|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
Thread Tools |
12-23-2007, 05:48 PM
|
#1 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
|
Winlogonhooker removal
Hi,
I've been trying to remove winlogonhooker using spy sweeper, yet I keep on getting get it back. While online my symantic antivirus keeps on catching different adwares. Below is my HijackThis log. Please help, thank you! Logfile of HijackThis v1.99.1 Scan saved at 7:42:31 PM, on 12/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ICO.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Lexmark 2300 Series\lxcgmon.exe C:\Program Files\Lexmark 2300 Series\ezprint.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\lxcgcoms.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\regsvr32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\D-Link AirPlus\AirPlus.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Outerinfo\OuterinfoUpdate.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\wscntfy.exe C:\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe" O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\lserver\server.vbs" O4 - HKLM\..\Run: [VAIO Recovery] "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe" O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [lafmjabo] "rundll32.exe" "C:\Program Files\gvsdktav\wbsjklqp.dll",Init O4 - HKLM\..\Run: [rqvoryfu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rqvoryfu.dll" O4 - HKLM\..\Run: [886bc831] rundll32.exe "C:\WINDOWS\system32\irmumltt.dll",b O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvun.dll,startup O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1180482656200 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB7\webserver\bin\win32\matlabserver.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe |
|
     |
|
12-25-2007, 03:11 PM
|
#2 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
|
Re: Winlogonhooker removal
www.bleepingcomputer.com
www.forospyware.com www.geekstogo.com 1. Please choose from any of the above links. Download the file & Save it to Desktop. 2. Double click on ComboFix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall |
|
|
|
|
12-25-2007, 03:38 PM
|
#3 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
|
Re: Winlogonhooker removal
hi Subs,
I downloaded combofix, but when I run it, it gives me the following error message: "The instruction at 0x7c9111de referenced memory at 0x00780065. The memory could not be read. and the application is swreg.cfexe Also in the ComboFix window I get stack overflow. Thank you for your help in advance. |
|
|
|
|
12-25-2007, 03:45 PM
|
#4 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
|
Re: Winlogonhooker removal
Try running it from Safe Mode
1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. |
|
|
|
|
12-25-2007, 11:08 PM
|
#5 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
|
Re: Winlogonhooker removal
Hi Subs,
Sorry for the delay, below are the two logs you requested. ComboFix 07-12-26.1 - admin 2007-12-26 0:34:06.1 - NTFSx86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00] Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data.\rqvoryfu.dll C:\Program Files\Bnlymlgx C:\Program Files\Bnlymlgx\mffzkvif.dll C:\Program Files\gvsdktav C:\Program Files\gvsdktav\wbsjklqp.dll C:\Program Files\SecCenter C:\Program Files\SecCenter\scprot4.exe.bak C:\WINDOWS\PerfInfo C:\WINDOWS\PerfInfo\pvzB1jR1Htuc.exe C:\WINDOWS\PerfInfo\pvzB1jR1Htud.exe C:\WINDOWS\system32\abefe.ini C:\WINDOWS\system32\abefe.ini2 C:\WINDOWS\system32\bkusxupo.dll C:\WINDOWS\system32\ddcax.dll C:\WINDOWS\system32\efeba.dll C:\WINDOWS\system32\fvxpygsp.ini C:\WINDOWS\system32\fxfipsug.dll C:\WINDOWS\system32\gnhuqgwl.dll C:\WINDOWS\system32\guspifxf.ini C:\WINDOWS\system32\hchmuatu.dll C:\WINDOWS\system32\jkkheef.dll C:\WINDOWS\system32\jkkhifc.dll C:\WINDOWS\system32\ljjjgee.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\pmnlmmn.dll C:\WINDOWS\system32\psgypxvf.dll C:\WINDOWS\system32\ttlmumri.ini C:\WINDOWS\system32\urcjnkks.dll C:\WINDOWS\system32\vtusrom.dll C:\WINDOWS\system32\winudu32.dll C:\WINDOWS\system32\wvwww.dll C:\WINDOWS\system32\wwwvw.ini C:\WINDOWS\system32\wwwvw.ini2 . ((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 ))))))))))))))))))))))))))))))) . 2007-12-25 14:20 . 2007-12-25 14:20 5,640 --a------ C:\WINDOWS\system32\khhfc.dll 2007-12-25 14:16 . 2007-12-25 14:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2007-12-25 14:16 . 2007-12-25 14:16 1,409 --a------ C:\WINDOWS\QTFont.for 2007-12-25 11:15 . 2007-12-25 13:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx 2007-12-25 11:15 . 2007-12-25 11:19 <DIR> d-------- C:\Documents and Settings\admin\Application Data\PrevxCSI 2007-12-25 11:14 . 2007-12-25 11:44 1,018,062 ---hs---- C:\WINDOWS\system32\wjarxsrs.ini 2007-12-23 19:37 . 2007-12-25 15:05 <DIR> d-------- C:\HijackThis 2007-12-23 19:02 . 2007-12-23 19:02 104,448 --a------ C:\WINDOWS\system32\drvvun.dll 2007-12-23 10:10 . 2007-12-23 10:10 <DIR> d-------- C:\WINDOWS\ppqvmpqr 2007-12-23 10:09 . 2007-12-23 10:09 208,896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll 2007-12-23 00:36 . 2007-12-23 00:36 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot 2007-12-22 21:08 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll 2007-12-22 21:08 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys 2007-12-22 18:24 . 2007-12-22 18:24 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot 2007-12-22 18:24 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys 2007-12-22 18:24 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys 2007-12-22 18:24 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys 2007-12-22 18:23 . 2007-12-22 18:23 <DIR> d-------- C:\Program Files\Webroot 2007-12-22 18:23 . 2007-12-22 18:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot 2007-12-22 17:54 . 2007-12-22 17:54 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Webroot 2007-12-22 16:55 . 2007-12-22 16:55 164 --a------ C:\install.dat 2007-12-22 16:53 . 2007-12-22 16:53 <DIR> d-------- C:\Program Files\CCleaner 2007-12-22 16:51 . 2007-12-22 16:58 <DIR> d-------- C:\Documents and Settings\admin\Application Data\GetRightToGo 2007-12-21 13:29 . 2007-12-21 13:29 <DIR> d-------- C:\Program Files\Boson Software 2007-12-21 13:29 . 2007-12-21 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Boson Software 2007-12-21 12:27 . 2007-12-21 12:43 <DIR> d-------- C:\WINDOWS\system32\URTTemp 2007-12-20 16:28 . 2007-12-20 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2007-12-20 16:25 . 2007-12-20 16:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-12-17 13:20 . 2007-12-17 13:46 <DIR> d-------- C:\WINDOWS\system32\juvprpba 2007-12-16 18:12 . 2007-12-20 17:46 320 --ahs---- C:\WINDOWS\system32\rqtwa.ini 2007-12-16 17:38 . 2007-12-16 17:39 69 --a------ C:\WINDOWS\NeroDigital.ini 2007-12-16 15:12 . 2007-12-16 15:12 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Nero 2007-12-16 15:06 . 2007-12-16 15:06 <DIR> d-------- C:\Program Files\Nero 2007-12-16 15:06 . 2007-12-16 15:10 <DIR> d-------- C:\Program Files\Common Files\Nero 2007-12-16 15:06 . 2007-12-16 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero 2007-12-16 13:26 . 2007-12-16 13:39 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-12-16 13:19 . 2007-12-16 13:19 <DIR> d-------- C:\Program Files\PowerQuest 2007-12-13 19:33 . 2007-12-15 10:03 <DIR> d-------- C:\Program Files\ICQToolbar 2007-12-12 19:21 . 2007-12-12 19:21 <DIR> d-------- C:\WINDOWS\PaltalkScene 2007-12-12 19:21 . 2007-12-13 20:15 <DIR> d-------- C:\Program Files\Paltalk Messenger 2007-12-12 19:21 . 2007-12-13 20:15 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Paltalk 2007-12-09 16:28 . 2007-12-09 16:28 <DIR> d-------- C:\Program Files\Photo Viewer 2007-12-03 20:33 . 2007-12-03 20:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-12-03 20:33 . 2007-12-03 20:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-12-03 20:33 . 2007-12-03 20:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-12-03 20:33 . 2007-12-03 20:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll 2007-12-03 20:33 . 2007-12-03 20:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax 2007-11-29 17:30 . 2007-11-29 17:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll 2007-11-29 17:30 . 2007-11-29 17:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll 2007-11-29 17:30 . 2007-11-29 17:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe 2007-11-29 17:30 . 2007-11-29 17:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll 2007-11-29 17:30 . 2007-11-29 17:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb 2007-11-29 17:28 . 2007-11-29 17:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll 2007-11-29 17:28 . 2007-11-29 17:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll 2007-11-29 17:28 . 2007-11-29 17:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest 2007-11-29 17:28 . 2007-11-29 17:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest 2007-11-29 00:06 . 2007-12-08 16:41 13 --a------ C:\WINDOWS\system32\WinSys32.crc 2007-11-29 00:05 . 2007-12-09 16:32 <DIR> d-------- C:\Program Files\CoffeeCup Software 2007-11-29 00:05 . 1998-06-17 04:00 18,944 --a------ C:\WINDOWS\system32\BORLNDMM.DLL 2007-11-28 23:51 . 2007-12-09 16:37 <DIR> d-------- C:\Program Files\Nvu 2007-11-28 23:51 . 2007-11-28 23:51 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Nvu 2007-11-28 23:12 . 2007-11-28 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision 2007-11-28 22:12 . 2007-11-28 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared 2007-11-28 22:11 . 2007-11-28 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia 2007-11-28 22:07 . 2007-11-28 22:12 <DIR> d-------- C:\Program Files\Macromedia 2007-11-28 16:55 . 2007-11-28 16:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-11-28 16:53 . 2007-11-28 16:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll 2007-11-28 16:53 . 2007-11-28 16:53 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax 2007-11-28 16:53 . 2007-11-28 16:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll 2007-11-28 16:53 . 2007-11-28 16:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll 2007-11-28 16:53 . 2007-11-28 16:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll 2007-11-28 16:53 . 2007-11-28 16:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll 2007-11-28 16:53 . 2007-11-28 16:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll 2007-11-28 16:52 . 