Normal mode is still shot; here's the new ComboFix log:
Chad Swanson - 06-12-02 18:48:28.04 Service Pack 2
ComboFix 06-12-01W-BetaE - Running from: "C:\Documents and Settings\Chad Swanson\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
d:\autorun.inf . . . . failed to delete
((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))
2006-12-02 19:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-02 18:54 <DIR> d-------- C:\WINNT
2006-12-02 18:53 <DIR> d-------- C:\WINDOWS\erdnt
2006-12-02 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-12-01 22:59 <DIR> d-------- C:\HJT
2006-12-01 21:14 <DIR> d-------- C:\WINDOWS\pss
2006-11-29 21:46 <DIR> d-------- C:\Program Files\Cassini Emulator
2006-11-26 00:38 <DIR> d-------- C:\Program Files\winLAME
2006-11-15 09:30 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-15 09:30 <DIR> d-------- C:\4578be2f18a9c8653998a5ee1a11
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-02 19:52 -------- d-------- C:\Program Files\Internet Explorer
2006-12-02 19:49 -------- d-------- C:\Program Files\Bonjour
2006-12-02 18:42 -------- d---s---- C:\Documents and Settings\Chad Swanson\Application Data\Microsoft
2006-11-27 22:25 -------- d-------- C:\Program Files\SPSSEVAL
2006-10-19 14:28 -------- d-------- C:\Program Files\BitTornado
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-22 13:55 64 --a------ C:\WINDOWS\vmreg32.dll
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /installquiet"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"00THotkey"="C:\\WINDOWS\\System32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"TMESRV.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMERzCtl.EXE /Service"
"TMEEJME.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMEEJME.EXE"
"TMESBS.EXE"="C:\\Program Files\\TOSHIBA\\TME3\\TMESBS32.EXE /Client"
"DpUtil"="C:\\Program Files\\TOSHIBA\\DualPointUtility\\TEDTray.exe"
"TFNF5"="TFNF5.exe"
"TosHKCW.exe"="\"C:\\Program Files\\TOSHIBA\\Wireless Hotkey\\TosHKCW.exe\""
"NDSTray.exe"="\"C:\\Program Files\\Toshiba\\ConfigFree\\NDSTray.exe\""
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
@=""
"TFncKy"="TFncKy.exe /Type 25"
"Tpwrtray"="TPWRTRAY.EXE"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DriverMagicLogon"="\"C:\\Program Files\\SymplisIT\\DriverMagic\\dmschedule.exe\" /boot"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061202-165836-484
O4 - HKLM\..\RunServices: [AOL Services Hosts] aolserviceshosts.exe
backup-20061202-165836-787
O4 - HKLM\..\Run: [AOL Services Hosts] aolserviceshosts.exe
backup-20061202-165836-704
O4 - HKLM\..\Run: [irfk] C:\WINDOWS\NITEAIM.EXE
Completion time: 06-12-03 1:39:34.09