Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack This Log, Please Help Virtumonde Virus


  • This topic is locked This topic is locked
24 replies to this topic

#1 Sapphiah

Sapphiah

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 21 March 2008 - 10:35 PM

Additional information:

Computer was very sluggish while I was downloading WinPatrol. I ran the mbam scan and the ad aware 2007 scan again. The scans found 9 and 149 infections, respectively. Below is the scan for WinPatrol. Thank you for your help.





Log created by WinPatrol version 14.0.2007.1:14.0.2007.1
Scan saved at 11:19:05 PM, on 3/21/2008
Platform: Windows XP SP2 Home Edition Service Pack 2 (Build 2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\Lavasoft\AD-AWARE 2007\AAWSERVICE.EXE
C:\PROGRAM FILES\Citrix\ICA CLIENT\ssonsvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\CYBERLINK\PowerDVD\pdvdserv.exe
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\PROGRAM FILES\DIGITAL MEDIA READER\SHWICONEM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WkUFind.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1154307608\ee\AOLSOFTWARE.EXE
C:\PROGRAM FILES\LEXMARK 3100 SERIES\lxbrbmgr.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\Office12\GROOVEMONITOR.EXE
C:\PROGRAM FILES\Corel\COREL PHOTO ALBUM 6\MEDIADETECT.EXE
C:\PROGRAM FILES\LEXMARK 7300 SERIES\lxcimon.exe
C:\PROGRAM FILES\LEXMARK 7300 SERIES\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\PROGRAM FILES\Java\JRE1.6.0_05\bin\jusched.exe
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AOL\USERPROFILES\ALL USERS\ANTISPYWARE\dat\updates\aspapp\SUNSETASP2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRAM FILES\MESSENGER\msmsgs.exe
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\Google\GOOGLETOOLBARNOTIFIER\1.2.1128.5462\GOOGLETOOLBARNOTIFIER.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\BigFix\bigfix.exe
C:\PROGRAM FILES\LEXMARK 3100 SERIES\lxbrbmon.exe
C:\PROGRAM FILES\COMMON FILES\AOL\1154307608\ee\services\ANTISPYWAREAPP\VER2_0_32_1\AOLSP SCHEDULER.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O1 - Hosts: 127.0.0.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\Google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut]HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl]C:\Program Files\CyberLink\PowerDVD\pdvdserv.exe
O4 - HKLM\..\Run: [ccApp]C:\Program Files\Common Files\Symantec Shared\ccapp.exe
O4 - HKLM\..\Run: [NAV CfgWiz]C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE REBOOT
O4 - HKLM\..\Run: [NeroFilterCheck]C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask]c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey]zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd]ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM]C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan]SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd]ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr]ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection]C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer]C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck]%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager]C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend]C:\Program Files\Common Files\AOL\IPHSend\iphsend.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series]C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
O4 - HKLM\..\Run: [LXBRKsk]C:\Program Files\Lexmark 3100 Series\lxbrksk.exe
O4 - HKLM\..\Run: [GrooveMonitor]C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [Corel Photo Downloader]C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxcimon.exe]C:\Program Files\Lexmark 7300 Series\lxcimon.exe
O4 - HKLM\..\Run: [EzPrint]C:\Program Files\Lexmark 7300 Series\ezprint.exe
O4 - HKLM\..\Run: [WrtMon.exe]C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray]C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher]C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [5417482f]C:\WINDOWS\system32\pxsttgqi.dll,b
O4 - HKLM\..\Run: [AOLAspSunset2]C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [LXCICATS]rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM57247bb3]C:\WINDOWS\system32\qwmovihb.dll,s
O4 - HKLM\..\Run: [braviax]braviax.exe
O4 - HKLM\..\Run: [WinPatrol]C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [MSMSGS]C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [MoneyAgent]C:\Program Files\Microsoft Money\System\mnyexpr.exe
O4 - HKCU\..\Run: [ISUSPM]C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer]C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg]C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214]C:\Documents and Settings\Owner\Application Data\haseb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk=C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk=C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [Java (Sun)] Java (Sun) - C:\Program Files\Java\jre1.6.0_05\bin
O11 - Options group: [] -
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL = http://www.gateway.com
O14 - IERESET.INF: SEARCH_PAGE_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O14 - IERESET.INF:HKCU, Start Page = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Page_URL = %START_PAGE_URL%
O14 - IERESET.INF:HKLM, Default_Search_URL = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKLM, Search Page = %SEARCH_PAGE_URL%
O14 - IERESET.INF:HKCU, Search Page = %SEARCH_PAGE_URL%
O15 - Trusted Zone: aol.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim) - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.6.0_04) - http://java.sun.com/products/plugin/autodl...indows-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) - http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
O20 - AppInit_DLLs: cru629.dat

O23 - Service: Ad-Aware 2007 Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: Application Management - - C:\WINDOWS\System32\appmgmts.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe -service
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinEncrypt service - WinEncrypt - wentxp.exe

--- Additional WinPatrol Info ---
Default Browser: Internet Explorer - Internet Explorer version 6.00.2900.2180
MSIE: Internet Explorer (6.00.2900.2180)
Firefox 2.0.0.12 installed in C:\Program Files\Mozilla Firefox.
460 IE Cookies in Folder: C:\Documents and Settings\Owner\Cookies\
5 Mozilla Cookies in Folder: C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\j5lukjoy.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\WINDOWS\system32\cmd.exe

WP03 - Windows Automatic Update = 4:Automatically download recommended updates for my computer and install them.


WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix: Default = http://
WP08 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes: www = http://

WP31 - Scheduled Tasks: [Symantec NetDetect.job]C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE Never
WP31 - Scheduled Tasks: [Norton AntiVirus - Scan my computer.job]C:\Program Files\Norton AntiVirus\Navw32.exe Never

WP32 - Hidden File: C:\boot.ini
WP32 - Hidden File: C:\CONFIG.SYS
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\NTDETECT.COM
WP32 - Hidden File: C:\ntldr
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\WINDOWS\QTFont.qfn
WP32 - Hidden File: C:\WINDOWS\WindowsShell.Manifest
WP32 - Hidden File: C:\WINDOWS\winnt.bmp
WP32 - Hidden File: C:\WINDOWS\winnt256.bmp
WP32 - Hidden File: C:\WINDOWS\system32\cdplayer.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\config\default.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SAM.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\SECURITY.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\software.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\system.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\TempKey.LOG
WP32 - Hidden File: C:\WINDOWS\system32\config\userdiff.LOG
WP32 - Hidden File: C:\WINDOWS\system32\logonui.exe.manifest
WP32 - Hidden File: C:\WINDOWS\system32\ncpa.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\nwc.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\Restore\filelist.xml
WP32 - Hidden File: C:\WINDOWS\system32\sapi.cpl.manifest
WP32 - Hidden File: C:\WINDOWS\system32\WindowsLogon.manifest
WP32 - Hidden File: C:\WINDOWS\system32\wuaucpl.cpl.manifest

WP33 - File Type .AVI: [Video Clip]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:8 /Open %L
WP33 - File Type .BAT: [MS-DOS Batch File]%1 %*
WP33 - File Type .CAB: [Cabinet File]C:\WINDOWS\Explorer.exe /idlist,%I,%L
WP33 - File Type .CAT: [Security Catalog]rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\WINDOWS\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows NT Command Script]%1 %*
WP33 - File Type .DOC: [Microsoft Office Word 97 - 2003 Document]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .EML: [Outlook Express Mail Message]C:\Program Files\Outlook Express\msimn.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\WINDOWS\System32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\WINDOWS\System32\msiexec.exe /i %1 %*
WP33 - File Type .MSG: [Outlook Item]C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE /f %1
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .RAM: [RealPlayer File]C:\Program Files\Real\RealPlayer\RealPlay.exe /m audio/x-pn-realaudio %1
WP33 - File Type .REG: [Registration Entries]%1 %*
WP33 - File Type .RTF: [Rich Text Format]C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /n /dde
WP33 - File Type .SCR: [Screen Saver]%1 %*
WP33 - File Type .TXT: [Text Document]C:\WINDOWS\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Internet Shortcut]rundll32.exe shdocvw.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\WINDOWS\System32\WScript.exe %1 %*
WP33 - File Type .XLS: [Microsoft Office Excel 97-2003 Worksheet]C:\Program Files\Microsoft Office\Office12\EXCEL.EXE /e

Memory currently in use: 49%
Physical Memory Free: 260,732 KB
Paging File Free: 887,400 KB
Virtual Memory Free: 2,058,620 KB


--
End of file

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 28 March 2008 - 08:52 PM

Hello Sapphiah,

Welcome to the BleepingComputer Forums.
Since it has been a few days, please post a new HijackThis log.

Is this a company or work computer?

Thank you for your patience.

Edited by SifuMike, 28 March 2008 - 08:58 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 29 March 2008 - 02:59 AM

This is a personal home computer. However, I have a citrix link to a work computer.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 29 March 2008 - 12:08 PM

Hi Sapphiah,

You forgot to post a fresh Hijackthis log. :thumbsup:

Below is the scan for WinPatrol.

Do not post the WinPatrol log, as that does not help me.

Before you repost your log please download and install the new version by following the instructions of the at Step 9 of Preparation Guide for use before posting a HijackThis Log

Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Let it install in the default folder C:\Program Files\Trend Micro\HijackThis

Then post a Hijackthis log.

Edited by SifuMike, 29 March 2008 - 01:23 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 March 2008 - 12:19 AM

From the beginning I could not get Hijack This to run or open on my computer. I'm sorry I forgot to mention that in this post. I originally mentioned it. The icon is on my desktop, but nothing happens when I double - click on it. I have tried to save in the safe mode. It was suggested that I run WinPatrol before. Do you have any suggestions? or is there another way to run HijackThis log? Is there something I need to turn off in my computer that may be preventing HijackThis from running? Currently, the following applications are installed and running: spybot, spyware doctor, mbam.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 30 March 2008 - 12:29 AM

Lets try renaming Hijackthis.
  • Please go to the folder where you saved Hijackthis.exe:
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new logfile.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 March 2008 - 01:42 AM

Here is a HijackThis log. My current problems:

1. At startup get error message: C:Error loading C:\Windows\system32\pxsttgqi.dll. The specified module could not be found.

2. Constant popups and redirects in Internet Explorer

3. Your computer is infected. I continually receive this message while I am using Internet Explorer.

This is a home personal computer with a citrix link to work computer.


Thanks for your help.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:17 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\BigFix\bigfix.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1154307608\ee\aolsoftware.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack this\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\pxsttgqi.dll",b
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\WINDOWS\system32\qwmovihb.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Owner\Application Data\haseb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
O24 - Desktop Component 0: (no name) - http://www.theabeforum.com/attachment.php?id=5
O24 - Desktop Component 1: (no name) - http://herballegacy.com/images/img00294.gif
O24 - Desktop Component 2: (no name) - http://i.a.cnn.net/si/.element/img/3.0/glo...ue_gradient.jpg

--
End of file - 11032 bytes

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 30 March 2008 - 12:18 PM

Hi Sapphiah,

This computer is really infected. :thumbsup:


Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 March 2008 - 04:07 PM

SDFix: Version 1.164

Run by Owner on Sun 03/30/2008 at 04:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting


Infected beep.sys Found!

beep.sys File Locations:

"C:\WINDOWS\Drivers\beep.sys" 34304 03/10/2008 12:41 AM
"C:\WINDOWS\system32\drivers\beep.sys" 34304 03/10/2008 12:41 AM

Infected File Listed Below:

C:\WINDOWS\system32\drivers\beep.sys

File copied to Backups Folder
Attempting to replace beep.sys with original version


Original beep.sys Restored

"C:\WINDOWS\Drivers\beep.sys" 34304 03/10/2008 12:41 AM
"C:\WINDOWS\system32\dllcache\beep.sys" 4224 03/29/2008 08:58 PM
"C:\WINDOWS\system32\drivers\beep.sys" 4224 03/29/2008 08:58 PM



Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\WINDOWS\mrofinu1188.exe.tmp - Deleted
C:\WINDOWS\braviax.exe - Deleted
C:\WINDOWS\cru629.dat - Deleted
C:\WINDOWS\Fonts\Setup.exe - Deleted
C:\WINDOWS\system32\braviax.exe - Deleted
C:\WINDOWS\system32\cru629.dat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\winivstr.exe - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 118,335 bytes - Deleted
C:\WINDOWS\Fonts\-\*.zip - 5554 File(s) 657,238,144 bytes - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\Fonts\- - Removed


The below files have been patched by Trojan.Agent to load users32.dat and should be replaced:

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\WINDOWS\system32\NeroCheck.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 16:37:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\WINDOWS\\system32\\lxcicoms.exe"="C:\\WINDOWS\\system32\\lxcicoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 30 Jun 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 30 Jun 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 30 Jun 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 24 Sep 2003 49,238 A..H. --- "C:\Program Files\America Online 9.0a\aolphx.exe"
Wed 24 Sep 2003 36,954 A..H. --- "C:\Program Files\America Online 9.0a\aoltray.exe"
Wed 24 Sep 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0a\RBM.exe"
Fri 23 Feb 2007 225,380 A..H. --- "C:\Program Files\America Online 9.0a\waol.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Sat 7 Jun 2003 77,824 A..H. --- "C:\bundle\PictureIt\PIP\LAUNCHER.EXE"
Wed 21 Sep 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 21 Mar 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Tue 18 Mar 2008 707 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK"
Wed 21 Sep 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Fri 23 Sep 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 21 Sep 2005 400 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Fri 23 Sep 2005 10,752 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2lic.bak"
Wed 24 Sep 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Fri 14 Mar 2008 4,192 A.SH. --- "C:\Documents and Settings\Owner\Application Data\Roxio\Dragon\3.x\DiscInfoCache\HL-DT-ST_DVDRAM_GSA-4120B_A102_300_DICV018_DRGV300002C.TMP"

Finished!









NEW HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:01 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
c:\program files\common files\aol\1154307608\ee\aolsoftware.exe
C:\Hijack this\AnalyzeThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\pxsttgqi.dll",b
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\WINDOWS\system32\qwmovihb.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Owner\Application Data\haseb.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
O24 - Desktop Component 0: (no name) - http://www.theabeforum.com/attachment.php?id=5
O24 - Desktop Component 1: (no name) - http://herballegacy.com/images/img00294.gif
O24 - Desktop Component 2: (no name) - http://i.a.cnn.net/si/.element/img/3.0/glo...ue_gradient.jpg

--
End of file - 11821 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 30 March 2008 - 04:34 PM

Download CCleaner and install it. (default location is best). Do not run it yet!

Beginner’s Guide to CCleaner

*******************************************


Please disable Teatimer, SpywareDoctor and WinPatrol before using Hijackthis.

Disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

To disable WinPatrol
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.


How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key. If that does not work this go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\WINDOWS\system32\qwmovihb.dll",s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Owner\Application Data\haseb.exe




*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, delete the following files in bold

C:\WINDOWS\braviax.exe <==file
C:\WINDOWS\system32\braviax.exe <==file
C:\WINDOWS\system32\qwmovihb.dll <==file
C:\Documents and Settings\Owner\Application Data\haseb.exe <==file


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, and post a new Hijackthis log

Edited by SifuMike, 30 March 2008 - 04:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 31 March 2008 - 01:50 AM

ADDITIONAL INFORMATION

I encountered 2 problems in cleaning my computer during the file hunt section:

1. Could not find file C:\WINDOWS\braviax.exe (found a file in a "backups" folder, deleted it)
2. Could not find file C:\Documents and Settings\Owner\Application Data\haseb.exe

Before I ran HijackThis again, I ran mbam and ad aware 2007. Found no infections. However, I still get an error message at startup.....

C:Error loading C:\Windows\system32\pxsttgqi.dll. The specified module could not be found.


And AOL Spyware Protection said that it found and blocked "Estalive."




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:16 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\BigFix\bigfix.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1154307608\ee\aolsoftware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Hijack this\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\pxsttgqi.dll",b
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
O24 - Desktop Component 0: (no name) - https://secure.shoppersmetropolis.com/61182...aderRegPage.gif
O24 - Desktop Component 1: (no name) - http://www.theabeforum.com/attachment.php?id=5
O24 - Desktop Component 2: (no name) - http://herballegacy.com/images/img00294.gif
O24 - Desktop Component 3: (no name) - http://i.a.cnn.net/si/.element/img/3.0/glo...ue_gradient.jpg

--
End of file - 11481 bytes

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 31 March 2008 - 09:57 AM

Hello Sapphiah,

Beside all the other infections, you have a bad vundo infection, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your Norton Antivirus, SpywareDoctor and WinPatrol, AOL Spyware Protection and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.


Disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

To disable WinPatrol
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <== IMPORTANT

I cannot help you unless you install the Windows XP Recovery Console; if you have not previously installed it, then please install it now. <== IMPORTANT

You DO NOT need to have the Windows CD to install Recovery Console!

When Recovery Console installs correctly, ComboFix will give you a log like this:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons




We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read  here   what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.


After you have Recovery Console installed, then run ComboFix and post the ComboFix log.

Edited by SifuMike, 31 March 2008 - 10:01 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 31 March 2008 - 08:14 PM

The error message regarding windows dll still appears and this time I got an error message stating that Norton Anti-virus auto-protect driver could not be loaded. Your system is not protected from viruses. Please restart your computer....OK or Cancel. Also, something about scripts was mentioned by Norton. I wasn't really relying on it anyway and it needs to be updated? So, should I uninstall Norton?







ComboFix 08-03-30.4 - Owner 2008-03-31 19:55:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.241 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\WINDOWS\BM57247bb3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\d4
C:\WINDOWS\system32\e5
C:\WINDOWS\system32\g7
C:\WINDOWS\system32\gvtgwviq.dll
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\w8

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 22:41 . 2008-03-30 22:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-30 22:41 . 2008-03-30 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-03-30 17:37 . 2008-03-30 17:40 <DIR> d-------- C:\Black Women's Issues
2008-03-30 16:23 . 2008-03-30 16:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-30 16:11 . 2008-03-30 16:52 <DIR> d-------- C:\SDFix
2008-03-27 17:43 . 2008-03-27 19:43 <DIR> d-------- C:\Jobs
2008-03-26 02:49 . 2008-03-31 13:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-26 02:49 . 2008-03-26 02:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Program Files\BillP Studios
2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-03-21 23:14 . 2008-03-29 22:38 <DIR> d-------- C:\WinPatrol 2007
2008-03-21 17:04 . 2008-03-31 02:29 <DIR> d-------- C:\Hijack this
2008-03-19 16:44 . 2008-03-19 16:44 <DIR> d-------- C:\bleepingcomputer_files
2008-03-19 16:44 . 2008-03-19 16:44 56,518 --a------ C:\bleepingcomputer.htm
2008-03-18 18:51 . 2008-03-18 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-18 18:32 . 2008-03-18 18:32 14,336 --a------ C:\sRVN.exe
2008-03-18 18:11 . 2004-08-19 21:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-18 18:11 . 2004-08-19 21:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-18 18:11 . 2004-08-19 21:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-03-18 18:11 . 2004-08-19 21:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-18 17:50 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 02:34 . 2008-03-30 02:30 <DIR> d-------- C:\Hijack This Log
2008-03-17 04:17 . 2008-03-17 20:14 <DIR> d-------- C:\Program Files\Google
2008-03-17 02:21 . 2008-03-31 00:58 14,845,991 --a------ C:\WINDOWS\system32.zip
2008-03-17 02:16 . 2008-03-17 02:16 <DIR> d-------- C:\Autoruns
2008-03-17 01:44 . 2008-03-17 01:51 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-03-14 14:40 . 2008-03-14 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-14 03:03 . 2008-03-14 03:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-14 03:03 . 2008-03-14 03:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-14 03:01 . 2008-03-14 03:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 04:05 . 2008-03-12 04:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-12 01:43 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-11 00:12 . 2008-03-11 15:02 <DIR> d-------- C:\Receipts
2008-03-10 02:04 . 2008-03-11 15:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 02:04 . 2008-03-10 02:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-10 02:04 . 2008-03-10 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 02:02 . 2008-03-10 02:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-10 00:45 . 2008-03-10 00:45 16,787 --a------ C:\Documents and Settings\All Users\Application Data\utunag.exe
2008-03-10 00:45 . 2008-03-10 00:45 15,529 --a------ C:\WINDOWS\obyfezeg.dl
2008-03-10 00:45 . 2008-03-10 00:45 15,346 --a------ C:\WINDOWS\imabomixa.db
2008-03-10 00:45 . 2008-03-10 00:45 14,014 --a------ C:\Documents and Settings\Owner\Application Data\nofopupip.pif
2008-03-10 00:45 . 2008-03-10 00:45 12,709 --a------ C:\WINDOWS\emehufuwaw.lib
2008-03-10 00:45 . 2008-03-10 00:45 11,899 --a------ C:\WINDOWS\system32\potyxo.inf
2008-03-10 00:45 . 2008-03-10 00:45 11,745 --a------ C:\WINDOWS\vozesubaw.lib
2008-03-10 00:45 . 2008-03-10 00:45 11,246 --a------ C:\Program Files\Common Files\dacotyko.bin
2008-03-10 00:45 . 2008-03-10 00:45 10,622 --a------ C:\WINDOWS\ygafu.db
2008-03-10 00:41 . 2008-03-10 00:41 59,904 --a------ C:\Documents and Settings\Owner\wn852.exe
2008-03-09 10:57 . 2008-03-09 10:57 48,668 --a------ C:\verbena2.docx
2008-03-09 10:18 . 2008-03-09 10:18 17,573 --a------ C:\Congratulations to the Verbena.docx
2008-03-08 04:13 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 04:13 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 04:13 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-03 20:37 . 2008-03-03 20:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks
2008-02-29 23:53 . 2008-02-29 23:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NewSoft
2008-02-29 00:54 . 2008-02-29 00:55 <DIR> d-------- C:\Program Files\MFInstall
2008-02-28 17:30 . 2008-03-01 04:38 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-26 01:44 . 2008-02-26 01:44 <DIR> d-------- C:\Sunrider International - Your order detail and status-Sun-12_files
2008-02-26 01:44 . 2008-02-26 01:44 22,728 --a------ C:\Sunrider International - Your order detail and status-Sun-12.htm
2008-02-25 22:48 . 2008-02-25 22:48 <DIR> d-------- C:\Getting the Most Out of a Writing Conference_files
2008-02-25 22:48 . 2008-02-25 22:48 15,089 --a------ C:\Getting the Most Out of a Writing Conference.htm
2008-02-25 19:16 . 2008-02-25 19:16 <DIR> d-------- C:\Hamilton County Clerk Express Tag Renewal Center_files
2008-02-25 19:16 . 2008-02-25 19:16 17,147 --a------ C:\Hamilton County Clerk Express Tag Renewal Center.htm
2008-02-24 16:31 . 2008-02-24 16:31 39,642 --a------ C:\Yahoo! Registration Confirmation.htm
2008-02-23 17:05 . 2008-02-23 17:07 <DIR> d-------- C:\Kionas Old
2008-02-23 14:29 . 2008-03-08 01:02 <DIR> dr------- C:\Kionas Music
2008-02-23 14:29 . 2008-02-23 17:01 <DIR> d-------- C:\Kierans Music
2008-02-23 14:27 . 2008-02-23 14:27 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-23 04:50 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-02-23 04:01 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-22 16:26 . 2008-03-07 20:43 109 --a------ C:\WINDOWS\webica.ini
2008-02-21 02:22 . 2008-02-26 03:05 <DIR> d-------- C:\WORK
2008-02-20 04:56 . 2008-02-20 04:56 <DIR> d-------- C:\HSN_com-receipt022008_files
2008-02-20 04:56 . 2008-02-20 04:56 48,096 --a------ C:\HSN_com-receipt022008.htm
2008-02-18 01:07 . 2008-02-18 01:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Amazon
2008-02-18 01:05 . 2008-02-18 01:05 <DIR> d-------- C:\Program Files\Amazon
2008-02-17 19:42 . 2008-02-17 21:56 <DIR> d-------- C:\BBQ
2008-02-17 18:45 . 2008-03-19 16:31 <DIR> d-------- C:\The Best Sandwiches in America - Esquire_files
2008-02-17 18:45 . 2008-02-17 18:45 56,939 --a------ C:\The Best Sandwiches in America - Esquire.htm
2008-02-17 03:14 . 2008-02-17 03:14 11,423 --a------ C:\1-DailyRoutine.docx
2008-02-15 01:33 . 2008-02-15 01:33 <DIR> d-------- C:\Lew Magram Order Confirmation_files
2008-02-15 01:33 . 2008-02-15 01:33 11,957 --a------ C:\Lew Magram Order Confirmation.htm
2008-02-14 03:05 . 2008-02-15 03:28 <DIR> d-------- C:\Barefoot Herbalist
2008-02-10 15:53 . 2008-02-10 15:53 22,412 --a------ C:\1-How can i connect my laptop.docx
2008-02-10 15:52 . 2008-02-10 15:52 106,893 --a------ C:\1-Step by step - router.docx
2008-02-10 15:41 . 2008-02-10 15:41 70,123 --a------ C:\1-router notes.docx
2008-02-10 14:56 . 2008-02-10 14:56 9,173 --a------ C:\spy doctor license.xlsx
2008-02-10 14:23 . 2008-02-10 14:23 8,293 --a------ C:\1-orderStatus.htm
2008-02-10 14:22 . 2008-02-10 14:22 7,507 --a------ C:\1-RegNow Order Form.htm
2008-02-10 14:18 . 2008-02-10 14:18 7,515 --a------ C:\1-RegNow_com - Shareware Registration Service - Ecommerce - Shopping Cart.htm
2008-02-08 04:16 . 2008-03-16 00:02 <DIR> d-------- C:\Roots
2008-02-07 12:51 . 2008-03-31 18:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-02 03:44 . 2008-02-02 03:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-02 03:41 . 2007-01-17 16:45 413,696 --a------ C:\WINDOWS\system32\lxcidrs.dll
2008-02-02 03:41 . 2005-08-08 10:01 61,440 --a------ C:\WINDOWS\system32\lxcicnv4.dll
2008-02-01 23:12 . 2007-05-23 17:58 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-01 23:12 . 2007-05-23 17:58 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-01 23:12 . 2007-05-23 17:58 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-01 23:12 . 2007-05-23 17:58 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2008-02-01 23:12 . 2007-05-23 17:58 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-01 23:11 . 2008-03-31 18:19 <DIR> d-------- C:\Program Files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 23:07 --------- d-----w C:\Program Files\lx_Cats
2008-03-31 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 00:58 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-03-17 08:16 --------- d-----w C:\Program Files\Java
2008-03-17 08:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-14 19:07 --------- d-----w C:\Program Files\Pure Networks
2008-03-14 18:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-14 18:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-13 00:04 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-03-13 00:04 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-03-13 00:04 --------- d-----w C:\Program Files\Digital Media Reader
2008-03-13 00:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-10 04:45 19,230 ----a-w C:\Program Files\Common Files\igaseqe.ban
2008-02-28 21:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\ICAClient
2008-02-22 18:19 --------- d-----w C:\Program Files\Citrix
2008-01-31 22:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 22:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-31 22:34 --------- d-----w C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-01-31 22:32 --------- d-----w C:\Program Files\Lexmark Applications
2008-01-31 22:32 --------- d-----w C:\Program Files\Common Files\NewSoft
2007-05-07 06:54 648 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
Files Infected - Win32.Agent.zb
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\WINDOWS\system32\NeroCheck.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 15:00 200704]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-03-10 01:09 218032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-03-10 01:09 32768]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-10 01:09 70816]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [2008-03-10 01:09 124096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-03-10 01:09 155648]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-03-10 01:09 53248]
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2008-03-10 01:09 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 15:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 22:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 14:38 71256]
"HostManager"="C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe" [2008-03-15 03:06 50736]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-03-10 01:09 126104]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2008-03-10 01:09 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2008-03-10 01:09 294912]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-03-10 01:09 31016]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-03-10 01:09 106496]
"lxcimon.exe"="C:\Program Files\Lexmark 7300 Series\lxcimon.exe" [2008-03-10 01:09 205744]
"EzPrint"="C:\Program Files\Lexmark 7300 Series\ezprint.exe" [2008-03-10 01:09 103344]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 14:54 1051464]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-03-17 20:44 144784]
"5417482f"="C:\WINDOWS\system32\pxsttgqi.dll" [ ]
"AOLAspSunset2"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe" [2008-03-14 13:33 53248]
"LXCICATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll" [2006-11-21 13:27 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\lxcicoms.exe"=

R2 lxci_device;lxci_device;C:\WINDOWS\system32\lxcicoms.exe [2007-02-01 22:13]
R2 WENCRNT4;WENCRNT4;C:\WINDOWS\system32\Drivers\WENCRNT4.SYS [2006-05-04 23:12]
S1 Hdaudioo;Hdaudioo;C:\WINDOWS\system32\drivers\Hdaudioo.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-10 04:57:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2005-11-12 16:50:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 19:59:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ATWPKT2]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\ATWPKT2.SYS"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\BigFix\bigfix.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
.
**************************************************************************
.
Completion time: 2008-03-31 20:01:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-01 00:01:22
Pre-Run: 182,124,802,048 bytes free
Post-Run: 182,034,132,992 bytes free
.
2008-03-12 23:49:13 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:10 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijack this\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\pxsttgqi.dll",b
O4 - HKLM\..\Run: [AOLAspSunset2] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
O24 - Desktop Component 0: (no name) - https://secure.shoppersmetropolis.com/61182...aderRegPage.gif
O24 - Desktop Component 1: (no name) - http://www.theabeforum.com/attachment.php?id=5
O24 - Desktop Component 2: (no name) - http://herballegacy.com/images/img00294.gif
O24 - Desktop Component 3: (no name) - http://i.a.cnn.net/si/.element/img/3.0/glo...ue_gradient.jpg

--
End of file - 11372 bytes

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:46 AM

Posted 01 April 2008 - 12:18 AM

Hello Sapphiah,

I will have to destroy those infected files so you have to uninstall then re-install the associated programs:

Files Infected - Win32.Agent.zb
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\WINDOWS\system32\NeroCheck.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe


Please uninstall these via Add or Remove Programs. You may reinstall them after your run combofix (which will delete the above files) .

