cookie found: specificclick.com cookie
Spy Cookie found: tacoda cookie
Adware found: maxifiles
Adware found: trojan.gen

I manually deleted the cookies, but I only have the trial version of Spy Sweeper, so it wouldn't do anything about the adware.

CounterSpy found nothing, but I do find it amusing that its active protection doesn't recognize its own program modules when they try to start - like Counterspy.exe!

Here's the DSS log:

Deckard's System Scanner v20070826.66
Run by Administrator on 2007-09-04 12:10:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.29 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:51 PM, on 8/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7H9JK3DE\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 200.200.200.2 dsrp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0de33f3b-ae56-4c57-b996-1ed712ea3c12} - C:\WINNT\system32\vyvletv.dll
O2 - BHO: 0 - {5C06F59F-B3E4-4047-7C9F-11BFFD23FA34} - C:\Program Files\Common Files\lacu.dll (file missing)
O2 - BHO: (no name) - {66E3C3E7-790F-4735-93CE-CAA8D98AE615} - C:\WINNT\system32\jkklm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [7s4T36Q] dpmquoui.exe
O4 - HKCU\..\Run: [MBv3RWcFV] docjpg21.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe

--
End of file - 5866 bytes

-- Files created between 2007-08-04 and 2007-09-04 -----------------------------

2007-08-31 1533 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-31 14:22:09 0 --a------ C:\WINNT\system32\SBRC.dat
2007-08-31 14:22:09 0 --a------ C:\WINNT\system32\SBFC.dat
2007-08-31 11:37:57 80 -r-hs---- C:\WINNT\system32\320981CE5F.dll
2007-08-31 09:40:45 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software <SUNBEL~1>
2007-08-31 09:40:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software <SUNBEL~1>
2007-08-31 09:34:28 0 d-------- C:\Program Files\Webroot
2007-08-31 09:34:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-08-31 09:34:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-08-31 09:33:16 164 --a------ C:\install.dat
2007-08-31 09:23:06 147456 --a------ C:\WINNT\system32\Vbzip11.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-08-31 09:23:06 143360 --a------ C:\WINNT\system32\vbuzip10.dll <Not Verified; Info-ZIP; Info-ZIP's UnZip Windows DLL>
2007-08-31 09:23:04 10752 --a------ C:\WINNT\system32\aamd532.dll <Not Verified; Almeida & Andrade Ltda; MD5 Maker DLL>
2007-08-31 09:23:01 0 d-------- C:\Program Files\Spy Cleaner Gold
2007-08-31 09:07:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\WinPatrol
2007-08-31 09:07:48 0 d-------- C:\Program Files\BillP Studios
2007-08-30 14:58:25 53248 -ra------ C:\WINNT\system32\Prounstl.exe <Not Verified; Intel Corporation; Intel(R) PRO Adapter>
2007-08-30 14:57:57 88592 -ra------ C:\WINNT\system32\drivers\e1000nt5.sys <Not Verified; Intel Corporation; Intel(R) PRO/1000 Adapter>
2007-08-30 13:41:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-08-30 11:21:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-30 09:56:41 208896 --a------ C:\WINNT\system32\wmpns.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows Media Player>
2007-08-30 09:08:38 0 d-------- C:\Program Files\SpywareBlaster
2007-08-29 15:35:30 24576 --a------ C:\WINNT\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2007-08-29 12:05:00 0 d-------- C:\Program Files\Trend Micro
2007-08-29 10:56:55 0 d--h---c- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-08-29 10:34:12 0 d-a------ C:\WINNT\system32\SoftwareDistribution
2007-08-29 10:21:48 104838 --a------ C:\PAVVTS.DAT
2007-08-29 10:21:48 10160 --a------ C:\PAVPROT.BIN
2007-08-29 10:10:20 103936 -----n--- C:\WINNT\system32\drivers\netfltdi.sys <Not Verified; Panda Software; Panda®Network Manager>
2007-08-29 10:10:20 141312 -----n--- C:\WINNT\system32\drivers\netflt.sys <Not Verified; Panda Software International; Panda Residents>
2007-08-29 10:09:56 446464 --a------ C:\WINNT\system32\HHActiveX.dll <Not Verified; eHelp Corporation.; RoboHELP HTML 9.2>
2007-08-29 10:09:45 16640 --a------ C:\WINNT\system32\drivers\cpoint.sys <Not Verified; Panda Software; © Panda Software 2005>
2007-08-29 10:09:44 139264 --a------ C:\WINNT\system32\TpUtil.dll <Not Verified; Panda Software; TpUtil Dynamic Link Library>
2007-08-29 10:09:44 101888 --a------ C:\WINNT\system32\SYSTOOLS.DLL <Not Verified; Panda Software; SYSTOOLS>
2007-08-29 10:09:44 245760 --a------ C:\WINNT\system32\PavSHook.dll <Not Verified; Panda Software; PavSHook Dynamic Link Library>
2007-08-29 10:09:44 57344 --a------ C:\WINNT\system32\pavipc.dll <Not Verified; Panda Software; PavIpc Dynamic Link Library>
2007-08-29 10:09:34 70656 --a------ C:\WINNT\system32\drivers\pavdrv50.sys <Not Verified; Panda Software; Panda® Antivirus>
2007-08-29 10:09:33 0 d-a------ C:\WINNT\system32\PAV
2007-08-29 10:09:33 45056 --a------ C:\WINNT\system32\avldr.dll <Not Verified; Panda Software; Panda Antivirus for Windows NT/2000/XP/2003>
2007-08-29 10:08:56 0 d-a------ C:\Program Files\Panda Software
2007-08-29 10:08:07 26752 -ra------ C:\WINNT\system32\drivers\ShldDrv.sys <Not Verified; Panda Software; Panda®Shield>
2007-08-29 10:08:07 165120 -ra------ C:\WINNT\system32\drivers\PavProc.sys <Not Verified; Panda Software; PandaShield>
2007-08-29 10:08:07 0 d-------- C:\Program Files\Common Files\Panda Software
2007-08-29 09:24:10 0 d-------- C:\Program Files\WinPop
2007-08-29 09:21:26 246 --a------ C:\Program Files\Common Files\lacu
2007-08-29 09:20:56 0 d--hs---- C:\WINNT\R1JFRyBCT0xMSU4
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\tmps9
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\drvr2
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\cfig32
2007-08-29 09:20:48 0 d-a------ C:\WINNT\system32\capcom
2007-08-29 09:20:46 0 d-a------ C:\WINNT\system32\f02WtR
2007-08-28 11:46:23 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_324.dat
2007-08-07 13:58:08 8064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
2007-08-07 13:56:58 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
2007-08-05 15:26:19 0 d-------- C:\PCTemp


-- Find3M Report ---------------------------------------------------------------

2007-09-04 08:51:01 0 d-------- C:\Program Files\QuickTime
2007-08-31 17:04:46 2475728 ---h----- C:\WINNT\ShellIconCache
2007-08-31 09:39:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 14:07:17 0 d-------- C:\Program Files\EPSON Print CD
2007-08-30 11:21:17 0 d-a------ C:\Program Files\Common Files
2007-08-30 11:20:56 0 d-------- C:\Program Files\MacOpener
2007-08-23 09:01:44 64696 --a------ C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-07-28 0422 135 --a------ C:\Program Files\Common Files\proly.html
2007-07-19 16:55:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-07-18 15:53:25 0 d-------- C:\Program Files\Avery Dennison
2007-07-05 11:49:38 0 d-------- C:\Program Files\Java
2007-07-05 11:48:57 0 d-------- C:\Program Files\Common Files\Java
2007-07-05 11:48:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINNT\system32\ezSP_Px.exe" [08/20/02 09:29a]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [10/11/06 12:09p]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [02/01/06 06:13p]
"AAWTray"="G:\Edrive backup\Program Files\Ad-Aware 2007\AAWTray.exe" [08/08/07 03:53p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [08/02/07 11:59a]
"Spy Watcher"="C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" [04/07/05 04:18a]
"@"="" []
"SBCSTray"="G:\Edrive backup\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [06/15/07 03:17p]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07/19/07 10:54p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 09/27/05 12:13p 45056 C:\WINNT\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
cbxxvtr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-09-04 12:13:16 ------------

Thanks!

Russ
Rgrycza is offline  
Old 09-04-2007, 10:22 AM   #8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

If SpySweeper isn't going to remove anything, it's just taking up space on your hard drive.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

     * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disconnect from the internet....pull the plug!
  3. Go to -> Run -> paste in the following single line command & click OK

     "%userprofile%\desktop\combofix.exe" /killall

  4. Follow the prompts. Type "1" and press Enter to begin the scan.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

     Note:
     Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

     ---------------------------------------------------------------------------------------------
  7. Re-establish an internet connection.
  8. Open HijackThis (not DSS) and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

     ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 09-04-2007, 11:31 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

OK - here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:15 PM, on 9/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
G:\Edrive backup\Program Files\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\cisvc.exe
C:\PowerPanelPlus\upssrv.exe
C:\PowerPanelPlus\upsio.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\slpd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CMD.EXE
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE
G:\Edrive backup\Program Files\Ad-Aware 2007\AAWTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\regedit.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\avciman.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.metacrawler.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.blingo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.metacrawler.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [AAWTray] "G:\Edrive backup\Program Files\Ad-Aware 2007\AAWTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\Run: [SBCSTray] "G:\Edrive backup\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Internet Cleaner - {45819E58-6E84-4A5D-BD65-A706981E5BE8} - C:\WINNT\system32\shdocvw.dll (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1188401063812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188401048671
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Edrive backup\Program Files\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power Systems, Inc. - C:\PowerPanelPlus\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv50.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - G:\Edrive backup\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Service Location Protocol (slpd) - Avid - C:\WINNT\System32\slpd.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6695 bytes
Rgrycza is offline  
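The HijackThis log above is read by eye in this thread; the script below is an added example (not part of any post here, and not a HijackThis or TSF tool) that shows how the same first-pass triage can be expressed as a few explicit rules. It takes a handful of lines copied from the log as constructed sample input and flags the entry types a helper looks at first: an O20 Winlogon Notify package whose DLL is missing (the cbxxvtr entry that the CFScript later in this thread deletes), an O23 service whose vendor HijackThis could not read, and R0/R1 browser start/search settings pointing at a third-party site. The severity labels and the rule set are the example's own choices, not a HijackThis feature.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries copied from the HijackThis log posted
# above. Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = www.metacrawler.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [Spy Watcher] "C:\\PROGRA~1\\SPYCLE~1\\SpyWatcher.exe" -S
O4 - HKLM\\..\\Run: [WinPatrol] "C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
O20 - Winlogon Notify: cbxxvtr - cbxxvtr.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\\WINNT\\system32\\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""

# Every HijackThis entry line starts with a section code (R0, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "review" or "info" (labels chosen for this example)
    code: str       # HijackThis section code, e.g. "O20"
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (code, body) pairs for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Apply a few triage rules to a HijackThis log and return findings in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O20":
            # Winlogon Notify packages are DLLs loaded into winlogon.exe at logon.
            # A registered package whose file is gone is an orphaned autostart entry;
            # the CFScript posted later in this thread removes the cbxxvtr key.
            if "(file missing)" in body:
                findings.append(Finding("high", code, "orphaned Winlogon Notify package", body))
            else:
                findings.append(Finding("review", code, "Winlogon Notify DLL; verify vendor", body))
        elif code == "O23" and " - Unknown owner - " in body:
            # HijackThis could not read a company name from the service binary;
            # that is a prompt to verify the file, not proof of anything.
            findings.append(Finding("review", code, "service with no recognised vendor", body))
        elif code in ("R0", "R1"):
            # R0/R1 are Internet Explorer start/search settings; a non-empty value names a site.
            value = body.partition("=")[2].strip()
            if value and "microsoft.com" not in value.lower():
                findings.append(Finding("info", code, f"IE start/search setting points to {value}", body))
    return findings


def summarize(findings):
    """Count findings per severity, for a quick read of a whole log."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.entry}")
    print(summarize(results))
```

Run against the sample, the script reports one high finding (the missing cbxxvtr.dll Notify package), one item to review (the ATI Smart service with no readable vendor) and one informational item (the metacrawler search page); the two O4 Run entries and the O2 BHO pass through untouched, which is the point: the rules only raise what a helper would look at first, and a real log is still read in full.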
Old 09-04-2007, 11:33 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

From ComboFix instructions:

Quote:
6. When finished, it shall produce a log for you. Post that log in your next reply
If it's closed, it will be located at C:\ComboFix.txt
tetonbob is offline  
Old 09-04-2007, 11:34 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Do you want the ComboFix logs, and should I uninstall the spyware/adware cleaners and monitors I've installed? In some ways they're just interfering by trying to block processes of programs like ComboFix.

Russ
Rgrycza is offline  
Old 09-04-2007, 11:38 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Yes, I want C:\ComboFix.txt
tetonbob is offline  
Old 09-04-2007, 11:39 AM   #13 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

ComboFix 07-09-04.4 - "Administrator" 09/04/2007 13:16:28.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1075 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\winpop
C:\WINNT\system32\f02WtR
C:\WINNT\system32\tmps9


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 13:14 51,200 --a------ C:\WINNT\NirCmd.exe
2007-08-31 15:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-31 14:22 0 --a------ C:\WINNT\system32\SBRC.dat
2007-08-31 14:22 0 --a------ C:\WINNT\system32\SBFC.dat
2007-08-31 11:37 80 -r-hs---- C:\WINNT\system32\320981CE5F.dll
2007-08-31 09:42 15,544 --a------ C:\WINNT\system32\drivers\sbhr.sys
2007-08-31 09:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-08-31 09:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sunbelt Software
2007-08-31 09:34 23,864 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2007-08-31 09:34 21,816 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2007-08-31 09:34 20,280 --a------ C:\WINNT\system32\drivers\SSFS0BB8.sys
2007-08-31 09:34 163,128 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2007-08-31 09:34 1,521,464 --a------ C:\WINNT\WRSetup.dll
2007-08-31 09:34 <DIR> d-------- C:\Program Files\Webroot
2007-08-31 09:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-31 09:34 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-08-31 09:33 164 --a------ C:\install.dat
2007-08-31 09:23 147,456 --a------ C:\WINNT\system32\Vbzip11.dll
2007-08-31 09:23 143,360 --a------ C:\WINNT\system32\vbuzip10.dll
2007-08-31 09:23 10,752 --a------ C:\WINNT\system32\aamd532.dll
2007-08-31 09:23 <DIR> d-------- C:\Program Files\Spy Cleaner Gold
2007-08-31 09:07 <DIR> d-------- C:\Program Files\BillP Studios
2007-08-31 09:07 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinPatrol
2007-08-30 14:58 53,248 -ra------ C:\WINNT\system32\Prounstl.exe
2007-08-30 14:57 88,592 -ra------ C:\WINNT\system32\drivers\e1000nt5.sys
2007-08-30 13:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-30 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-30 09:56 208,896 --a------ C:\WINNT\system32\wmpns.dll
2007-08-30 09:08 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-29 15:35 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-08-29 12:34 <DIR> d-------- C:\Deckard
2007-08-29 12:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-29 10:56 <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-08-29 10:21 104,838 --a------ C:\PAVVTS.DAT
2007-08-29 10:21 10,160 --a------ C:\PAVPROT.BIN
2007-08-29 10:10 141,312 --------- C:\WINNT\system32\drivers\netflt.sys
2007-08-29 10:10 103,936 --------- C:\WINNT\system32\drivers\netfltdi.sys
2007-08-29 10:09 70,656 --a------ C:\WINNT\system32\drivers\pavdrv50.sys
2007-08-29 10:09 57,344 --a------ C:\WINNT\system32\pavipc.dll
2007-08-29 10:09 45,056 --a------ C:\WINNT\system32\avldr.dll
2007-08-29 10:09 446,464 --a------ C:\WINNT\system32\HHActiveX.dll
2007-08-29 10:09 245,760 --a------ C:\WINNT\system32\PavSHook.dll
2007-08-29 10:09 16,640 --a------ C:\WINNT\system32\drivers\cpoint.sys
2007-08-29 10:09 139,264 --a------ C:\WINNT\system32\TpUtil.dll
2007-08-29 10:09 101,888 --a------ C:\WINNT\system32\SYSTOOLS.DLL
2007-08-29 10:09 <DIR> d-a------ C:\WINNT\system32\PAV
2007-08-29 10:08 26,752 -ra------ C:\WINNT\system32\drivers\ShldDrv.sys
2007-08-29 10:08 165,120 -ra------ C:\WINNT\system32\drivers\PavProc.sys
2007-08-29 10:08 <DIR> d-a------ C:\Program Files\Panda Software
2007-08-29 10:08 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-08-29 09:20 <DIR> d-a------ C:\WINNT\system32\drvr2
2007-08-29 09:20 <DIR> d-a------ C:\WINNT\system32\cfig32
2007-08-29 09:20 <DIR> d-a------ C:\WINNT\system32\capcom
2007-08-29 09:20 <DIR> d--hs---- C:\WINNT\R1JFRyBCT0xMSU4
2007-08-07 13:58 8,064 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9,344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-08-05 15:26 <DIR> d-------- C:\PCTemp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

99-12-07 07:00 32528 --a--c--- C:\WINNT\inf\wbfirdma.sys
07-09-04 11:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-09-04 08:51 --------- d-------- C:\Program Files\QuickTime
07-08-31 11:38 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
07-08-31 09:39 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-08-30 14:07 --------- d-------- C:\Program Files\EPSON Print CD
07-08-30 13:42 5376 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
07-08-30 11:20 --------- d-------- C:\Program Files\MacOpener
07-08-29 17:32 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skyline
07-08-29 09:56 246 --a------ C:\Program Files\Common Files\lacu
07-07-30 19:19 92504 --a------ C:\WINNT\system32\cdm.dll
07-07-30 19:19 549720 --a------ C:\WINNT\system32\wuapi.dll
07-07-30 19:19 53080 --a------ C:\WINNT\system32\wuauclt.exe
07-07-30 19:19 43352 --a------ C:\WINNT\system32\wups2.dll
07-07-30 19:19 325976 --a------ C:\WINNT\system32\wucltui.dll
07-07-30 19:19 203096 --a------ C:\WINNT\system32\wuweb.dll
07-07-30 19:19 1712984 --a------ C:\WINNT\system32\wuaueng.dll
07-07-30 19:18 33624 --a------ C:\WINNT\system32\wups.dll
07-07-30 19:18 207736 --a------ C:\WINNT\system32\muweb.dll
07-07-28 04:06 135 --a------ C:\Program Files\Common Files\proly.html
07-07-18 15:53 --------- d-------- C:\Program Files\Avery Dennison
07-07-18 15:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Avery
07-06-26 04:57 235280 --a------ C:\WINNT\system32\GDI32.DLL
07-06-15 14:37 27376 --a------ C:\WINNT\system32\SBBD.exe
07-06-07 01:50 1119232 --a------ C:\WINNT\system32\msxml3.dll
01-10-19 09:33 271 ---h----- C:\Program Files\desktop.ini
01-10-19 09:33 21952 ---h-c--- C:\Program Files\folder.htt
1999-12-07 12:00:00 94,784 -csh--w C:\WINNT\twain.dll
1999-12-07 12:00:00 44,816 -csh--w C:\WINNT\twain_32.dll
2006-06-22 18:00:26 80 --sha-r C:\WINNT\system32\D971DED562.dll
2003-06-19 19:05:04 1,015,859 --sha-w C:\WINNT\system32\mfc42.dll
1999-12-07 12:00:00 77,878 --sh--w C:\WINNT\system32\msvcirt.dll
2003-06-19 19:05:04 286,773 --sha-w C:\WINNT\system32\msvcrt.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINNT\system32\ezSP_Px.exe" [02-08-20 09:29 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [06-10-11 12:09 ]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [06-02-01 18:13 ]
"AAWTray"="G:\Edrive backup\Program Files\Ad-Aware 2007\AAWTray.exe" [07-08-08 15:53 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 ]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [07-08-02 11:59 ]
"Spy Watcher"="C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" [05-04-07 04:18 ]
"SBCSTray"="G:\Edrive backup\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [07-06-15 15:17 ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [07-07-19 22:54 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 05-09-27 12:13 45056 C:\WINNT\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
cbxxvtr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R0 MacOpen;MacOpen;C:\WINNT\system32\drivers\MacOpen.sys
R0 SBHR;SBHR;C:\WINNT\system32\drivers\sbhr.sys
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINNT\system32\Drivers\SSFS0BB8.SYS
R1 ShldDrv;Panda File Shield Driver;C:\WINNT\system32\drivers\ShldDrv.sys
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;C:\WINNT\system32\Drivers\ALIEHCI.sys
R2 PAVDRV;Panda anti-virus driver;C:\WINNT\system32\Drivers\pavdrv50.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINNT\system32\DRIVERS\PavProc.sys
R2 slpd;Service Location Protocol;C:\WINNT\System32\slpd.exe
R3 aliroothub;USB2.0 Root Hub;C:\WINNT\system32\DRIVERS\AliRtHub.sys
R3 IBMFE;IBM 10/100 Ethernet PCI Adapter NT Driver;C:\WINNT\system32\DRIVERS\ibmfent5.sys
R3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINNT\system32\drivers\sbapifs.sys
S2 TMMAN;TMMAN;C:\WINNT\system32\DRIVERS\TMMAN.sys
S3 EL90X;3Com EtherLink XL Adapter Driver;C:\WINNT\system32\DRIVERS\el90xnd5.sys
S3 Equinox BOB;Sirius.Sys - Avid Equinox BOB USB Client Driver;C:\WINNT\system32\DRIVERS\Sirius.sys
S3 Equinox PCI;Equinox PCI;C:\WINNT\system32\DRIVERS\Stargate.sys
S3 InCDFat;Ahead InCDFat File System Driver;\??\C:\WINNT\System32\Drivers\InCDFat.sys
S3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;C:\WINNT\system32\DRIVERS\mxofwfp.sys
S3 NAL;Nal Service ;\??\C:\WINNT\system32\Drivers\iqvw32.sys
S3 TMIRQ;TMIRQ;C:\WINNT\system32\DRIVERS\TMIRQ.sys


Contents of the 'Scheduled Tasks' folder
"2007-08-25 17:51:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-04 13:48:08 C:\WINNT\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 13:22:28
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 13:24:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-09-04 13:24

--- E O F ---
Rgrycza is offline  
Old 09-04-2007, 11:46 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Thanks, Russ.

I'd like a bit more information, please.

Create an uninstall list:
  • Open HiJackThis
  • Click on the button " Open the Misc Tools section"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the Notepad file into your post
tetonbob is offline  
Old 09-04-2007, 11:52 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Thanks for all your help!

Here's the uninstall list:

Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe SVG Viewer 3.0
ALi USB2.0 Driver
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoRun Wizard
AXIS Media Control
CCleaner (remove only)
Cinematize 2.0
DDTI Enhanced Web Printing
DesignPro 5.0 Limited Edition
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Elecard MPEG2 Player Version 2.0
EPSON Print CD
EPSON Printer Software
EPSON Stylus Photo R260 User's Guide
Eusing Free Registry Cleaner
HDD Regenerator
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.71 (KB927779)
InCD
Intel Application Accelerator
Intel(R) PRO Network Connections 12.1.12.0
Intel(R) PROSafe for Wired Connections
Java(TM) 6 Update 2
MacOpener 5.0
Maxtor Quick Start
Microsoft Office XP Professional with FrontPage
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Panda Internet Security 2007
particleIllusion 3.0
PowerDVD
PowerPanel Plus
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Shockwave
Spy Cleaner Gold 9.5
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update Rollup 1 for Windows 2000 SP4
VS3 RunTime
Windows 2000 Service Pack 4
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Player system update (9 Series)
WinPatrol 2007
WinZip


Russ
Rgrycza is offline  
Old 09-04-2007, 12:07 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Spy Cleaner Gold 9.5 <<<--- it's rogueware (or known to be rogueware in the past), and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

See this note:

http://www.spywarewarrior.com/rogue_...tm#scgold_note

Also, you may want to consider the uninstall of the trial version of SpySweeper. ID alone is somewhat helpful, but not enough. You have other fine products in Ad-Aware and Spybot S&D already installed. Those, plus your Anti-Virus should be enough. You also have WinPatrol.

Have you already uninstalled CounterSpy? It's not in the Add/Remove list. Perhaps because it's installed on another drive. CounterSpy is a well regarded product, but it's possible to have too many Anti-Spyware applications.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Killall::


Folder::
C:\Program Files\Spy Cleaner Gold
C:\WINNT\system32\drvr2
C:\WINNT\system32\cfig32
C:\WINNT\system32\capcom
C:\WINNT\R1JFRyBCT0xMSU4

DirLook::
C:\PCTemp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spy Watcher"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------
tetonbob is offline  
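The CFScript in the post above is a short, declarative file, and it is worth being able to read one back into a plain list of actions before dragging it onto ComboFix. The following is an added example written for this page (not a ComboFix component and not code from any poster) that parses the script exactly as posted, as constructed sample input, and prints what each line would do. The `[-key]` and `"name"=-` forms are the standard Windows .reg file syntax for deleting a key and a value; the meaning given to the other directives (Killall:: ends running processes, Folder:: removes the listed folders, DirLook:: lists a directory's contents) is the usual reading of ComboFix scripts and is an assumption of this example, as are the action names it emits.

```python
import re

# Constructed sample: the CFScript from the post above, reproduced verbatim.
SAMPLE_SCRIPT = r"""
Killall::


Folder::
C:\Program Files\Spy Cleaner Gold
C:\WINNT\system32\drvr2
C:\WINNT\system32\cfig32
C:\WINNT\system32\capcom
C:\WINNT\R1JFRyBCT0xMSU4

DirLook::
C:\PCTemp

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spy Watcher"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxxvtr]
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. "Folder::"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")            # "[key]" selects, "[-key]" deletes
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')        # '"name"=-' deletes a value


def parse_script(text):
    """Split a CFScript into {directive: [lines]}; text before the first directive is ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def plan(text):
    """Translate a script into an ordered list of (action, target) tuples for review."""
    actions = []
    sections = parse_script(text)
    if "Killall" in sections:
        actions.append(("kill_running_processes", ""))
    for folder in sections.get("Folder", []):
        actions.append(("delete_folder", folder))
    for path in sections.get("DirLook", []):
        actions.append(("list_directory", path))
    # Registry:: follows .reg semantics: a "[key]" line sets the current key for the
    # value lines that follow it; "[-key]" removes the whole key and its subkeys.
    current_key = None
    for line in sections.get("Registry", []):
        m = REG_KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                actions.append(("delete_key", m.group(2)))
                current_key = None
            else:
                current_key = m.group(2)
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group(1), m.group(2)
            if data == "-":
                actions.append(("delete_value", f"{current_key}\\{name}"))
            else:
                actions.append(("set_value", f"{current_key}\\{name}={data}"))
    return actions


if __name__ == "__main__":
    for action, target in plan(SAMPLE_SCRIPT):
        print(f"{action:24} {target}")
```

For the script above this yields nine actions: the process kill, five folder deletions, one directory listing, removal of the "Spy Watcher" value under the HKLM Run key, and removal of the cbxxvtr Winlogon Notify key, which is the registry entry behind the `O20 ... (file missing)` line in the earlier HijackThis log. Reading the plan back this way is how a helper checks that a script touches only what the logs justified.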
Old 09-04-2007, 12:37 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

Hi TetonBob -

Yes, I do still have CounterSpy on the computer, and yes, it is on another drive. The first time I ran it, it found some things, but since then it hasn't found anything. Should I uninstall it?

I've uninstalled Spy Cleaner Gold from the add/remove programs menu, and run ComboFix with the script you supplied.

Before ComboFix finished writing the log, though, I got a registry error - Cannot import creg.cf: Not all data was successfully written to the registry. Some keys are open by the system or other processes.

Russ
Rgrycza is offline  
Old 09-04-2007, 01:03 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Did ComboFix stop, or continue?
tetonbob is offline  
Old 09-04-2007, 01:08 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 32
OS: Win 2000


Re: Computer won't boot to desktop

ComboFix has stopped - the error message has an "OK" box. I believe if I click it, ComboFix will finish up.

Russ
Rgrycza is offline  
Old 09-04-2007, 01:21 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,561
OS: 2000 Pro; XP Pro; XP Home


Re: Computer won't boot to desktop

Please do click OK.
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum