Old 01-14-2008, 08:17 AM   #5 (permalink)
Jono21
Registered User
 
Join Date: Jan 2008
Posts: 4
OS: Windows XP Service Pack 2


Re: Attempted epxonwo toolbar removal - 5 Steps: Posting of Logs

Yep, I ran it twice because the first time I forgot to turn off my Norton Anti-Virus. So I ran it a second time, lol. Whoops.

Anyway, here is my ComboFix2.txt:

---

ComboFix 08-01-13.1 - Jono 2008-01-13 17:35:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT 8:00]
Running from: C:\Documents and Settings\Jono\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\dnqdlpmmwv.dll
C:\WINDOWS\epxonwo.dll
C:\WINDOWS\fqwmwdn.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 17:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 04:13 . 2008-01-13 04:13 <DIR> d-------- C:\Deckard
2008-01-13 04:00 . 2008-01-13 04:00 6,062 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 03:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 03:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 03:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-13 03:59 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-13 03:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 03:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 03:45 . 2008-01-13 03:45 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-12 18:37 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\ltpqtkrimcfr.sys
2008-01-12 16:55 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-12 16:53 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\vjcaeyqadmlh.sys
2008-01-12 16:49 . 2008-01-12 16:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 05:00 . 2008-01-12 20:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-12 05:00 . 2008-01-12 18:31 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-12 05:00 . 2008-01-12 18:31 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-12 05:00 . 2008-01-12 18:31 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-10 17:06 . 2008-01-10 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 00:12 . 2008-01-10 00:13 <DIR> d-------- C:\Program Files\MediaStarCodec
2008-01-08 19:33 . 2008-01-09 17:19 <DIR> d-------- C:\Program Files\Norton Security Scan
2007-12-23 01:53 . 2006-10-04 22:06 1,197,294 --------- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-23 01:53 . 2006-10-04 22:06 764,868 --------- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-12-23 01:53 . 2006-10-04 22:06 217,118 --------- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-12-23 01:47 . 2007-12-23 01:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-23 01:47 . 2007-12-23 01:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-23 00:24 . 2008-01-04 15:35 <DIR> d-------- C:\Program Files\PKR
2007-12-22 14:20 . 2007-12-22 14:31 <DIR> d-------- C:\Program Files\WMV9_VCM
2007-12-21 08:36 . 2007-12-21 08:36 <DIR> d-------- C:\Documents and Settings\Jono\Application Data\InstallShield
2007-12-20 18:55 . 2008-01-12 19:31 <DIR> d-------- C:\Program Files\Ares
2007-12-20 16:59 . 2007-12-20 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 16:59 . 2007-12-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-20 16:39 . 2007-12-20 16:39 <DIR> d-------- C:\Program Files\QuickTime
2007-12-15 11:59 . 2007-12-15 12:00 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 20:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-12 12:17 --------- d-----w C:\Program Files\Symantec
2008-01-12 12:14 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-12 12:11 --------- d-----w C:\Program Files\MSN Messenger
2008-01-12 11:53 --------- d-----w C:\Program Files\Google
2008-01-12 11:33 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-12 10:55 --------- d-----w C:\Documents and Settings\Jono\Application Data\Symantec
2008-01-12 10:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-12 09:41 --------- d-----w C:\Program Files\DIGStream
2008-01-10 02:40 --------- d-----w C:\Program Files\Oberon Media
2008-01-04 07:07 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-03 15:49 --------- d-----w C:\Documents and Settings\Jono\Application Data\DivX
2007-12-22 17:52 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-11 12:57 --------- d-----w C:\Documents and Settings\Jono\Application Data\Ventrilo
2007-12-11 12:37 --------- d-----w C:\Program Files\Ventrilo
2007-12-11 12:36 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 02:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\HP
2007-12-07 23:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2007-12-07 23:33 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-07 23:33 --------- d-----w C:\Program Files\ffdshow
2007-12-07 23:32 --------- d-----w C:\Program Files\DivX
2007-12-07 22:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Suite
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-11-01 11:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 13:39 68856]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-12-26 00:40 1003520]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 12:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 17:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 12:56 64512]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 13:58 458752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-24 22:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 13:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 13:58 86016]
"nwiz"="nwiz.exe" [2006-07-20 13:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 23:02 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 19:19 52840]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 13:22 794713]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-19 15:14 102400]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 11:33 163840]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 10:50 40960]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23 1187840]
"Reminder"="C:\Windows\CREATOR\Remind_XP.exe" [2006-02-09 09:52 643072]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-16 04:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-16 04:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-16 04:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-16 04:00 455168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-26 00:22 151597]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 08:50 155648]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 11:20 227328]
"YeppStudioAgent"="C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 16:30 517768]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 14:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 07:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 13:58 1744896]

C:\Documents and Settings\Jono\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-08-04 19:38:55]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 19:05:26]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-21 10:33:41]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 00:39:30]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 04:05:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2006-07-06 10:28]
S3 RTCore32;RTCore32;C:\Program Files\RMClock\RTCore32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f37d4a97-eb30-11db-b38b-001636b95763}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 14:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-10 01:09:47 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Jono.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/TASK:
"2008-01-04 09:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - User.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-01-10 01:10:17 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Jono.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEg/TASK:
"2008-01-13 09:27:15 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-12 19:45:13 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 17:40:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????c??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 17:40:56
ComboFix-quarantined-files.txt 2008-01-13 09:40:53
.
2008-01-08 23:11:17 --- E O F ---