Digital Media Reader
AOL
Symantec
Java jre1.6.0_05
lexmark
CorelPhot album6
nero
musicmatch
CyberLink\PowerDVD
Lexmark 7300 Series


You need to disable your Norton Antivirus, SpywareDoctor and WinPatrol and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable Norton Antivirus:  
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • right-click it -> chose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
  • click "Ok."
  • a popup will warn that protection will now be disabled and the sign will now look like this: Posted Image
You succesfully disabled the Norton Antivirus Guard.


Disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

To disable WinPatrol
Right-click the running icon of Winpatrol in the system tray and choose exit. It will automatically restart at next boot.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\WINDOWS\system32\NeroCheck.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\obyfezeg.dl
C:\WINDOWS\imabomixa.db
C:\WINDOWS\emehufuwaw.lib
C:\WINDOWS\system32\potyxo.inf
C:\WINDOWS\vozesubaw.lib
C:\Program Files\Common Files\dacotyko.bin
C:\WINDOWS\ygafu.db
C:\Documents and Settings\Owner\wn852.exe
C:\verbena2.docx
C:\Congratulations to the Verbena.docx
C:\WINDOWS\system32\pxsttgqi.dll

Registry:: 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=-  
"ccApp"=-  
"NAV CfgWiz"=-
"NeroFilterCheck"=-
"mmtask"=- 
"SunKistEM"=-   
"HostManager"=-  
"IPHSend"=- 
"Lexmark 3100 Series"=- 
"LXBRKsk"=- 
"GrooveMonitor"=- 
"Corel Photo Downloader"=- 
"lxcimon.exe"=- 
"EzPrint"=- 
"SunJavaUpdateSched"=- 
"5417482f"=-
"AOLAspSunset2"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

THEN

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously

Edited by SifuMike, 01 April 2008 - 12:20 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Sapphiah

Sapphiah
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 02 April 2008 - 05:19 PM

I hope I did this correctly. I'm afraid that I may have uninstalled too much. I could not retrieve my AOL emails. Can combofix restore the previous backup.? I also copied some of those files to a disk. Maybe I can use it. See the following logs:

Background information:

vundo virus, causing constant popups/redirections and missing windows dll file.


ComboFix 08-03-30.4 - Owner 2008-04-02 16:59:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.207 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Congratulations to the Verbena.docx
C:\Documents and Settings\Owner\wn852.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Common Files\AOL\1154307608\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Common Files\dacotyko.bin
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Microsoft Office\Office12\groovemonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\verbena2.docx
C:\WINDOWS\emehufuwaw.lib
C:\WINDOWS\imabomixa.db
C:\WINDOWS\obyfezeg.dl
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\potyxo.inf
C:\WINDOWS\system32\pxsttgqi.dll
C:\WINDOWS\vozesubaw.lib
C:\WINDOWS\ygafu.db
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Congratulations to the Verbena.docx
C:\Documents and Settings\Owner\wn852.exe
C:\Program Files\Common Files\dacotyko.bin
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\verbena2.docx
C:\WINDOWS\emehufuwaw.lib
C:\WINDOWS\imabomixa.db
C:\WINDOWS\obyfezeg.dl
C:\WINDOWS\system32\potyxo.inf
C:\WINDOWS\vozesubaw.lib
C:\WINDOWS\ygafu.db

