Could Someone Please Check My Logs


This topic is locked
7 replies to this topic

#1 redcorvette

  • Members
  • 4 posts

Posted 10 May 2007 - 07:29 PM

I hope I am doing this right. I did a scan with HijackThis but I have no idea what it is really telling me. My problem is that when I do a search (with any search engine) I get the normal results, but when I click on one of the results (links) I get redirected to a completely different site, which is always an advertisement site. This is starting to happen with my saved favorites too. I am using Internet Explorer 7. I have done an Ad-Aware scan, a Spybot scan, a Norton AntiVirus scan and nothing comes up. I have all the latest updates, including Windows Updates. I am hoping that there is something that shows up in this HijackThis scan that will tell why I am having this problem. Thanks for the help!

SCAN LOG - one thing that I notice is there are 6 svchost.exe processes running on my computer. Is this normal?

Logfile of HijackThis v1.99.1
Scan saved at 8:53:41 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam Richardson\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176871611453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178310146781
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Edited by redcorvette, 10 May 2007 - 07:58 PM.
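The log above is the plain-text format HijackThis v1.99 writes: a process list, then one entry per line keyed by section code (R1, O2, O4, O23 and so on). An analyst reading it by hand looks first at an O2 BHO entry that ends in "(no file)" (a stale registration with no DLL behind it), at O4 autoruns that launch a script file when a script host such as WScript.exe is also in the process list, and at the svchost.exe count (several instances are normal on XP, one per service group, so the number on its own is not a verdict). The Python below is an added example written for this editorial pass; it is not part of the thread and not HijackThis code. Its sample is a verbatim subset of the first log in this topic, and the flagging rules are my own triage heuristics, not the tool's.

```python
"""Triage helpers for a HijackThis v1.99 text log (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# A subset of the first HijackThis log posted in this thread, copied verbatim.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

# Entry lines look like "O4 - HKLM\..\Run: [name] command"; the prefix is the section code.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristics of my own: script files and script hosts in an autorun deserve a look.
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running processes, [(section code, entry body), ...])."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def triage(text: str) -> Dict[str, object]:
    """Count svchost.exe instances and collect entries worth a second look."""
    processes, entries = parse_log(text)
    names = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    findings: List[str] = []
    for host in SCRIPT_HOSTS:
        if names[host]:
            findings.append(f"script host running: {host} (check which O4 entry launched it)")
    for kind, body in entries:
        if kind == "O2":
            m = O2_RE.match(body)
            if m and m.group("path").lower() == "(no file)":
                findings.append(f"orphaned BHO {{{m.group('clsid')}}}: registered, DLL missing")
        elif kind == "O4":
            m = O4_RE.match(body)
            if m is None:
                continue              # e.g. "Global Startup: x.lnk = path" has no [name]
            cmd = m.group("cmd")
            if SCRIPT_FILE_RE.search(cmd) or any(h in cmd.lower() for h in SCRIPT_HOSTS):
                findings.append(f"autorun [{m.group('name')}] runs a script: {cmd}")
    # Several svchost.exe instances are expected on XP (one per service group);
    # the count is reported for context, not as a verdict.
    return {"svchost_count": names["svchost.exe"], "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log rather than the sample by reading the saved HijackThis text file into `triage`; a finding means "look at this entry", and the hand check that follows (is the DLL or script a known product, who signs it) is still the analyst's job.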



#2 RichieUK

    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 11 May 2007 - 08:37 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum redcorvette :thumbsup:

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open; at the bottom of the window, to the right of Attributes, check the box that says 'Read-only'.
4) Click Apply/OK.

*********************

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

*********************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*********************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of C:\ComboFix.txt, the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log in your next reply.
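The first two steps above replace the HOSTS file with Microsoft's original (which maps only localhost to 127.0.0.1) and then set the read-only attribute so a later rewrite fails. The check a defender wants before and after that step is whether any name in the file is mapped somewhere other than loopback: a name sent to 127.0.0.1 or 0.0.0.0 is a block-list entry (what Spybot and similar tools add), while a name sent to any other address is a redirect and is exactly how a hijacked HOSTS file looks. The Python below is an added example written for this editorial pass; it is not part of the thread and does not reproduce HostsXpert. The sample HOSTS text is constructed (203.0.113.0/24 is a documentation range), and the read-only check relies on `st_file_attributes`, which Python only populates on Windows.

```python
"""Audit a Windows HOSTS file for redirects (added example)."""
import ipaddress
import os
import stat
from typing import Dict, List, Tuple

# Names mapped to one of these are blocked, not redirected.
BLOCK_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real site.
SAMPLE_HOSTS = """\
# Sample header comment, as in Microsoft's default file
127.0.0.1       localhost
127.0.0.1       ads.example.net          # block-list style entry
0.0.0.0         tracker.example.org      # also a block
203.0.113.7     www.example-search.test  # redirect: lookups never reach the real host
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)   # first token must be a literal address
        except ValueError:
            continue
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Split entries into block-list mappings and redirects to some other address."""
    blocked: List[str] = []
    redirects: List[str] = []
    for address, name in parse_hosts(text):
        if name == "localhost" and address in BLOCK_TARGETS:
            continue                      # the one line Microsoft's default file contains
        if address in BLOCK_TARGETS:
            blocked.append(name)
        else:
            redirects.append(f"{name} -> {address}")
    return {"blocked": blocked, "redirects": redirects}


def is_default_hosts(text: str) -> bool:
    """True when the only mapping left is localhost -> loopback, i.e. the restored original."""
    pairs = parse_hosts(text)
    return bool(pairs) and all(a in BLOCK_TARGETS and n == "localhost" for a, n in pairs)


def hosts_is_read_only(path: str) -> bool:
    """Windows only: report whether the read-only attribute is set on the file."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)   # absent on non-Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print("default file:", is_default_hosts(SAMPLE_HOSTS))
```

On the machine in question the file is `C:\WINDOWS\System32\drivers\etc\HOSTS`; reading it into `audit_hosts` before the reset shows what the redirects were, and `is_default_hosts` plus `hosts_is_read_only` confirm the two steps took effect afterwards. The read-only attribute is a speed bump rather than a lock, since anything running as an administrator can clear it, which is why the post pairs it with the other scans.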

#3 redcorvette

  • Topic Starter
  • Members
  • 4 posts

Posted 11 May 2007 - 05:14 PM

Combo Fix log -

"Adam Richardson" - 2007-05-11 17:55:37 Service Pack 2
ComboFix 07-05.11.5V - Running from: "C:\Documents and Settings\Adam Richardson\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kdkpb.exe


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))


2007-05-10 17:06 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Keynote Systems
2007-05-09 20:32 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-05-07 00:52 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-05-04 23:28 <DIR> d-------- C:\Senior Exit Project
2007-05-04 16:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-05-04 15:26 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-05-04 15:25 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-05-04 15:24 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-05-04 15:22 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-05-04 15:19 <DIR> dr-h----- C:\MSOCache
2007-05-01 16:57 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-05-01 16:57 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-05-01 16:57 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-26 15:51 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Aim
2007-04-26 15:49 <DIR> d-------- C:\Program Files\AOD
2007-04-26 15:49 <DIR> d-------- C:\Program Files\AIM
2007-04-26 14:49 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\DivX
2007-04-26 11:02 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Nvu
2007-04-26 11:01 <DIR> d-------- C:\Program Files\Nvu
2007-04-26 10:46 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\Shared
2007-04-26 10:46 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\Incomplete
2007-04-26 10:46 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\LimeWire
2007-04-26 10:38 <DIR> d-------- C:\Program Files\LimeWire
2007-04-25 21:58 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-25 21:47 <DIR> d-------- C:\Program Files\Microsoft Games
2007-04-25 20:25 <DIR> d-------- C:\Program Files\Valve
2007-04-24 21:06 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-04-24 21:06 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-04-24 20:52 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\AdobeUM
2007-04-24 20:46 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Kensington
2007-04-24 20:44 90,752 --a------ C:\WINDOWS\system32\drivers\KMW_SYS.sys
2007-04-24 20:44 5,248 --a------ C:\WINDOWS\system32\drivers\KMW_KBD.sys
2007-04-24 20:44 4,736 --a------ C:\WINDOWS\system32\drivers\KMW_LIB.sys
2007-04-24 20:44 172,032 --a------ C:\WINDOWS\system32\kmw_show.exe
2007-04-24 20:44 110,592 --a------ C:\WINDOWS\system32\kmw_dll.dll
2007-04-24 20:44 106,496 --a------ C:\WINDOWS\system32\kmw_run.exe
2007-04-24 20:44 <DIR> d-------- C:\Program Files\Kensington
2007-04-24 20:43 <DIR> d-------- C:\Program Files\hp deskjet 5550 series
2007-04-24 20:42 147,512 --a------ C:\WINDOWS\system32\hpzlnt06.dll
2007-04-24 20:40 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-04-24 20:32 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-04-24 20:31 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-04-24 20:31 <DIR> d-------- C:\NVIDIA
2007-04-19 11:43 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-04-19 11:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-19 11:41 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-19 11:33 <DIR> d-------- C:\Program Files\iTunes
2007-04-19 11:33 <DIR> d-------- C:\Program Files\iPod
2007-04-19 11:33 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Apple Computer
2007-04-19 11:32 <DIR> d-------- C:\Program Files\Apple Software Update
2007-04-19 11:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-19 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-04-19 11:11 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-19 11:00 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-04-19 11:00 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-04-19 11:00 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-04-19 11:00 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-04-19 11:00 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-04-19 11:00 <DIR> d-------- C:\Program Files\DivX
2007-04-19 10:56 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\3M
2007-04-19 10:55 <DIR> d-------- C:\Program Files\3M
2007-04-19 10:53 <DIR> d-------- C:\Program Files\CCleaner
2007-04-19 10:27 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2007-04-19 10:12 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Lavasoft
2007-04-19 05:28 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-19 05:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-19 05:12 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\acccore
2007-04-19 05:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-04-19 05:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-04-19 05:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-04-19 05:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-04-18 23:52 56,832 --a------ C:\WINDOWS\Unwash6.exe
2007-04-18 23:52 <DIR> d-------- C:\Program Files\Webroot
2007-04-18 23:52 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-04-18 23:52 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Webroot
2007-04-18 23:10 <DIR> d--h----- C:\Program Files\New Folder
2007-04-18 11:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-18 11:44 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-18 11:40 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-04-18 11:40 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-04-18 11:40 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-04-18 11:17 83,208 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-18 11:17 73,496 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-18 11:17 <DIR> d-------- C:\Program Files\Symantec_Client_Security
2007-04-18 11:17 <DIR> d-------- C:\Program Files\Symantec
2007-04-18 11:17 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-18 11:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-04-18 11:10 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-18 01:43 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-18 01:43 <DIR> d-------- C:\WINDOWS\peernet
2007-04-18 01:42 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-18 01:36 <DIR> d-------- C:\WINDOWS\EHome
2007-04-18 01:33 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-04-18 01:33 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-04-18 01:08 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-04-18 01:08 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-04-18 01:08 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-04-18 01:07 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-18 01:07 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-18 01:07 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-18 01:07 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-18 01:07 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-18 01:07 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-18 01:07 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-18 01:07 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-18 01:07 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-18 01:07 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-18 01:07 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-18 01:07 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-18 01:07 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-18 01:07 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-18 01:07 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-18 01:07 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-18 01:07 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-18 01:03 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-04-18 00:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-18 00:50 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-04-18 00:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 00:50 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-04-18 00:49 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-04-18 00:49 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-04-18 00:49 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-04-18 00:49 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-04-18 00:49 <DIR> d-------- C:\WINDOWS\system32\bits
2007-04-18 00:47 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-18 00:47 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-04-18 00:47 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-04-18 00:47 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-18 00:47 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-04-18 00:47 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-18 00:46 <DIR> d--hs---- C:\DOCUME~1\ADAMRI~1\UserData
2007-04-18 00:46 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-18 00:43 <DIR> d-------- C:\Program Files\Microsoft Money
2007-04-18 00:41 <DIR> d-------- C:\Program Files\Encarta Online
2007-04-18 00:40 <DIR> d-------- C:\Program Files\Microsoft Works
2007-04-18 00:36 <DIR> d-------- C:\Program Files\VERITAS Software
2007-04-18 00:36 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\VERITAS
2007-04-18 00:35 <DIR> d-------- C:\WUTemp
2007-04-18 00:35 <DIR> d-------- C:\Program Files\CyberLink
2007-04-18 00:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-04-18 00:34 3,407,872 --ah----- C:\DOCUME~1\ADAMRI~1\NTUSER.DAT
2007-04-18 00:34 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-04-18 00:34 182,880 --a------ C:\WINDOWS\system32\iuenginenew.dll
2007-04-18 00:34 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Real
2007-04-18 00:34 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\MSN6
2007-04-18 00:34 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\InterTrust
2007-04-18 00:34 <DIR> d-------- C:\DOCUME~1\ADAMRI~1\APPLIC~1\Help
2007-04-18 00:33 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-04-18 00:33 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Real
2007-04-18 00:33 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\MSN6
2007-04-18 00:33 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\InterTrust
2007-04-18 00:33 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Help
2007-04-18 00:29 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
2007-04-18 00:29 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 01:58:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-25 00:31:36 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-19 15:33:14 -------- d-----w C:\Program Files\QuickTime
2007-04-19 15:11:22 -------- d-----w C:\Program Files\Common Files\Real
2007-04-19 09:11:29 -------- d-----w C:\Program Files\Viewpoint
2007-04-18 15:28:39 -------- d-----w C:\Program Files\Messenger
2007-04-18 15:24:50 -------- d-----w C:\Program Files\MoodLogic
2007-04-18 15:24:13 -------- d-----w C:\Program Files\Sony
2007-04-18 05:43:37 -------- d-----w C:\Program Files\Movie Maker
2007-04-18 05:41:57 -------- d-----w C:\Program Files\Windows NT
2007-04-18 04:47:28 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 07:55:31 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-16 01:40:35 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\lserver\\server.vbs"
"VAIO Recovery"="C:\\Windows\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"kmw_run.exe"="kmw_run.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 C:\WINDOWS\system32\Ati2mdxx.exe])
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 00:00]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-03-11 14:24]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 14:11]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 15:50]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 01:21]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe])
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 08:06]
"kmw_run.exe"="kmw_run.exe" [2004-01-27 09:39 C:\WINDOWS\system32\kmw_run.exe])
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^billminder.lnk
C:\PROGRA~1\Quicken\billmind.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^quicken scheduled updates.lnk
C:\PROGRA~1\Quicken\bagent.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^quicken startup.lnk
C:\PROGRA~1\Quicken\QWDLLS.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\storageguard
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updatemgr
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\window washer
C:\Program Files\Webroot\Washer\wwDisp.exe /startup


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-11 18:01:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-11 18:02:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-11 18:02


Fixwareout log -


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\lserver\\server.vbs"
"VAIO Recovery"="C:\\Windows\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"kmw_run.exe"="kmw_run.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


HijackThis log -

Logfile of HijackThis v1.99.1
Scan saved at 6:11:07 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Documents and Settings\Adam Richardson\Desktop\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176871611453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178310146781
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

#4 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 11 May 2007 - 05:36 PM

one thing that I notice is there are 6 svchost.exe processes running on my computer. Is this normal?

Yes, that's perfectly normal.

Have you still got problems?

#5 redcorvette (Topic Starter)
Members, 4 posts

Posted 11 May 2007 - 06:18 PM

Everything seems to be fine now. Thank you very much. Do you know what was causing the problem with my computer?

#6 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 11 May 2007 - 06:47 PM

Do you know what was causing the problem with my computer?

This file; it looks like you had a 'Wareout' infection.
C:\WINDOWS\system32\kdkpb.exe

***********************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Exit Hijackthis.

***********************

Your log is clean :thumbsup:
If all's ok, please do the following:

Find and delete:
C:\QooBox

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html
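As an added example (not code from this thread, from HijackThis, or from the BleepingComputer team), the script below is a small Python triage helper for HijackThis v1.99.1 logs. It answers the two questions raised in this thread from the log text itself: how many copies of a given process such as svchost.exe are running (post #4), and which O2/O9/O23 entries point at a file that no longer exists, like the orphaned BHO that RichieUK has HijackThis fix in post #6, or name a service with no recorded owner. The sample input is a handful of lines copied from the log posted above; the function names and the reason strings are this example's own.

```python
"""Triage helper for HijackThis v1.99.1 style logs (added example, not HijackThis code)."""
import re
from collections import Counter

# Sample input: lines copied from the HijackThis log posted earlier in this thread,
# trimmed to a few entries so the example runs offline.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Scan saved at 6:11:07 PM, on 5/11/2007

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\\Program Files\\Common Files\\Sony Shared\\VAIO Media Platform\\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP (file missing)
"""

# Every HijackThis finding starts with a section code (R1, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_log(text):
    """Split a log into its list of running processes and its (code, body) findings."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def process_counts(processes):
    """Count running processes by image name, case-insensitively (several svchost.exe is usual on XP)."""
    return Counter(path.rsplit("\\", 1)[-1].lower() for path in processes)


def flag_entries(entries):
    """Return (code, body, reasons) for the findings a responder would examine first.

    "(no name)" on its own is not a reason: legitimate helpers such as Spybot's
    SDHelper.dll are registered without a display name.
    """
    flagged = []
    for code, body in entries:
        reasons = []
        if body.endswith("(no file)"):
            reasons.append("registered object whose file is gone")
        if body.endswith("(file missing)"):
            reasons.append("target file not found at the registered path")
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("service without a recorded owner")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def triage(text):
    """One-call summary: process counts plus the entries to look at."""
    processes, entries = parse_log(text)
    return {"processes": process_counts(processes), "flagged": flag_entries(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("svchost.exe instances:", report["processes"]["svchost.exe"])
    for code, body, reasons in report["flagged"]:
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```

A flag is a prompt to look, not a verdict: the O2 entry with "(no file)" is a CLSID left behind after its DLL was removed, which is exactly the kind of entry HijackThis can clean up, while the "Unknown owner / (file missing)" O23 lines in this log are VAIO Media services whose registered command line contains extra quoting that HijackThis cannot resolve to a path.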

#7 redcorvette (Topic Starter)
Members, 4 posts

Posted 11 May 2007 - 07:52 PM

Thanks again for all your help. Everything is now back to normal.

#8 RichieUK
Malware Assassin, Malware Response Team, 13,614 posts

Posted 11 May 2007 - 08:18 PM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.