2007-11-28 16:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-26 05:25 --------- d-----w C:\Program Files\Symantec AntiVirus 2007-12-22 23:18 --------- d-----w C:\Documents and Settings\admin\Application Data\Skype 2007-12-21 23:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-12-20 21:30 --------- d-----w C:\Program Files\Lavasoft 2007-12-20 21:30 --------- d-----w C:\Documents and Settings\admin\Application Data\Lavasoft 2007-12-19 23:53 --------- d-----w C:\Documents and Settings\admin\Application Data\uTorrent 2007-12-12 19:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2007-12-12 18:16 --------- d-----w C:\Program Files\Lx_cats 2007-12-09 21:30 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-06 23:56 --------- d-----w C:\Program Files\DivX 2007-11-13 21:38 --------- d-----w C:\Program Files\iTunes 2007-11-13 21:37 --------- d-----w C:\Program Files\iPod 2007-11-13 21:31 --------- d-----w C:\Program Files\QuickTime 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-05 01:10 --------- d-----w C:\Program Files\Java 2007-11-02 02:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Musicnotes 2007-11-02 02:23 1,409 ----a-w C:\WINDOWS\Fonts\HELST___.FOT 2007-11-02 02:23 1,409 ----a-w C:\WINDOWS\Fonts\HELSS___.FOT 2007-11-02 02:23 1,409 ----a-w C:\WINDOWS\Fonts\HELSM___.FOT 2007-11-02 02:23 1,409 ----a-w C:\WINDOWS\Fonts\HELSINKI.FOT 2007-11-02 02:23 --------- d-----w C:\Program Files\Musicnotes . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 10:00] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 15:35] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CARPService"="carpserv.exe" [2003-03-18 17:49 C:\WINDOWS\system32\carpserv.exe] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-02-27 13:04] "ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 C:\WINDOWS\system32\Ati2mdxx.exe] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-25 18:00] "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 18:46 C:\WINDOWS\system32\ico.exe] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 12:29] "HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-03-17 11:00] "ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2003-04-08 14:16] "VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26] "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11] "Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47] "LXCGCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 12:48] "lxcgmon.exe"="C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 01:07] "EzPrint"="C:\Program Files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 07:05] "FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 08:36] "pdfFactory Pro Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2002-10-30 15:59] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36] "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57] "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51] C:\Documents and Settings\admin\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 19:24:54] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli scecli S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys [2003-09-08 15:06] S3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS [2002-11-19 03:12] . Contents of the 'Scheduled Tasks' folder "2007-11-13 21:01:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2006-10-14 22:15:10 C:\WINDOWS\Tasks\Registration reminder 1.job" - C:\WINDOWS\System32\OOBE\oobebaln.exe "2006-10-14 22:15:10 C:\WINDOWS\Tasks\Registration reminder 2.job" - C:\WINDOWS\System32\OOBE\oobebaln.exe "2006-10-14 22:15:10 C:\WINDOWS\Tasks\Registration reminder 3.job" - C:\WINDOWS\System32\OOBE\oobebaln.exe . ************************************************************************** catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-26 00:46:21 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-26 0:49:47 - machine was rebooted [admin] . 2007-12-23 01:51:55 --- E O F --- ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 1:02:44 AM, on 12/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\carpserv.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ICO.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Sony\HotKey Utility\HKserv.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Sony\HotKey Utility\HKWnd.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Lexmark 2300 Series\lxcgmon.exe C:\Program Files\Lexmark 2300 Series\ezprint.exe C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe C:\WINDOWS\system32\lxcgcoms.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\D-Link AirPlus\AirPlus.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\HijackThis\HijackThis.exe C:\Program Files\iPod\bin\iPodService.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe" O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\lserver\server.vbs" O4 - HKLM\..\Run: [VAIO Recovery] "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe" O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1180482656200 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB7\webserver\bin\win32\matlabserver.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe |
|
|
|
|
12-26-2007, 03:14 AM
|
#6 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP
|
Re: Winlogonhooker removal
Open notepad and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/205264-winlogonhooker-removal.html#post1230668 Collect:: C:\WINDOWS\system32\ndaTqsVqrX.dll C:\WINDOWS\system32\rqtwa.ini C:\WINDOWS\system32\khhfc.dll File:: C:\WINDOWS\system32\wjarxsrs.ini Folder:: C:\WINDOWS\system32\juvprpba C:\WINDOWS\ppqvmpqr Registry:: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00  Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Additonally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4 --------------- Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400 Answer Yes, when prompted to install an ActiveX component.