.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 02:34 . 2008-04-02 02:34 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-30 22:41 . 2008-03-30 22:48 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-30 22:41 . 2008-03-30 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-03-30 17:37 . 2008-03-30 17:40 <DIR> d-------- C:\Black Women's Issues
2008-03-30 16:23 . 2008-03-30 16:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-30 16:11 . 2008-03-30 16:52 <DIR> d-------- C:\SDFix
2008-03-27 17:43 . 2008-03-27 19:43 <DIR> d-------- C:\Jobs
2008-03-26 02:49 . 2008-03-31 13:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-26 02:49 . 2008-03-26 02:49 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Program Files\BillP Studios
2008-03-21 23:15 . 2008-03-21 23:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinPatrol
2008-03-21 23:14 . 2008-03-29 22:38 <DIR> d-------- C:\WinPatrol 2007
2008-03-21 17:04 . 2008-03-31 20:56 <DIR> d-------- C:\Hijack this
2008-03-19 16:44 . 2008-03-19 16:44 <DIR> d-------- C:\bleepingcomputer_files
2008-03-19 16:44 . 2008-03-19 16:44 56,518 --a------ C:\bleepingcomputer.htm
2008-03-18 18:51 . 2008-03-18 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-18 18:32 . 2008-03-18 18:32 14,336 --a------ C:\sRVN.exe
2008-03-18 18:11 . 2004-08-19 21:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-03-18 18:11 . 2004-08-19 21:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-03-18 18:11 . 2004-08-19 21:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-03-18 18:11 . 2004-08-19 21:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-03-18 17:50 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-18 02:34 . 2008-03-30 02:30 <DIR> d-------- C:\Hijack This Log
2008-03-17 04:17 . 2008-03-17 20:14 <DIR> d-------- C:\Program Files\Google
2008-03-17 02:21 . 2008-03-31 00:58 14,845,991 --a------ C:\WINDOWS\system32.zip
2008-03-17 02:16 . 2008-03-17 02:16 <DIR> d-------- C:\Autoruns
2008-03-17 01:44 . 2008-03-17 01:51 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-03-14 14:40 . 2008-03-14 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-14 03:03 . 2008-03-14 03:03 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-14 03:03 . 2008-03-14 03:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-14 03:01 . 2008-03-14 03:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-12 04:05 . 2008-03-12 04:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-11 00:12 . 2008-03-11 15:02 <DIR> d-------- C:\Receipts
2008-03-10 02:04 . 2008-03-11 15:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 02:04 . 2008-03-10 02:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-03-10 02:04 . 2008-03-10 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-10 02:02 . 2008-03-10 02:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-10 00:45 . 2008-03-10 00:45 16,787 --a------ C:\Documents and Settings\All Users\Application Data\utunag.exe
2008-03-10 00:45 . 2008-03-10 00:45 14,014 --a------ C:\Documents and Settings\Owner\Application Data\nofopupip.pif
2008-03-08 04:13 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 04:13 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 04:13 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-03 20:37 . 2008-03-03 20:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 18:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-02 06:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-02 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-02 06:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2008-04-02 06:42 --------- d-----w C:\Program Files\CyberLink
2008-04-02 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-02 06:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-02 06:38 --------- d-----w C:\Program Files\Symantec
2008-04-02 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 06:37 --------- d-----w C:\Program Files\MUSICMATCH
2008-04-02 06:35 --------- d-----w C:\Program Files\Lexmark 7300 Series
2008-04-02 06:28 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-02 06:28 --------- d-----w C:\Program Files\Majestic Chess
2008-04-02 06:28 --------- d-----w C:\Program Files\DivX
2008-04-02 06:28 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-04-02 06:28 --------- d-----w C:\Program Files\Common Files\aolshare
2008-04-02 06:28 --------- d-----w C:\Program Files\America Online 9.0a
2008-04-02 06:28 --------- d-----w C:\Program Files\America Online 9.0
2008-04-01 17:41 --------- d-----w C:\Program Files\lx_Cats
2008-03-31 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-30 00:58 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-03-17 08:07 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-10 04:45 19,230 ----a-w C:\Program Files\Common Files\igaseqe.ban
2008-03-01 03:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\NewSoft
2008-02-29 04:55 --------- d-----w C:\Program Files\MFInstall
2008-02-28 21:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-22 20:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\ICAClient
2008-02-22 18:19 --------- d-----w C:\Program Files\Citrix
2008-02-18 05:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\Amazon
2008-02-18 05:05 --------- d-----w C:\Program Files\Amazon
2008-02-02 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
2008-02-02 03:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\PC Tools
2007-05-07 06:54 648 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_20.00.55.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-09-04 03:56:36 57,344 ----a-w C:\WINDOWS\LastGood\system32\lxbrcinf.dll
+ 2003-09-04 03:56:29 49,152 ----a-w C:\WINDOWS\LastGood\system32\lxbrcoin.dll
+ 2003-09-04 03:56:32 69,632 ----a-w C:\WINDOWS\LastGood\system32\lxbrscin.dll
+ 2001-08-18 03:36:34 87,040 ----a-w C:\WINDOWS\LastGood\system32\wiafbdrv.dll
+ 2008-03-05 12:30:56 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 15:00 200704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 18:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"CHotkey"="zHotkey.exe" [2004-05-17 21:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 15:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 22:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-06-27 14:54 1051464]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R2 WENCRNT4;WENCRNT4;C:\WINDOWS\system32\Drivers\WENCRNT4.SYS [2006-05-04 23:12]
S1 Hdaudioo;Hdaudioo;C:\WINDOWS\system32\drivers\Hdaudioo.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 17:01:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 17:01:45
ComboFix-quarantined-files.txt 2008-04-02 21:01:43
ComboFix2.txt 2008-04-01 00:01:27
Pre-Run: 182,179,250,176 bytes free
Post-Run: 182,167,306,240 bytes free
.
2008-04-01 00:53:38 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:05 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wentxp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\common files\aol\1154307608\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp2.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijack this\AnalyzeThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
O24 - Desktop Component 0: (no name) - https://secure.shoppersmetropolis.com/61182...aderRegPage.gif
O24 - Desktop Component 1: (no name) - http://www.theabeforum.com/attachment.php?id=5
O24 - Desktop Component 2: (no name) - http://herballegacy.com/images/img00294.gif
O24 - Desktop Component 3: (no name) - http://i.a.cnn.net/si/.element/img/3.0/glo...ue_gradient.jpg

--
End of file - 6673 bytes


aolconnfix.exe;C:\;Trojan.PWS.Gamania.origin;Incurable.Moved.;




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users