12 replies to this topic

[strout99]

Logfile of HijackThis v1.99.1
Scan saved at 8:55:08 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FSI\F-Prot\F-StopW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marilyn\My Documents\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wildblue.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mpdu.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer by mpdu.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [xkstartup] C:\WINDOWS\system32\spool\drivers\w32x86\2\ssccgo.exe Xerox WorkCentre XK Series
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKCU\..\Run: [Reminder] C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.mpdu.net
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Micah_6:8]

Welcome to the forum

Please download/unzip this:

Registry Search by Bobbi Flekman

<Double-click> on regsearch.exe, and search for these:

CU1
CU2

It may take a while to run, so be patient. When finished, the search results will appear in your text editor,

Paste the contents of the search results into this thread.

[strout99]

Thanks, glad to be here. Okay, here's the log..... REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 6/8/2006 10:32:42 AM for strings: ; 'cu1' ; 'cu2' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS ; End Of The Log...

[strout99]

Gotta run out for about 2 hrs, will check back later, thanks!

[Micah_6:8]

Copy the text in the following quote box into Notepad:

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" > files.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> files.txt
notepad files.txt

Save it to your desktop as ff.bat.

CLOSE NOTEPAD.

Now, <double-click> the ff.bat file on the desktop. A Notepad window will open up.

Please paste it's contents into your next post.

[strout99]

Nothing popped up in Notepad . . . it was empty. Here's what the DOS window showed. I 'think' I copied it correctly. C:\Documents and Settings\Marilyn\Desktop>{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttb1{\f0\fswiss\fcharset0 Arial;}} The system cannot find the path specified. c:\Documents and Settings\Marilyn\Desktop>{\*generatorMsftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" 1>files.txt\par The system cannot find the path specified. c:\Documents and Settings\Marilyn\Desktop>reg query "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" 1>>files.txt\par The system cannot find the path specified. C:\Documents and Settings\Marilyn\Desktop>notepad files.txt\par

[Micah_6:8]

Try this.

I've made the file myself and attached it to this post.

It's named "ff.txt".

Download it to your desktop, then rename it to "ff.bat"

Attached Files

•  ff.txt   197bytes   237 downloads

[strout99]

okay, I saved it . . . ran it. . . here's the results.... ! REG.EXE VERSION 3.0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Reminder REG_SZ C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE Yahoo! Pager REG_SZ -quiet ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FRISK FP-Scheduler REG_SZ C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP F-StopW REG_SZ C:\Program Files\FSI\F-Prot\F-StopW.EXE NeroFilterCheck REG_SZ C:\WINDOWS\system32\NeroCheck.exe SunJavaUpdateSched REG_SZ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe KernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k xkstartup REG_SZ C:\WINDOWS\system32\spool\drivers\w32x86\2\ssccgo.exe Xerox WorkCentre XK Series Iomega Drive Icons REG_SZ C:\Program Files\Iomega\DriveIcons\ImgIcon.exe Deskup REG_SZ C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART ADUserMon REG_SZ C:\Program Files\Iomega\AutoDisk\ADUserMon.exe New Value #1 REG_SZ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

[Micah_6:8]

I believe we're narrowing it down.

Run the Registry Search tool again, this time search for:

New Value

All on one line, then post the results of the search in here.

This "condition" you have is caused by corrupted, or incomplete registry items.

I'm attempting to find it.

[strout99]

Hi Micah.... Yesterday after I ran the ff.bat file, I had to shut down and go out for the evening. When I came back and started up, VIOLA!!! no system 32 file appeared. I since shutdown 2 other times and both times on restart, there has been no System 32 folder showing. YIPPEE!!! But...here's the RegSearch log I just did. Marilyn REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 6/9/2006 8:44:02 AM for strings: ; 'new value' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "New Value #1"="" ; End Of The Log...

[Micah_6:8]

We've found "the culprit".

There's an unnecessary, and incomplete, registry entry.

I guess you can "fix" it, or leave it alone, at your discretion (since your "problem" has disappeared).

If you want to "fix" it, please do this:

Copy the contents of the following quote box into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"New Value #1"=-

Save it to the desktop as fixme.reg.

Now <double-click> the fixme.reg file on the desktop.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

Thank you for using the forum.

Post Infection Items To Ponder

[strout99]

Thank YOU . . . this place is awesome and I'm sure I'll be back.

[Micah_6:8]

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.