--------------- In your next post, please include fresh logs from:
|
|
|
|
|
12-27-2007, 04:36 AM
|
#7 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 9
OS: XP SP2
|
Re: Winlogonhooker removal
hi Subs, Below are the 3 logs you requested. While running Kaspersky (which took quite a long time) Symantec antivirus intervened and stopped it, although I had it disabled, so I restarted the whole process in safe mode with network. However, I'm not sure what to do to test the performance of my computer. Logfile of HijackThis v1.99.1 Scan saved at 6:28:47 AM, on 12/27/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe" O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe" O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\lserver\server.vbs" O4 - HKLM\..\Run: [VAIO Recovery] "C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe" O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe" O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe O4 - Global Startup: Bluetooth.lnk = ? O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1180482656200 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\MATLAB7\webserver\bin\win32\matlabserver.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Thursday, December 27, 2007 6:23:59 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 26/12/2007 Kaspersky Anti-Virus database records: 495183 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ F:\ Scan Statistics: Total number of scanned objects: 183321 Number of viruses found: 12 Number of infected objects: 34 Number of suspicious objects: 0 Duration of the scan process: 08:48:02 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\History\History.IE5\MSHist012007122620071227\index.dat Object is locked skipped C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0001\47EE9C00.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0002\47EE9C38.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00CC0003\47EE9C92.VBN Infected: Trojan.Win32.Dialer.yz skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01700000\477E9144.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01700001\477E940C.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01700002\477E98EC.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080000\476DB976.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080001\476DBFFB.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080002\476DC022.VBN Infected: not-virus:Hoax.Win32.Renos.hx skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080003\476DC049.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080004\476DC074.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080005\476DC093.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05080006\476DC309.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\055C0000\477F0A03.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05740001\477C6BAD.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\066C0000\476EBC86.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B2C0000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB80000.VBN Infected: not-virus:Hoax.Win32.Renos.hx skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB80002\4FFF00CA.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB80003\4FFF011C.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB80004\4FFF017A.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EB80000\4FFAEE6B.VBN Infected: Backdoor.Win32.Agent.dlj skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EB80001\4FFAEE9B.VBN Infected: Backdoor.Win32.Agent.dlj skipped C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FC00000.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.v skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\rqvoryfu.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped C:\qoobox\Quarantine\C\Program Files\Bnlymlgx\mffzkvif.dll.vir Infected: Trojan.Win32.Obfuscated.mi skipped C:\qoobox\Quarantine\C\Program Files\gvsdktav\wbsjklqp.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.kzd skipped C:\qoobox\Quarantine\C\WINDOWS\system32\jkkheef.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped C:\qoobox\Quarantine\C\WINDOWS\system32\ljjjgee.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped C:\qoobox\Quarantine\C\WINDOWS\system32\vtusrom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.coa skipped C:\qoobox\Quarantine\C\WINDOWS\system32\winudu32.dll.vir Infected: Trojan.Win32.Dialer.yz skipped C:\qoobox\Quarantine\catchme2007-12-26_ 04608.20.zip/pmnlmmn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bwo skipped C:\qoobox\Quarantine\catchme2007-12-26_ 04608.20.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{714C809E-5AB6-4445-9A67-94FBD9F1D08A}\RP1\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped C:\WINDOWS\system32\config\OSession.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drvvun.dll Infected: Trojan.Win32.Dialer.yz skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped Scan process completed. ComboFix 07-12-26.1 - admin 2007-12-26 0:34:06.1 - NTFSx86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00] Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))) |
